[SAFE-ID: JIWO-2024-168]   Author: 闲云野鸡   Published: [2017-07-28]


Google's Android Security team announced today the discovery of a new powerful Android spyware — named Lipizzan — which Google claims to be linked to Equus Technologies, an Israeli company that describes itself on its LinkedIn page as being specialized "in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations."

Google says its engineers discovered only a small number of cases where Lipizzan was deployed, and they intervened and removed the apps from victims' devices using a new Android security feature called Google Play Protect.

In total, Google engineers discovered 20 apps infected with Lipizzan, found on fewer than 100 devices. Some of these apps were available through the official Google Play Store.

Lipizzan apps found on the official Google Play Store

The Lipizzan-infested apps managed to squeeze past Google's security checks because the spyware used a classic trick for bypassing Google's Bouncer security system: splitting the malicious behavior into a second-stage component.

First-stage Lipizzan apps came with legitimate code, which Google Bouncer did not flag as malicious. Once Lipizzan was on a user's device it would download a second-stage component under the disguise of a "license verification" step.

In reality, this second-stage component would scan the user's device for certain data, and if the phone passed certain checks, the second-stage component would root the user's device utilizing known exploit packages.

Lipizzan is a powerful spyware utility

Once Lipizzan gained root privileges, the malware had the ability to perform the following operations:

Call recording
VOIP recording
Recording from the device microphone
Location monitoring
Taking screenshots
Taking photos with the device camera(s)
Fetching device information and files
Fetching user information (contacts, call logs, SMS, application-specific data)
Retrieving data from each of the following apps: Gmail, Hangouts, KakaoTalk, LinkedIn, Messenger, Skype, Snapchat, StockEmail, Telegram, Threema, Viber, and Whatsapp.

Google says that it detected two waves of apps infected with Lipizzan uploaded to the Play Store, and the second wave included technical modifications to the second-stage component's modus operandi. This means Lipizzan's operators were aware that Google had detected their malware, and were actively developing ways to bypass Google's security system.

It is unclear who was operating the malware, or what was the purpose of deploying it on the official Google Play Store.
