BEWARE! Android Spyware Can Steal Your Data

Nobody likes it when the private data on their phone is viewed or stolen by strangers. Now an Android spyware has been found spying on all the crucial details of the phones it targets. For now, cybersecurity researchers at Google have uncovered and blocked this spyware, but Android users need to be careful.

What can this malware do?

Known as Lipizzan, this malware monitors and steals information about the target's texts, emails, and other messages. It also shares information about contacts with criminal hackers. It can listen to users' calls and record them without their knowledge. Lipizzan takes screenshots and records audio and video, and it monitors the user's location.

Google said that this malware also steals data from many social networking apps including Gmail, Hangouts, KakaoTalk, LinkedIn, Messenger, Skype, Snapchat, stock email, Telegram, Threema, Viber, and WhatsApp.

What is the degree of threat posed by Lipizzan?

Although Lipizzan did not infect as many devices as Chrysaor did, it targeted a specific set of mobiles. In the past, Chrysaor had appeared as an Android version of the Pegasus mobile spyware that was spying on iPhones belonging to activists in the Middle East.

Although Google did not mention in its blog the set of phones or Android users targeted by Lipizzan, some threat researchers claimed to have found references in the code to Equus Technologies, which was described as a “cyber arms company”.

How can Lipizzan infect a device?

Lipizzan has been described as a “sophisticated two-stage spyware tool”. It was distributed across various platforms, including the official Google Play Store, where it hid its malicious nature by posing as a basic app such as a backup or cleaning tool. So far, about 20 different apps have been found that were designed to deliver the malware.

These malicious apps bypassed Google Play protection features because the compromise does not occur until the app is downloaded onto a device.

Once installed, Lipizzan downloads and loads a second “license verification” stage, which inspects the device. After that, the device is rooted and connected to a command-and-control server, which is used to exfiltrate data about communications and calls on the phone.

The menace of Lipizzan:

Although Google blocked the first set of Lipizzan-related apps, new versions of this malware resurfaced within a week.

This time, the apps were designed to look like notepads, sound recorders, and alarm managers. Seeing this, researchers pointed out that the malware's creators had a method to easily change the branding of the implant apps.

The new wave of apps also changed how the malware was delivered. Earlier, stage two of the installation downloaded an unencrypted version of a file. This time, the malware was encrypted deep within the app, and users were being instructed to run an Advanced Encryption Standard key to unlock the package.

However, Google caught the rogue apps and removed them from the store shortly after they were uploaded. The search giant said that its Google Play Protect feature actively blocked new installs of Lipizzan on devices.

Potential remedy against Lipizzan and other malware:

Google has issued advice on protecting Android users against Lipizzan and other malware. It is still not known who was targeted by Equus or how they convinced their victims to download the malware. Google has urged users to opt in to Google Play Protect and to download apps only from the Google Play Store. Android users are also advised to keep their phones patched with the latest version of the operating system.
