Spyware companies make a profit by developing sophisticated software that can stealthily bypass the security of computers, smartphones and tablets and, as a result, they are routinely contracted by well-funded governments, intelligence agencies and large corporations.
Of course, vendors aren't always happy about someone hacking into their products and putting their customers at risk. Google, one of the most powerful technology firms in the world, just discovered a sophisticated new form of spyware hitting its Android operating system (OS).
Dubbed "Lipizzan", Google uncovered evidence it had links to an Israeli cyber-arms company called Equus Technologies and, upon analysis, found that it could spy on a slew of accounts including Gmail, Snapchat, LinkedIn, WhatsApp, Skype and more.
"Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user's email, SMS messages, location, voice calls and media," stated a Google blog post published on 26 July.
"We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem.
"Google Play Protect has notified all affected devices and removed the Lipizzan apps."
Lipizzan made it onto Google Play, the official marketplace for applications, by posing as a "backup" or "cleaner" service. The second stage of the infection could root the device using known exploits and send data to the hackers' server.
Once implanted on an Android device, the spyware had a variety of snooping tactics. These included call recording, VoIP recording, location monitoring, taking screenshots in real-time, taking photographs and fetching user information like contacts, call logs and texts.
"After we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences," explained threat researchers Megan Ruthven, Ken Bodzak and Neel Mehta in a joint post, describing how the campaign was able to remain active.
"The apps changed from 'backup' apps to looking like a 'cleaner', 'notepad', 'sound recorder', and 'alarm manager' app. The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps.
"Despite changing the type of application and the method [...] we were able to catch the new implant apps soon after upload."
Luckily, the spyware was caught early, with fewer than 100 devices affected in total.
"Since we identified Lipizzan, Google Play Protect removed [the spyware] from affected devices and actively blocks installs on new devices," the researchers wrote.
According to its LinkedIn page, Equus Technologies is a "privately held company specialising in the development of tailor-made innovative solutions for law enforcement, intelligence agencies, and national security organisations" founded in 2014.
Based on the limited spread, it's unlikely the spyware has ever impacted general Android users. Mobile exploits of this nature are costly to produce, even more expensive to purchase, and are typically only used to infect a victim's device in an extremely targeted fashion.
It remains unknown who the spyware targeted and who was behind the initial infections.
Nevertheless, Google has released a number of tips on how to stay protected:
- Ensure you are opted into Google Play Protect.
- Exclusively use the Google Play store.
- Keep "unknown sources" disabled while not using it.
- Keep your phone patched to the latest Android security update.