Google has removed about 20 Android apps from the Play Store after finding out that they contained a multi-stage spyware product for monitoring and extracting a user's sensitive data like e-mail, text messages, location information, media files etc.
Google was able to find that these apps were distributed in a targeted fashion to around 100 phones. The malicious apps could monitor and record your calls and take photos from your device's camera. Also they had the capability to monitor the users location and fetch device information and files. These potentially harmful apps could also retrieve data from encrypted services in the device like Viber, WhatsApp and Telegram
Google has dubbed this batch of malicious apps as Lipizzan and claimed that the apps contained references to Equus Technologies, a cyber arms company.
These Lipizzan apps operate in two stages. The first stage is to distribute the app as a 'cleaner' or 'backup' app through Google Play. The installed app would then load the device with a second "license verification" stage, which would validate the host device for certain abort criteria. After that the app would progress on to the second stage and root the device to exfiltrate the device's data onto a secure server controlled by the developer.
The researchers at Google were able to remove the Lipizzan apps using Google Play Protect and actively block all installs on new devices. Google Play Protect is a tool developed by Google that regularly scans the Play Store for Malware and harmful apps and warns of any security concerns. This disclosure form Google comes nearly a day before researchers at Sophos, an antivirus provider, told about two apps on Google Play that steal text messages.