Android malware is not a new term for us and malware reaching the Play Store
is not something new. As infected apps are being detected on a regular basis, Google has highlighted one particular malware which it managed to deal before any substantial damage was caused, all thanks to the recently launched Google Play protect security feature.
An exhaustive analysis of the malware has revealed that apps managed to get past Google’s filters and become available for download in the Play Store using a new approach which relies on a two-stage infection process.
“The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a ‘Backup’ or ‘Cleaner’ app,” Google explains.
“Upon installation, Lipizzan would download and load a second ‘license verification’ stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.”
Once the device got infected, the spyware had the ability to record calls and even sound from the device microphone, track the location, take screenshots and photos with the camera, fetch device information and user details like calls, contacts text messages, and app data. The spyware could target applications like WhatsApp, Gmail, Skype, and Telegram.
Google stated that fewer than 100 devices were infected, which accounts for 0.000007% Android devices, and the company managed to remove the infection with Google Play Protect completely, while also simultaneously blocking the install on other devices.
