Thanks to Jagadeesh Chandraiah and Ferenc László Nagy of SophosLabs for their behind-the-scenes work on this article.
Android users take note: spyware called Lipizzan has infected up to 100 devices and can monitor phone activity while extracting data from popular apps.
That doesn’t sound like a huge number of devices, but as researchers elsewhere have noted, this looks like targeted, precision malware rather than a broad data-stealing tool. Google’s Android Developers’ blog said that “Lipizzan’s code contains references to a cyberarms company, Equus Technologies”, whose LinkedIn page says it’s a company “specializing in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations”.
Lipizzan appeared on Google Play as an innocent-looking app with names like “Backup”, “Cleaner” and “Notes”.
Researchers described Lipizzan as a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media. Twenty Lipizzan apps were distributed in a targeted fashion to 100 or so devices. Google has blocked the developers and apps from the Android ecosystem, and Google Play Protect has removed it from the infected phones.
Though Google’s response was swift, the spyware itself exemplifies the ever-increasing zeal malware creators are showing when it comes to targeting Android.
SophosLabs researchers have analyzed the spyware and painted the following picture:
In one of the samples, the stage-1 application appears as “Notes Plus” – an innocent-looking notes-taking application:
If you look carefully under assets, you can see that Lipizzan has an AES-encrypted zip file that is decrypted and loaded at runtime.
A stage-2 apk file does all the malicious activities and includes the spyware payload. The payload examined by SophosLabs received following commands:
It has the ability to:
- record calls,
- take snapshots,
- hijack the microphone, and
- capture the location.
In addition to monitoring your phone, it also fetches data from popular apps, SMS and call logs:
It targets data from the following applications:
- Call logs
You can see the data extraction code for Hangouts and whatsapp below:
Anti-debug and anti-VM
The stage-2 file is designed to make life difficult for security researchers by employing anti-debug and anti-emulator features to slow down analysis in test environments.
For anti-debug verification, it checks if adb is enabled. Researchers use adb to interact with Android devices from another computer.
The anti-emulator checks for the following:
- If Build_PRODUCT – sdk, google_sdk, sdk_x86 , vbox86p (AndroVM)
- If Build_MANUFACTURER – unknown, Genymotion (Popular Android Emulator)
- If Build.BRAND – generic , generic_x86
- If Build.DEVICE – generic, generic_x86, vbox86p
- If Build.MODEL- sdk, google_sdk, Android SDK built for x86
- If Build.HARDWARE – goldfish, vbox86
- If Build.FINGERPRINT – generic/sdk/generic, generic_x86/sdk_x86/generic_x86, generic/google_sdk/generic, generic/vbox86p/vbox86p
As noted above, Google has blocked the spyware from Google Play. Sophos detects it as Andr/Lipizan-A and has blocked it from customers.
The continued onslaught of malicious Android apps demonstrates the need to use an Android antivirus such as our free Sophos Mobile Security for Android.
By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.