Android is being targeted by a wave of malware designed by cyber arms companies that can evade the Google Play security processes by infecting devices in a two-stage process.
The warning comes after Google discovered a new form of Android malware, called Lipizzan, that can record phone calls, monitor the device's location, retrieve data from popular apps and even make recordings from the device's microphone.
Google has claimed that the spyware is linked to an Israeli cyber arms company called Equus Technologies.
Google found the Android spyware as part of its investigation into the Chrysaor spyware, which was believed to have been written by another cyber arms company, NSO Group.
Google Play Protect detected Lipizzan in 20 different apps that had been distributed in a targeted fashion to fewer than 100 devices.
The first stage of the two-stage spyware tool was an innocuous-sounding app, such as ‘Backup’ or ‘Cleaner’, distributed through the Google Play store and several other channels.
Once installed, the app would download and load a second ‘licence verification’ stage, which would survey the infected device and validate certain abort criteria.
If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a command and control server.
The second stage was capable of performing and exfiltrating the results of:
- Call recording;
- VoIP recording;
- Recording from the device microphone;
- Location monitoring;
- Taking screenshots;
- Taking photos with the device camera(s);
- Fetching device information and files; and,
- Fetching user information, such as contacts, call logs and text messages.
The spyware could also retrieve data from the likes of Gmail, LinkedIn, Messenger, Skype, Snapchat, Viber and WhatsApp.
Google said it had blocked the developers and apps from the Android ecosystem. It said that Google Play Protect had notified all affected devices and removed the Lipizzan apps.
Google advised users to ensure that they're opted into Google Play Protect, to use only the Google Play store to download apps, to keep ‘unknown sources’ disabled when not in use, and to keep their device patched to the latest Android security update.