Google blocks Lipizzan Android spyware found while investigating Chrysaor spyware

A new batch of spyware named ‘Lipizzan’ that could capture users’ text messages, voice calls, location data and photos has been discovered and blocked by Google. The company, in a blog post, said it discovered a new family of Android spyware while investigating another spyware named ‘Chrysaor’. Lipizzan’s code contains references to a cyber arms company, Equus Technologies.  It is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls and media. “We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps,” the post read. ‘Lipizzan’ spyware was capable of performing tasks that include taking screensots, taking pictures with the device camera, recording from the device’s microphone, call recording and location monitoring. Lipizzan was a sophisticated two-stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a “Backup” or “Cleaner” app. Upon installation, ‘Lipizzan’ would download and load a second “license verification” stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a command and control server, the post said.