26 July 2017
Android Security is always developing new ways of using data to find and block potentially harmful apps (PHAs) from getting onto your devices. Earlier this year, we announced we had blocked Chrysaor targeted spyware, believed to be written by NSO Group, a cyber arms company. In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan's code contains references to a cyber arms company, Equus Technologies.
Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user's email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.
We've enhanced Google Play Protect's capabilities to detect the targeted spyware used here and will continue to use this framework to block more targeted spyware. To learn more about the methods Google uses to find targeted mobile spyware like Chrysaor and Lipizzan, attend our BlackHat talk, Fighting Targeted Malware in the Mobile Ecosystem.
Getting on a target device
Lipizzan was a sophisticated two-stage spyware tool. The first stage, found by Google Play Protect, was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a "Backup" or "Cleaner" app. Upon installation, Lipizzan would download and load a second "license verification" stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.
Once implanted on a target device
The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:
The PHA had specific routines to retrieve data from each of the following apps:
We saw all of this behavior in a standalone stage 2 app, com.android.mediaserver (not related to Android MediaServer). This app shared a signing certificate with one of the stage 1 applications, com.app.instantbackup, indicating that the same author wrote the two. The following code snippet from the second stage (com.android.mediaserver) also ties it to the stage 1 applications: it uninstalls the stage 1 dropper and deletes its data directory once the second stage is in place.
```java
public void uninstallParent() {
    android.util.Log.d("ApplicationsManager", "Removing parent application!");
    // Runs as root via the bundled SU helper: rewrites the process's SELinux context,
    // then uninstalls the stage 1 dropper (com.app.instantbackup)
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("")
        .append("echo u:r:system_server:s0 > /proc/$$/attr/current; pm uninstall")
        .append("com.app.instantbackup").toString());
    // Removes the stage 1 app's private data directory
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("")
        .append("rm -rf /data/data/").append("com.app.instantbackup").toString());
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("")
        .append("rm -Rf /data/data/").append("com.app.instantbackup").toString());
    return;
}
```
Morphing first stage
After we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences.
Despite changing the type of app and the method to download stage 2, we were able to catch the new implant apps soon after upload.
How many devices were affected?
There were fewer than 100 devices that checked into Google Play Protect with the apps listed below. That means the family affected only 0.000007% of Android devices. Since we identified Lipizzan, Google Play Protect removed Lipizzan from affected devices and actively blocks installs on new devices.
What can you do to protect yourself?
Older version

| Package Name | Latest App SHA-256 |
| --- | --- |
| com.safe.datasaver | 5d6a8c9c335edaf0b5d010f30e9fc9cea1e7a19d8c4e888079d6a6a4bae5aaef |
| com.and.goldbackup | 3a9f25b2ba38974b0eb8de76ad37abc77f7eb068e6880305cc1faaba4467d5cf |
| com.star.backupstar | ed4f693ea491ab0c455499fbaeddec70652b506f778130b43101b2496669fe59 |
| com.veramon.backupit | 27971324142ae23aad3f7e95e7eb1b85a7f08b39b4a4d27aab177669e875791b |
| com.copanga.backupplus | 726b91193469513405b95f0c20cb0ec94396ce317ac0f763e98af949186630f8 |
| com.app.thunderbackup | 99282aa2d17a341d88a6e1944149639bcc8f711cdcd134a455b0c25951111712 |
| com.kopos.nowbackup | 48305da03403990395afb159c56370d204b0e32343f3b0790b640653ee79e5c9 |
| com.appnow.backupdroid | 35896010e204b064e313204d525185586924b31a0804d0512ba5467fc95cb35e |
| com.apptimus.androidbackuppro | b615936270d9dab3c29d7b0a3c1fc846f1f5d82570fb917849769f578cfaeb01 |
| com.app.backupfast | 9efa83579e769f73793e138d79d15aa5b96e42c58b568eab00edece6219e2322 |
| com.app.instantbackup | a5f266864b341f8558aacdee1a38fe4b95a9035bf9c0c1d7761e23de2181dcf2 |
Newer version

| Package Name | Latest App SHA-256 |
| --- | --- |
| com.sd.sdbackup | 8ebe42ce2c03e56cb97bb2dc1be47a4226899d6f648c30eecb19e32a7867657a |
| com.app.procleaner | affc95a6db70b62b4252fe5da4016ae873b33e645147f06f12a33c9dc5305ae4 |
| com.app.alarmmanager | fe121da2a53632ba2b617eae26c72b685ed4853a6b3f9fd223af11a1042c3541 |
| com.app.soundrecorder | aa4445023df7b203e8078858b502d1082647c815b24c3335a58347bc98b79c74 |
| com.mem.notesplus | 24aa8a2f2fbbbe82b89076bf1981bdedb7ecb4baa9e036993504e8309269b373 |
| com.app.processcleaner | b2eca848730d41c2e8001ec7316352343b84327d59e193aacdcd0d01aceb79f2 |
| com.kobm.devicecleaner | 6ddad8d049fd25e06b84de013dfec7e1bb09abca78604305b9ae1df6c4145e5c |
| com.yonni.deviceoptimizer | 2f8fab18374080ac42422e5e79a693438b81f95f76de5f2f34cd2a0c882f06ef |
| com.haima.ultracleaner | af7f90809d4e3bf160ccf4a219012f9dac283657f57b812733022f4a966428ea |
Second stage

| Package Name | Latest App SHA-256 |
| --- | --- |
| com.android.mediaserver | 1ba8d5f45e8cd545cc3b919bea80e7bd5c6c85fc822f52edc0669191536d43da |
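The tables above are usable as indicators of compromise. As an added example (not code from the post or from Google), the script below parses the pipe-delimited rows into a lookup, then checks a device's installed-app inventory against them. A SHA-256 match is a confirmed hit whatever package name the APK was installed under; a package-name match with a hash that is not in the table is reported separately, because the post describes the first stage being re-uploaded with changes, but generic names like com.app.soundrecorder can also belong to unrelated apps. The inventory is constructed sample data, and the `adb` commands in the comments are one assumed way of collecting it on a real device.

```python
import re

# IoC rows as published in the post: package name | SHA-256 of the latest APK.
IOC_TABLE = """
Older version
Package Name | Latest App SHA-256 |
com.safe.datasaver | 5d6a8c9c335edaf0b5d010f30e9fc9cea1e7a19d8c4e888079d6a6a4bae5aaef |
com.and.goldbackup | 3a9f25b2ba38974b0eb8de76ad37abc77f7eb068e6880305cc1faaba4467d5cf |
com.star.backupstar | ed4f693ea491ab0c455499fbaeddec70652b506f778130b43101b2496669fe59 |
com.veramon.backupit | 27971324142ae23aad3f7e95e7eb1b85a7f08b39b4a4d27aab177669e875791b |
com.copanga.backupplus | 726b91193469513405b95f0c20cb0ec94396ce317ac0f763e98af949186630f8 |
com.app.thunderbackup | 99282aa2d17a341d88a6e1944149639bcc8f711cdcd134a455b0c25951111712 |
com.kopos.nowbackup | 48305da03403990395afb159c56370d204b0e32343f3b0790b640653ee79e5c9 |
com.appnow.backupdroid | 35896010e204b064e313204d525185586924b31a0804d0512ba5467fc95cb35e |
com.apptimus.androidbackuppro | b615936270d9dab3c29d7b0a3c1fc846f1f5d82570fb917849769f578cfaeb01 |
com.app.backupfast | 9efa83579e769f73793e138d79d15aa5b96e42c58b568eab00edece6219e2322 |
com.app.instantbackup | a5f266864b341f8558aacdee1a38fe4b95a9035bf9c0c1d7761e23de2181dcf2 |
Newer version
com.sd.sdbackup | 8ebe42ce2c03e56cb97bb2dc1be47a4226899d6f648c30eecb19e32a7867657a |
com.app.procleaner | affc95a6db70b62b4252fe5da4016ae873b33e645147f06f12a33c9dc5305ae4 |
com.app.alarmmanager | fe121da2a53632ba2b617eae26c72b685ed4853a6b3f9fd223af11a1042c3541 |
com.app.soundrecorder | aa4445023df7b203e8078858b502d1082647c815b24c3335a58347bc98b79c74 |
com.mem.notesplus | 24aa8a2f2fbbbe82b89076bf1981bdedb7ecb4baa9e036993504e8309269b373 |
com.app.processcleaner | b2eca848730d41c2e8001ec7316352343b84327d59e193aacdcd0d01aceb79f2 |
com.kobm.devicecleaner | 6ddad8d049fd25e06b84de013dfec7e1bb09abca78604305b9ae1df6c4145e5c |
com.yonni.deviceoptimizer | 2f8fab18374080ac42422e5e79a693438b81f95f76de5f2f34cd2a0c882f06ef |
com.haima.ultracleaner | af7f90809d4e3bf160ccf4a219012f9dac283657f57b812733022f4a966428ea |
Second stage
com.android.mediaserver | 1ba8d5f45e8cd545cc3b919bea80e7bd5c6c85fc822f52edc0669191536d43da |
"""

# A data row is "<package> | <64 hex chars> |"; header rows and section labels do not match.
ROW_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*\|\s*([0-9a-fA-F]{64})\s*\|?\s*$")


def parse_ioc_table(text):
    """Return {package_name: sha256_lowercase} from the pipe-delimited rows."""
    iocs = {}
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            iocs[match.group(1)] = match.group(2).lower()
    return iocs


def check_inventory(inventory, iocs):
    """Match (package_name, sha256) pairs against the IoC set.

    Returns a list of (package_name, verdict) in inventory order:
      known_lipizzan_apk            - SHA-256 is in the table (confirmed, name-independent)
      ioc_package_name_unknown_hash - name is in the table but the hash is not (review)
    Apps with neither signal are not reported.
    """
    by_hash = {digest: pkg for pkg, digest in iocs.items()}
    findings = []
    for pkg, digest in inventory:
        digest = digest.lower()  # tolerate upper-case hashes from other tools
        if digest in by_hash:
            findings.append((pkg, "known_lipizzan_apk"))
        elif pkg in iocs:
            findings.append((pkg, "ioc_package_name_unknown_hash"))
    return findings


# Constructed sample inventory. On a real device one assumed way to build it is
# `adb shell pm list packages -f` for the APK paths, then a SHA-256 of each path.
SAMPLE_INVENTORY = [
    ("com.android.mediaserver", "1BA8D5F45E8CD545CC3B919BEA80E7BD5C6C85FC822F52EDC0669191536D43DA"),
    ("com.app.procleaner", "00" * 32),  # listed name, hash not in the table
    ("com.example.notes", "ff" * 32),   # unrelated app, should not be reported
]

if __name__ == "__main__":
    table = parse_ioc_table(IOC_TABLE)
    for package, verdict in check_inventory(SAMPLE_INVENTORY, table):
        print(f"{verdict:32} {package}")
```

The hash index is built from the parsed table rather than from the package names so that a known APK installed under a different name is still caught, while the name-only branch surfaces candidates that need a closer look rather than an automatic quarantine.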