Lippizan: Sophisticated, targeted spyware on Google Play

Google has discovered targeted spyware on Google Play that is likely the work of Equus Technologies, an Israeli cyber surveillance technology dealer.

The malware, dubbed Lipizzan, was also discovered on and removed from fewer than 100 Android devices through the use of the Google Play Protect security suite for Android devices.

targeted spyware Google Play

The spyware’s capabilities

Aside from rooting the targeted device, Lippizan can:

  • Record calls (even VoIP calls)
  • Record sounds via the device’s microphone
  • Take screenshots and photos
  • Collect device and user information
  • Retrieve data from a variety of popular mail and IM apps (Gmail, Messenger, Skype, Telegram, Viber, Threema, etc.)

Targeted infection

“The first stage [of the spyware] (…) was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a ‘Backup’ or ‘Cleaner’ app. Upon installation, Lipizzan would download and load a second ‘license verification’ stage, which would survey the infected device and validate certain abort criteria,” the company explained in a blog post.

“If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.”

After Google removed from Google Play the first batch of Lippizan-carrying apps, the developers tried to upload new apps with some tweaks meant to make them fly under the radar.

“The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps,” Google noted.

“The app changed from downloading an unencrypted stage 2 to including stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent with an AES key and IV.”

But they were flagged again almost immediately, and Google blocked the developer’s account.

Google says that they were able to spot the malicious apps through a combination of machine learning, app certificate comparison, and aggregate mobile data analysis.

Lippizan was discovered during Google’s and Lookout’s investigation into Chrysaor (aka Pegasus for Android), a powerful espionage app believed to be the work of Israel-based firm NSO Group.

The two companies provides an in-depth look into their investigation to the audience at Black Hat this week.