Spyware infected approximately 100 devices, Google says
Specifically, Google says it came across a new form of Android spyware called Lipizzan which the company says is somehow linked to an Israeli company working with governments and intelligence agencies across the world.
An in-depth analysis of the malware reveals that apps managed to get past Google’s filters and become available for download in the Play Store using a new approach that relies on two-stage infection process.
“The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a ‘Backup’ or ‘Cleaner’ app, ” Google explains.
“Upon installation, Lipizzan would download and load a second ‘license verification’ stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.”
Once it infected a device, the spyware could record calls and even sound from the device microphone, track the location, take screenshots and photos with the camera, fetch device information and user details like calls, contacts, text messages, and app data. It could target applications like WhatsApp, Gmail, Skype, and Telegram.
The search firm says that after blocking the first wave of apps infected with this spyware, cybercriminals attempted to upload a second batch of infected apps but with some tweaks to bypass Play Store filters, including new names and encrypted stage 2 process.
Google says that fewer than 100 devices were infected, which accounts for 0.000007% of Android devices, and the company managed to remove the infection with Google Play Protect completely, while also blocking the install on other devices.
