Lippizan Spyware Discovered

Google’s Android security team have discovered and new and immensely powerful spyware termed Lippizan. Google claims the spyware was created by Equus Group, an Israeli based company who by their own account specializes in the development of “…of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organizations.” Lippizan appears to be a targeted malware infecting a small selection of apps upon Google Play. Google states that their experts noticed the malware and intervened and removed the infected apps. The new security feature, Google Play Protect, was used to remove the infected apps. According to Google, this new feature allows for users to use the app store with peace of mind by applying even stricter controls on the uploading of apps.

How Lippizan managed to infect devices

Google confirmed that only 20 apps were infected and the malware could only be found on fewer than a hundred mobile devices. Lippizan used a classic trick to bypass Google’s Bouncer security system by utilizing a two stage deployment. The first stage included Lippizan laced apps which used legitimate code to defect detection by Google’s Bouncer security system. The second stage occurs when asked to complete a license verification step. The second step also includes the spyware scanning the mobile device for certain data types. Once the checks are passed the spyware roots the victim’s mobile device using known exploit packages.

lippizan spyware discovered

Once Lippizan has gained root privileges the spyware is able to do the following:

  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)
  • Retrieve data from each of the following apps:  Gmail, Hangouts, KakaoTalk, LinkedIn, Messenger, Skype, Snapchat, StockEmail, Telegram, Threema, Viber, and Whatsapp.

Google also confirmed that the spyware struck in two waves. The second wave featured some modifications to the second stage implementation, this could possibly mean that those controlling the spyware were aware of the initial detection by Google security experts and were developing new ways to bypass the security system. As of yet, the reasons for developing and executing Lippizan remain unclear.

Brief history of Israeli cyber arms companies developing spyware

In April of this year, Google discovered Chrysaor which was developed by the Israeli company NSO Group. The same company which developed Pegasus. Pegasus, as it turned out, was the iOS version of Chrysaor and vice versa. Chrysaor’s features were incredibly similar to Pegasus and included:

  • Keylogging features
  • Ability to silently answer phone calls and listen in on conversations (Users see a black screen and if they unlock the phone, the phone call is dropped immediately)
  • Ability to take screenshots of the user's screen
  • Ability to spy on users via the front and rear cameras
  • Usage of the ContentObserver framework to gather any updates to apps such as SMS, Calendar, Contacts, Cell info, Email, WhatsApp, Facebook, Twitter, Kakao, Viber, and Skype
  • Ability to collect data such as SMS settings, SMS messages, call logs, browser history, calendars, contacts, and emails
  • Ability to steal messages from apps such as WhatsApp, Twitter, Facebook, Kakoa, Viber, and Skype
  • Usage of alarm functionality to repeat malicious actions at certain intervals
  • Ability to install itself in the /system folder to survive factory resets
  • Ability to sabotage the phone's self-update features
  • Ability to disable WAP push messages to hinder forensics operations
  • Ability to delete itself when instructed or when the C&C server goes dormant

Most of the above-mentioned features could be turned on by HTTP request to the threat actor’s C&C server or via an SMS message. Chrysoar like Pegasus was used in incredibly targeted attacks with NSO Group never responding to the accusations.

The cyber security company, Lookout, in their in depth analysis of Pegasus concluded:

We rely on mobile devices to both store our digital assets and give us access to them. Our phones are always with us and have become a main form of voice, video- and messaging-based communication. This makes our mobile devices highly valuable targets for motivated attackers.
NSO Group reportedly has hundreds of employees and makes millions of dollars in annual revenue, effectively as a cyber arms dealer, from the sale of its sophisticated mobile attack software. NSO is only one example of this type of cyber mercenary: we know that it is not the only one, as we’ve seen with the Hacking Team, Finfisher, and other organizations that compete in this space.
While this report is focused on the iOS version of the software, Lookout and Citizen Lab are aware that NSO Group advertises Android and Blackberry versions and are investigating those as well.
This report shows the importance of keeping our devices up to date with the latest patches and exercising vigilance with the security of our mobile devices.

One can only draw similar conclusions to the modus operandi of Equus Group as a cyber arms company as well as the obvious benefits to remaining vigilant and educated to not only the threats posed by cyber crime but cyber espionage as well.