Google has blocked a new family of spyware that abused distribution channels like the Play Store to target Android users.

On 26 July, the tech giant announced it had detected 20 apps infected with Lipizzan spyware. Google has since blocked those apps and their developers from the Android ecosystem. It has also notified the fewer than 100 devices affected by Lipizzan that checked into Google’s Play Protect, a native security package for Android devices, and removed the spyware for them.

Lipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a ‘Backup’ or ‘Cleaner’ app. Upon installation, Lipizzan would download and load a second ‘license verification’ stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

After Android security blocked this wave of apps, their authors changed the branding of the implant apps to “alarm manager” and “notepad” offerings. These updated programs all relegated their second stages to encrypted blobs for which their first stages received an AES key and IV. Notwithstanding those changes, Google detected the new round of apps and blocked them, as well.

All of the programs infected with Lipizzan, which might have some ties to digital arms firm Equus Technologies, were capable of recording calls, recording from the microphone, taking screenshots, and retrieving data from Gmail, Messenger, Skype, and even encrypted messaging apps like Telegram and WhatsApp, among other functions.

Users who wish to protect themselves against threats like Lipizzan should opt into Google’s Play Protect and download apps only from Google’s Play Store.

News of Lipizzan follows several months after Google’s discovery of Chrysaor, a family of Android spyware which is believed to have been developed by the creators of Pegasus spyware and the Trident attack sequence targeting iOS devices.

(Story via Tripwire)