Back in April, researchers at Google discovered an Android malware, called Chrysaor, that could give an attacker remote control of the infected device. Android Security was able to find and block potentially harmful apps (PHAs) with that family of spyware, but in the process of doing so discovered a new spyware family called Lipizzan.
Researchers believe that the new spyware is unrelated to Chrysaor, and has the ability to monitor and exfiltrate a user’s email, SMS messages, location, voice calls, and media. The code behind the spyware has been traced to a cyber arms company, Equus Technologies.
On the Android Developers blog, researchers say that the newly discovered spyware works in two stages. It is firstly distributed through several channels, including Google Play, and hides behind a harmless app like “Backup” or “Cleaner”. After installing such an app, Lipizzan would load a second “licence verification” stage, which check out the infected device and validates certain abort criteria. Once the all-clear is given, the spyware proceeds to root the device with known exploits to take control of the device and exfiltrate data to a Command & Control server.
Once Lipizzan gains full control of the infected device, it has the ability to record call, track the user’s location, take screenshots and photos with the device’s camera, fetch information and files stored in the device and other user information such as contact, call logs and more. Researchers say that the PHA had specific routines to retrieve data from apps like Gmail, LinkedIn, Skype, Snapchat, and WhatsApp.
The most notable thing about the new spyware is how easily…