Google recently took down 20 professionally developed malicious Android apps that were capable of spying on a target's location and messages.
After discovering a family of spyware thought to have been built by shady "cyber arms" dealer NSO Group, Google says it's found a similar class of spyware from another cyber arms firm, Equus Technologies, also known as Equus Software, which it calls Lipizzan.
Threat researchers at Google found 20 Lipizzan apps -- dressed up as seemingly harmless utilities -- on the Google Play Store. They've since removed them and blocked the developer accounts linked to the apps.
While it's not uncommon for adware to turn up on Google Play, Lipizzan apps pose a more serious threat to anyone targeted by them. Once installed, this spyware family is capable of monitoring and exfiltrating email, SMS, location data, voice calls, and media, including taking screenshots, using the device's camera, and fetching device and user information.
The malware also employed techniques to retrieve data from popular messaging and chat apps, including Gmail, Hangouts, LinkedIn, Messenger, Skype, Snapchat, Telegram, Viber, WhatsApp, and more.
To entice users, the apps were given names like "data saver", "backup plus", "thunder backup", "note plus", and "device cleaner".
The malware loaded in two stages and also packed several known exploits that let the attackers root the infected devices.
"Upon installation, Lipizzan would download and load a second 'license verification' stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server," explained Google researchers.
Google details a minor skirmish with the spyware sellers over access to the Play Store. After blocking one set of the malicious apps from the store, the developers uploaded a new set of apps with slightly different names and tweaked how the malware was delivered.
"The app changed from downloading an unencrypted stage 2 to including stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent with an AES key and IV," said Google researchers.
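The second variant Google describes, a stage 1 that ships stage 2 as an encrypted blob and only decrypts it on demand, leaves a static footprint a defender can look for: a large high-entropy asset inside the APK alongside code that performs dynamic class loading and decryption. The triage heuristic below is an added example, not code from the article or from Google; it treats an APK as the zip it is, measures asset entropy, and does a plain substring search of classes.dex (an assumption standing in for a real DEX parser), with constructed sample APKs in place of real samples.

```python
import hashlib, io, math, zipfile
from collections import Counter

# Strings whose presence in classes.dex hints at runtime code loading plus decryption.
# Assumption: a plain substring search stands in for a real DEX parser (fine for triage).
LOADER_MARKERS = (b"Ldalvik/system/DexClassLoader;", b"Ljavax/crypto/Cipher;", b"AES/CBC")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5, min_size: int = 4096) -> dict:
    """Flag an APK (a zip) that carries a large high-entropy asset AND loader/crypto markers.

    Either signal alone is common in benign apps (compressed media, TLS helpers), so only
    the combination is reported; this is a triage heuristic, not a verdict.
    """
    findings = {"high_entropy_assets": [], "loader_markers": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.startswith("assets/") and len(data) >= min_size:
                if shannon_entropy(data) >= entropy_threshold:
                    findings["high_entropy_assets"].append(name)
            elif name == "classes.dex":
                findings["loader_markers"] = [m.decode() for m in LOADER_MARKERS if m in data]
    findings["suspicious"] = bool(findings["high_entropy_assets"] and findings["loader_markers"])
    return findings

def build_sample_apk(encrypted_stage2: bool) -> bytes:
    """Constructed stand-in for an APK (test data, not a real Lipizzan sample)."""
    if encrypted_stage2:
        # Deterministic pseudo-random bytes play the role of an AES-encrypted stage-2 blob.
        payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
        dex = b"dex\n035\x00" + b"".join(LOADER_MARKERS) + b"\x00" * 64
    else:
        payload = b"A" * 8192  # low-entropy placeholder, e.g. a plain-text resource
        dex = b"dex\n035\x00" + b"Lcom/example/Main;" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex)
        z.writestr("assets/license.dat", payload)
    return buf.getvalue()
```

Run `triage_apk(build_sample_apk(True))` to see the two signals combine into a hit, and `build_sample_apk(False)` for a clean result; real APKs with compressed media will trip the entropy check alone, which is why the marker check is required as well.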
Fortunately, in this instance, Google blocked the apps before they'd been installed on more than 100 Android devices. For anyone interested, Google calculated that Lipizzan apps affected 0.000007 percent of Android devices.
That's a better result than the numerous occasions on which third-party researchers have identified malware on the Play Store, resulting in thousands and sometimes millions of infections before Google cleans up the mess. Notably, though, many third-party finds are adware rather than targeted spyware with Lipizzan's capabilities.
Google used its Play Protect app to notify affected users and remove the malicious apps from their devices.