Google’s Android Security team announced the discovery of a new powerful Android spyware — named Lipizzan — which Google claims to be linked to Equus Technologies, an Israeli company that describes itself on its LinkedIn page as being specialised “in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organisations,” according to Bleeping Computer.
Google says its engineers discovered only a small number of cases where Lipizzan was deployed, and they intervened and removed the apps from victims’ devices using a new Android security feature called Google Play Protect.
In total, Google engineers discovered 20 apps infected with Lipizzan, installed on fewer than 100 devices. Some of these apps were available through the official Google Play Store.
Bleeping Computer’s report says the Lipizzan-infested apps managed to squeeze past Google’s security checks because the spyware used a classic trick for bypassing Google’s Bouncer security system: splitting malicious behavior into a second-stage component.
First-stage Lipizzan apps came with legitimate code, which Google Bouncer did not flag as malicious. Once Lipizzan was on a user’s device, it would download a second-stage component disguised as a “license verification” step.
In reality, this second-stage component would scan the user’s device for certain data, and if the phone passed certain checks, the second-stage component would root the user’s device utilizing known exploit packages.
Google says that it detected two waves of apps infected with Lipizzan uploaded to the Play Store, and the second wave included technical modifications to the second-stage component’s modus operandi. This means Lipizzan’s operators were aware that Google had detected their malware and were actively developing ways to bypass Google’s security system.
It is unclear who was operating the malware, or what the purpose of deploying it on the official Google Play Store was.