Google security researchers claim to have discovered a new spyware family which appears to have been developed by a “cyber arms” vendor for use by state snoopers.
The malware, dubbed Lipizzan, includes references in its code to Israeli start-up Equus Technologies, which claims on a sparse LinkedIn page to develop “tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations”.
Google explained the following on its Android Developers Blog:
“Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user's email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.”
The two stage tool was apparently distributed through multiple channels including Google Play, masquerading as legitimate apps with innocuous sounding names such as "Backup" or "Cleaner".
On installation, it downloads a “license verification” element to check the device is the correct target, or else abort.
If the device gets the green light the malware will root it with known exploits and exfiltrate data to a C&C server, Google explained.
There are instructions to monitor and lift data from a list of 12 apps including Gmail, Hangouts, Snapchat, WhatsApp, Viber, LinkedIn, Messenger and more.
The find comes on the heels of Google’s detection of Chrysoar spyware; thought to have been produced by another Israeli cyber arms dealer, NSO Group.
That firm has also been linked to the infamous Pegasus spyware, described by Citizen Lab as a “a government-exclusive ‘lawful intercept’ spyware product”.
The trade in such tools, developed for use by states often against dissidents and rights activists, is a thriving but little documented corner of the cybersecurity industry.