Google Finds and Blocks Spyware Linked to Cyberarms Group

A new, targeted malware called Lipizzan could completely take over an Android device until Android Security shut it down

Tonight, Google has discovered and blocked a new family of insidious Android spyware, called Lipizzan, that can surveil and capture user text messages, emails, voice calls, photos, location data, and other files. You know, pretty much everything. And while it appeared on relatively few devices, Lipizzan has all the hallmarks of the type of professional, targeted malware reserved for deep-pocketed countries.

Finding malware that targets only a few hundred devices turns out to be a tough job; it requires sifting through hundreds of millions of apps using machine learning, app certificate comparison, and other tools to analyze aggregate data from large populations of mobile devices. That's how Google spotted Lipizzan, which it described in a blog post and presented with mobile security firm Lookout at the Black Hat security conference in Las Vegas on Wednesday. And all signs point to it being the work of a cyberarms group called Equus Technologies.

"We can leverage the big coverage of the Android ecosystem to find potentially harmful apps," says Megan Ruthven, a software engineer on Google's Android Security team. Ruthven noted also that Lipizzan included references to Equus Technologies, and was found on devices that had also been infected with other specialized types of spyware.

Lipizzan is a two-stage spyware attack, meaning that it gains full access to a target device in two steps. In the first, attackers spread downloads for innocuous-looking apps—with names like "Backup" or "Cleaner"—through various Android app stores, including the official Google Play store. Once the attackers trick targets into downloading the malicious app, Lipizzan automatically downloads the second stage. At this point, the app scans the target device to ensure that the device can't detect the second stage in action. If it can't, Lipizzan then uses known Android exploits to root the device, and starts sending data about the victim back out to a command and control server.

Android Security says it has blocked all related developers and apps from Android, and Google Play Protect, the automatic app-scanning and management feature Android rolled out last week, has pulled Lipizzan from all devices. As a result, the Lipizzan family only affected 0.000007 percent of all Android devices, according to Google.

But don't conflate limited spread with lack of success. Targeted tools like Lipizzan are expensive to develop and purchase, and are generally used by well-funded criminal actors or nation states to surveil high-profile targets. They aren't created to be used for widespread bulk surveillance; more scale makes them more easily identifiable. Lipizzan has more in common with previous precision malware, like Lookout-discovered Pegasus on iOS and Chrysaor on Android, than

"A lot of this stuff that we’re looking for, a lot of these targeted attacks, are being used in very specific and low-prevalence situations on very few devices," says Andrew Blaich, a security researcher at Lookout. "What’s enabling finding them out there now in the wild is that companies are using their big data for this ability to find these attacks. We’re able to [develop] a baseline like what should be normal for a device? What should we expect? And then that helps us surface anomalous apps."

Lookout's Pegasus and Chrysaor research is still evolving, and the methodologies to identify new targeted spyware apps are already leading to discoveries like Lipizzan. You may never personally end up in that targeted 0.000007 percent, but given the far-reaching access these apps obtain, it's well worth it to shut them down.