Tag Archives: spyware

Guidance to developers affected by our effort to block less secure browsers and applications

Posted by Lillan Marie Agerup, Product Manager

We are always working to improve security protections of Google accounts. Our security systems automatically detect, alert and help protect our users against a range of security threats. One form of phishing, known as "man-in-the-middle" (MITM), is hard to detect when an embedded browser framework (e.g., Chromium Embedded Framework - CEF) or another automation platform is being used for authentication. In a MITM attack the attacker's application presents what looks like a legitimate authentication flow on one of these platforms and relays the traffic between the user and Google, gathering the user's credentials (including the second factor in some cases) and signing in as the user. Because the host application controls everything the embedded view renders and requests, the user has no reliable way to tell the relayed flow from the real one. To protect our users from these types of attacks, Google Account sign-ins from all embedded frameworks will be blocked starting on January 4, 2021. This block affects CEF-based apps and other non-supported browsers.

To minimize the disruption of service to our partners, we are providing this information to help developers set up OAuth 2.0 flows in supported user-agents. The information in this document outlines the following:

  • How to enable sign-in on your embedded framework-based apps using browser-based OAuth 2.0 flows.
  • How to test for compatibility.

Apps that use embedded frameworks

If you're an app developer and use CEF or other embedded clients for authorization on devices, switch to browser-based OAuth 2.0 flows: hand the sign-in off to the user's default browser and receive the result back in your app, rather than rendering the Google sign-in page inside the embedded view. Alternatively, you can use a compatible full native browser for sign-in.

For limited-input device applications, such as applications that do not have access to a browser or have limited input capabilities, use limited-input device OAuth 2.0 flows.
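The browser-based flow recommended above for CEF and other embedded apps, written out as an added example (not code from this post or from Google): the app opens the user's default browser and receives the redirect on a loopback listener, the native-app pattern from RFC 8252, with PKCE (RFC 7636) binding the authorization code to this client. CLIENT_ID is a placeholder, the endpoint URLs are Google's public OAuth 2.0 endpoints, and the final code-for-token exchange is only assembled, not sent, so the module runs offline.

```python
"""Browser-based sign-in for a native or embedded app: open the system browser,
receive the redirect on a loopback listener, and bind the code to this client with PKCE.

Added example, not code from the post. Assumptions: CLIENT_ID is a placeholder, the
endpoint URLs are Google's public OAuth 2.0 endpoints, and the token exchange is only
assembled (not sent) so the module runs offline.
"""
import base64
import hashlib
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
CLIENT_ID = "123456789-example.apps.googleusercontent.com"  # placeholder, not a real client ID


def base64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: str = "") -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge); the verifier is random unless supplied."""
    verifier = verifier or base64url(secrets.token_bytes(32))
    challenge = base64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_auth_url(client_id: str, redirect_uri: str, scope: str, state: str, challenge: str) -> str:
    """Authorization request the browser is sent to."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,  # echoed back, lets us reject redirects this app did not start
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_redirect(path: str, expected_state: str) -> str:
    """Validate the loopback redirect and return the authorization code, or raise."""
    qs = parse_qs(urlparse(path).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this client")
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def token_request_body(code: str, verifier: str, client_id: str, redirect_uri: str) -> dict[str, str]:
    """Form fields for the code-for-token exchange; POST them to TOKEN_ENDPOINT."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": verifier,  # proves we are the client that built the challenge
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }


def sign_in(client_id: str, scope: str = "openid email") -> tuple[str, str, str]:
    """Open the default browser, block until the redirect arrives, return (code, verifier, redirect_uri)."""
    state = base64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    result: dict[str, str] = {}

    class RedirectHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_redirect(self.path, state)
                body = b"Sign-in complete. You can close this tab."
            except ValueError as exc:
                result["error"] = str(exc)
                body = b"Sign-in failed."
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the authorization code out of the console log
            pass

    # Port 0 = ephemeral port; RFC 8252 section 7.3 has the server accept any port on a loopback redirect.
    with HTTPServer(("127.0.0.1", 0), RedirectHandler) as server:
        redirect_uri = f"http://127.0.0.1:{server.server_address[1]}/"
        webbrowser.open(build_auth_url(client_id, redirect_uri, scope, state, challenge))
        server.handle_request()  # exactly one request: the browser's redirect
    if "error" in result:
        raise ValueError(result["error"])
    return result["code"], verifier, redirect_uri


if __name__ == "__main__":
    code, verifier, redirect_uri = sign_in(CLIENT_ID)
    print("POST to", TOKEN_ENDPOINT, token_request_body(code, verifier, CLIENT_ID, redirect_uri))
```

Run the module to open the browser and wait for the redirect, then POST the returned form fields to TOKEN_ENDPOINT with any HTTP client. Two checks do the work here: the state parameter rejects a redirect the app did not initiate, and the code_verifier, which never leaves the app, means an authorization code seen in transit cannot be exchanged by anyone else.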

Browsers

Modern browsers with security updates will continue to be supported.

Browser standards

The browser must have JavaScript enabled. For more details, see our previous blog post.

The browser must not proxy or alter the network communication between the user and Google. Your browser must not do any of the following:

  • Render pages server-side
  • Act as an HTTPS proxy (intercept the TLS connection)
  • Replay requests
  • Rewrite HTTP headers

The browser must have a reasonably complete implementation of web standards and browser features. Confirm that your browser is not one of the following:

  • Headless browsers
  • Node.js
  • Text-based browsers

The browser must identify itself clearly in the User-Agent. The browser must not try to impersonate another browser like Chrome or Firefox.

The browser must not provide automation features. This includes scripts that automate keystrokes or clicks, especially to perform automatic sign-ins. We do not allow sign-in from browsers based on frameworks like CEF or Embedded Internet Explorer.

Test for compatibility

If you're a developer that currently uses CEF for sign-in, be aware that support for this type of authentication ends on January 4, 2021. To verify whether you'll be affected by the change, test your application for compatibility. To test your application, add a specific HTTP header and value to disable the allowlist that currently lets embedded frameworks through: a request carrying the header is handled as it will be after the cutoff, so a sign-in that fails during the test is one that will fail in January. The following steps explain how to disable the allowlist:

  1. Find the code path where your app sends requests to accounts.google.com.
  2. Add Google-Accounts-Check-OAuth-Login:true to your HTTP request headers.

The following example details how to disable the allowlist in CEF.

Note: You can add your custom headers in CefRequestHandler#OnBeforeResourceLoad (in recent CEF releases the callback lives on CefResourceRequestHandler, which CefRequestHandler::GetResourceRequestHandler returns). Add the header only to requests whose host is accounts.google.com. GetHeaderMap fills a copy of the request's headers, so the modified map must be written back with SetHeaderMap or the header is never sent.

    CefRequest::HeaderMap hdrMap;
    request->GetHeaderMap(hdrMap);
    hdrMap.insert(std::make_pair("Google-Accounts-Check-OAuth-Login", "true"));
    request->SetHeaderMap(hdrMap);  // write the copy back; without this the request goes out unchanged

To test manually in Chrome, use ModHeader to set the header. The header enables the changes for that particular request.

Setting the header using ModHeader

Related content

See our previous blog post about protection against man-in-the-middle phishing attacks.

From Chrysaor to Lipizzan: Blocking a new targeted spyware family

Posted by Megan Ruthven (Android Security), Ken Bodzak (Threat Analysis Group), Neel Mehta (Threat Analysis Group)

Android Security is always developing new ways of using data to find and block potentially harmful apps (PHAs) from getting onto your devices. Earlier this year, we announced we had blocked Chrysaor targeted spyware, believed to be written by NSO Group, a cyber arms company. In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan's code contains references to a cyber arms company, Equus Technologies.

Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user's email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.

We've enhanced Google Play Protect's capabilities to detect the targeted spyware used here and will continue to use this framework to block more targeted spyware. To learn more about the methods Google uses to find targeted mobile spyware like Chrysaor and Lipizzan, attend our BlackHat talk, Fighting Targeted Malware in the Mobile Ecosystem.

How does Lipizzan work?

Getting on a target device

Lipizzan was a sophisticated two-stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a "Backup" or "Cleaner" app. Upon installation, Lipizzan would download and load a second "license verification" stage, which would survey the infected device and check a set of abort criteria (conditions under which it would stop rather than proceed). If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Once implanted on a target device

The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:

  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)

The PHA had specific routines to retrieve data from each of the following apps:

  • Gmail
  • Hangouts
  • KakaoTalk
  • LinkedIn
  • Messenger
  • Skype
  • Snapchat
  • StockEmail
  • Telegram
  • Threema
  • Viber
  • Whatsapp

We saw all of this behavior on a standalone stage 2 app, com.android.mediaserver (not related to Android MediaServer). This app shared a signing certificate with one of the stage 1 applications, com.app.instantbackup, indicating the same author wrote the two. We could use the following code snippet from the 2nd stage (com.android.mediaserver) to draw ties to the stage 1 applications.

public void uninstallParent() {
    android.util.Log.d("ApplicationsManager", "Removing parent application!");
    // Runs as root through the bundled Shell.SU helper. The echo attempts to move the shell into
    // the system_server SELinux context before calling pm. As decompiled, no space separates
    // "pm uninstall" from the package name, so the rm -rf lines below are what actually removes it.
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("echo u:r:system_server:s0 > /proc/$$/attr/current; pm uninstall").append("com.app.instantbackup").toString());
    // Delete the stage 1 app's private data directory (the two lines are equivalent).
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("rm -rf /data/data/").append("com.app.instantbackup").toString());
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("rm -Rf /data/data/").append("com.app.instantbackup").toString());
    return;
}

Morphing first stage

After we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences.

  • The apps changed from 'backup' apps to looking like a "cleaner", "notepad", "sound recorder", and "alarm manager" app. The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps.
  • The app changed from downloading an unencrypted stage 2 to including stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent with an AES key and IV. Because the key and IV arrive out of band, the stage 2 payload cannot be recovered from the stage 1 APK alone.

Despite changing the type of app and the method to download stage 2, we were able to catch the new implant apps soon after upload.

How many devices were affected?

There were fewer than 100 devices that checked into Google Play Protect with the apps listed below. That means the family affected only 0.000007% of Android devices. Since we identified Lipizzan, Google Play Protect removed Lipizzan from affected devices and actively blocks installs on new devices.

What can you do to protect yourself?

  • Ensure you are opted into Google Play Protect.
  • Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
  • Keep "unknown sources" disabled while not using it.
  • Keep your phone patched to the latest Android security update.

List of samples

1st stage

Older version

Package name                   Latest app SHA-256
com.safe.datasaver             5d6a8c9c335edaf0b5d010f30e9fc9cea1e7a19d8c4e888079d6a6a4bae5aaef
com.and.goldbackup             3a9f25b2ba38974b0eb8de76ad37abc77f7eb068e6880305cc1faaba4467d5cf
com.star.backupstar            ed4f693ea491ab0c455499fbaeddec70652b506f778130b43101b2496669fe59
com.veramon.backupit           27971324142ae23aad3f7e95e7eb1b85a7f08b39b4a4d27aab177669e875791b
com.copanga.backupplus         726b91193469513405b95f0c20cb0ec94396ce317ac0f763e98af949186630f8
com.app.thunderbackup          99282aa2d17a341d88a6e1944149639bcc8f711cdcd134a455b0c25951111712
com.kopos.nowbackup            48305da03403990395afb159c56370d204b0e32343f3b0790b640653ee79e5c9
com.appnow.backupdroid         35896010e204b064e313204d525185586924b31a0804d0512ba5467fc95cb35e
com.apptimus.androidbackuppro  b615936270d9dab3c29d7b0a3c1fc846f1f5d82570fb917849769f578cfaeb01
com.app.backupfast             9efa83579e769f73793e138d79d15aa5b96e42c58b568eab00edece6219e2322
com.app.instantbackup          a5f266864b341f8558aacdee1a38fe4b95a9035bf9c0c1d7761e23de2181dcf2

Newer version

Package name                   Latest app SHA-256
com.sd.sdbackup                8ebe42ce2c03e56cb97bb2dc1be47a4226899d6f648c30eecb19e32a7867657a
com.app.procleaner             affc95a6db70b62b4252fe5da4016ae873b33e645147f06f12a33c9dc5305ae4
com.app.alarmmanager           fe121da2a53632ba2b617eae26c72b685ed4853a6b3f9fd223af11a1042c3541
com.app.soundrecorder          aa4445023df7b203e8078858b502d1082647c815b24c3335a58347bc98b79c74
com.mem.notesplus              24aa8a2f2fbbbe82b89076bf1981bdedb7ecb4baa9e036993504e8309269b373
com.app.processcleaner         b2eca848730d41c2e8001ec7316352343b84327d59e193aacdcd0d01aceb79f2
com.kobm.devicecleaner         6ddad8d049fd25e06b84de013dfec7e1bb09abca78604305b9ae1df6c4145e5c
com.yonni.deviceoptimizer      2f8fab18374080ac42422e5e79a693438b81f95f76de5f2f34cd2a0c882f06ef
com.haima.ultracleaner         af7f90809d4e3bf160ccf4a219012f9dac283657f57b812733022f4a966428ea

Standalone 2nd stage

Package name                   Latest app SHA-256
com.android.mediaserver        1ba8d5f45e8cd545cc3b919bea80e7bd5c6c85fc822f52edc0669191536d43da
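A triage script over the indicators in the three tables above, added here as an example (not Google's tooling): it parses `adb shell pm list packages -f` output and `sha256sum` output for the pulled APKs, flags installed packages by APK hash (strong evidence) or by package name alone (weak, needs confirmation), and returns the caveats that follow from the uninstallParent() snippet and the encrypted stage 2 blob. The device output embedded in the script is constructed for the example.

```python
"""Triage helper for the Lipizzan indicators in this post.

Added example, not Google's tooling. It matches the output of `adb shell pm list packages -f`
and of `sha256sum` over APKs pulled with `adb pull` against the package names and SHA-256
values from the sample tables. The device output at the bottom is constructed.
"""
import re
from dataclasses import dataclass

# "<stage> <package> <sha256>" rows copied from the sample tables above (old and new droppers are stage1).
INDICATOR_ROWS = """
stage1 com.safe.datasaver 5d6a8c9c335edaf0b5d010f30e9fc9cea1e7a19d8c4e888079d6a6a4bae5aaef
stage1 com.and.goldbackup 3a9f25b2ba38974b0eb8de76ad37abc77f7eb068e6880305cc1faaba4467d5cf
stage1 com.star.backupstar ed4f693ea491ab0c455499fbaeddec70652b506f778130b43101b2496669fe59
stage1 com.veramon.backupit 27971324142ae23aad3f7e95e7eb1b85a7f08b39b4a4d27aab177669e875791b
stage1 com.copanga.backupplus 726b91193469513405b95f0c20cb0ec94396ce317ac0f763e98af949186630f8
stage1 com.app.thunderbackup 99282aa2d17a341d88a6e1944149639bcc8f711cdcd134a455b0c25951111712
stage1 com.kopos.nowbackup 48305da03403990395afb159c56370d204b0e32343f3b0790b640653ee79e5c9
stage1 com.appnow.backupdroid 35896010e204b064e313204d525185586924b31a0804d0512ba5467fc95cb35e
stage1 com.apptimus.androidbackuppro b615936270d9dab3c29d7b0a3c1fc846f1f5d82570fb917849769f578cfaeb01
stage1 com.app.backupfast 9efa83579e769f73793e138d79d15aa5b96e42c58b568eab00edece6219e2322
stage1 com.app.instantbackup a5f266864b341f8558aacdee1a38fe4b95a9035bf9c0c1d7761e23de2181dcf2
stage1 com.sd.sdbackup 8ebe42ce2c03e56cb97bb2dc1be47a4226899d6f648c30eecb19e32a7867657a
stage1 com.app.procleaner affc95a6db70b62b4252fe5da4016ae873b33e645147f06f12a33c9dc5305ae4
stage1 com.app.alarmmanager fe121da2a53632ba2b617eae26c72b685ed4853a6b3f9fd223af11a1042c3541
stage1 com.app.soundrecorder aa4445023df7b203e8078858b502d1082647c815b24c3335a58347bc98b79c74
stage1 com.mem.notesplus 24aa8a2f2fbbbe82b89076bf1981bdedb7ecb4baa9e036993504e8309269b373
stage1 com.app.processcleaner b2eca848730d41c2e8001ec7316352343b84327d59e193aacdcd0d01aceb79f2
stage1 com.kobm.devicecleaner 6ddad8d049fd25e06b84de013dfec7e1bb09abca78604305b9ae1df6c4145e5c
stage1 com.yonni.deviceoptimizer 2f8fab18374080ac42422e5e79a693438b81f95f76de5f2f34cd2a0c882f06ef
stage1 com.haima.ultracleaner af7f90809d4e3bf160ccf4a219012f9dac283657f57b812733022f4a966428ea
stage2 com.android.mediaserver 1ba8d5f45e8cd545cc3b919bea80e7bd5c6c85fc822f52edc0669191536d43da
"""
# package -> (sha256, stage), plus a reverse index on the digest
INDICATORS = {pkg: (sha.lower(), stage) for stage, pkg, sha in
              (line.split() for line in INDICATOR_ROWS.splitlines() if line.strip())}
BY_SHA256 = {sha: (pkg, stage) for pkg, (sha, stage) in INDICATORS.items()}

PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[A-Za-z0-9_.]+)$")
SHA_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64})\s+\*?(?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    path: str
    evidence: str  # "hash": APK byte-identical to a listed sample; "name": package name only
    stage: str


def parse_pm_list(output: str) -> dict[str, str]:
    """`pm list packages -f` lines -> {package: apk path}."""
    hits = (PM_LINE.match(line.strip()) for line in output.splitlines())
    return {m["pkg"]: m["path"] for m in hits if m}


def parse_sha256sum(output: str) -> dict[str, str]:
    """`sha256sum` lines -> {apk path: lowercase hex digest}."""
    hits = (SHA_LINE.match(line.strip()) for line in output.splitlines())
    return {m["path"]: m["digest"].lower() for m in hits if m}


def triage(pm_output: str, sha_output: str) -> list[Finding]:
    """Prefer the hash match (strong); fall back to the package name (weak, confirm before acting)."""
    digests = parse_sha256sum(sha_output)
    findings = []
    for pkg, path in parse_pm_list(pm_output).items():
        hit = BY_SHA256.get(digests.get(path, ""))
        if hit:
            findings.append(Finding(pkg, path, "hash", hit[1]))
        elif pkg in INDICATORS:
            findings.append(Finding(pkg, path, "name", INDICATORS[pkg][1]))
    return findings


def notes(findings: list[Finding]) -> list[str]:
    """Analyst caveats that follow from how the two stages behave."""
    stages = {f.stage for f in findings}
    out = []
    if "stage2" in stages and "stage1" not in stages:
        out.append("stage 2 without a stage 1 app is expected: uninstallParent() removes the dropper")
    if "stage1" in stages and "stage2" not in stages:
        out.append("no stage 2 package proves nothing: the dropper loads stage 2 in-process "
                   "(downloaded, or decrypted from an embedded blob); pull the APK for analysis")
    out += [f"{f.package}: name match only, hash the APK at {f.path} before acting"
            for f in findings if f.evidence == "name"]
    return out


# Constructed device output: one stage 2 install next to two unrelated packages.
SAMPLE_PM_OUTPUT = """\
package:/data/app/com.android.mediaserver-1/base.apk=com.android.mediaserver
package:/data/app/com.example.notes-2/base.apk=com.example.notes
package:/system/priv-app/MediaProvider/MediaProvider.apk=com.android.providers.media
"""
SAMPLE_SHA_OUTPUT = """\
1ba8d5f45e8cd545cc3b919bea80e7bd5c6c85fc822f52edc0669191536d43da  /data/app/com.android.mediaserver-1/base.apk
0000000000000000000000000000000000000000000000000000000000000000  /data/app/com.example.notes-2/base.apk
"""

if __name__ == "__main__":
    found = triage(SAMPLE_PM_OUTPUT, SAMPLE_SHA_OUTPUT)
    for f in found:
        print(f"{f.evidence:4} {f.stage} {f.package} ({f.path})")
    print("\n".join(notes(found)))
```

Feed it the real `pm list packages -f` and `sha256sum` output from a device under investigation; a hash hit identifies the exact sample, while a name-only hit can be a coincidence or a repackaged build and should be confirmed from the APK.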

From Chrysaor to Lipizzan: Blocking a new targeted spyware family

Posted by Megan Ruthven Android Security, Ken Bodzak Threat Analysis Group, Neel Mehta Threat Analysis Group

Android Security is always developing new ways of using data to find and block potentially harmful apps (PHAs) from getting onto your devices. Earlier this year, we announced we had blocked Chrysaor targeted spyware, believed to be written by NSO Group, a cyber arms company. In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan's code contains references to a cyber arms company, Equus Technologies.

Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user's email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.

We've enhanced Google Play Protect's capabilities to detect the targeted spyware used here and will continue to use this framework to block more targeted spyware. To learn more about the methods Google uses to find targeted mobile spyware like Chrysaor and Lipizzan, attend our BlackHat talk, Fighting Targeted Malware in the Mobile Ecosystem.

How does Lipizzan work?

Getting on a target device

Lipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a "Backup" or "Cleaner" app. Upon installation, Lipizzan would download and load a second "license verification" stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Once implanted on a target device

The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:

  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)

The PHA had specific routines to retrieve data from each of the following apps:

  • Gmail
  • Hangouts
  • KakaoTalk
  • LinkedIn
  • Messenger
  • Skype
  • Snapchat
  • StockEmail
  • Telegram
  • Threema
  • Viber
  • Whatsapp

We saw all of this behavior on a standalone stage 2 app, com.android.mediaserver (not related to Android MediaServer). This app shared a signing certificate with one of the stage 1 applications, com.app.instantbackup, indicating the same author wrote the two. We could use the following code snippet from the 2nd stage (com.android.mediaserver) to draw ties to the stage 1 applications.

public void uninstallParent() { 
    android.util.Log.d("ApplicationsManager", "Removing parent application!");
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("echo u:r:system_server:s0 > /proc/$$/attr/current; pm uninstall").append("com.app.instantbackup").toString());
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("rm -rf /data/data/").append("com.app.instantbackup").toString());
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("rm -Rf /data/data/").append("com.app.instantbackup").toString());
    return;
}

Morphing first stage

After we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences.

  • The apps changed from 'backup' apps to looking like a "cleaner", "notepad", "sound recorder", and "alarm manager" app. The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps.
  • The app changed from downloading an unencrypted stage 2 to including stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent with an AES key and IV.

Despite changing the type of app and the method to download stage 2, we were able to catch the new implant apps soon after upload.

How many devices were affected?

There were fewer than 100 devices that checked into Google Play Protect with the apps listed below. That means the family affected only 0.000007% of Android devices. Since we identified Lipizzan, Google Play Protect removed Lipizzan from affected devices and actively blocks installs on new devices.

What can you do to protect yourself?

  • Ensure you are opted into Google Play Protect.
  • Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
  • Keep "unknown sources" disabled while not using it.
  • Keep your phone patched to the latest Android security update.

List of samples

1st stage

Older version

Package Name Latest App SHA 256
com.safe.datasaver 5d6a8c9c335edaf0b5d010f30e9fc9cea1e7a19d8c4e888079d6a6a4bae5aaef
com.and.goldbackup 3a9f25b2ba38974b0eb8de76ad37abc77f7eb068e6880305cc1faaba4467d5cf
com.star.backupstar ed4f693ea491ab0c455499fbaeddec70652b506f778130b43101b2496669fe59
com.veramon.backupit 27971324142ae23aad3f7e95e7eb1b85a7f08b39b4a4d27aab177669e875791b
com.copanga.backupplus 726b91193469513405b95f0c20cb0ec94396ce317ac0f763e98af949186630f8
com.app.thunderbackup 99282aa2d17a341d88a6e1944149639bcc8f711cdcd134a455b0c25951111712
com.kopos.nowbackup 48305da03403990395afb159c56370d204b0e32343f3b0790b640653ee79e5c9
com.appnow.backupdroid 35896010e204b064e313204d525185586924b31a0804d0512ba5467fc95cb35e
com.apptimus.androidbackuppro b615936270d9dab3c29d7b0a3c1fc846f1f5d82570fb917849769f578cfaeb01
com.app.backupfast 9efa83579e769f73793e138d79d15aa5b96e42c58b568eab00edece6219e2322
com.app.instantbackup a5f266864b341f8558aacdee1a38fe4b95a9035bf9c0c1d7761e23de2181dcf2

Newer version

Package Name Latest App SHA 256
com.sd.sdbackup 8ebe42ce2c03e56cb97bb2dc1be47a4226899d6f648c30eecb19e32a7867657a
com.app.procleaner affc95a6db70b62b4252fe5da4016ae873b33e645147f06f12a33c9dc5305ae4
com.app.alarmmanager fe121da2a53632ba2b617eae26c72b685ed4853a6b3f9fd223af11a1042c3541
com.app.soundrecorder aa4445023df7b203e8078858b502d1082647c815b24c3335a58347bc98b79c74
com.mem.notesplus 24aa8a2f2fbbbe82b89076bf1981bdedb7ecb4baa9e036993504e8309269b373
com.app.processcleaner b2eca848730d41c2e8001ec7316352343b84327d59e193aacdcd0d01aceb79f2
com.kobm.devicecleaner 6ddad8d049fd25e06b84de013dfec7e1bb09abca78604305b9ae1df6c4145e5c
com.yonni.deviceoptimizer 2f8fab18374080ac42422e5e79a693438b81f95f76de5f2f34cd2a0c882f06ef
com.haima.ultracleaner af7f90809d4e3bf160ccf4a219012f9dac283657f57b812733022f4a966428ea

Standalone 2nd stage

Package Name Latest App SHA 256
com.android.mediaserver 1ba8d5f45e8cd545cc3b919bea80e7bd5c6c85fc822f52edc0669191536d43da

From Chrysaor to Lipizzan: Blocking a new targeted spyware family

Posted by Megan Ruthven Android Security, Ken Bodzak Threat Analysis Group, Neel Mehta Threat Analysis Group

Android Security is always developing new ways of using data to find and block potentially harmful apps (PHAs) from getting onto your devices. Earlier this year, we announced we had blocked Chrysaor targeted spyware, believed to be written by NSO Group, a cyber arms company. In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan's code contains references to a cyber arms company, Equus Technologies.

Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user's email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.

We've enhanced Google Play Protect's capabilities to detect the targeted spyware used here and will continue to use this framework to block more targeted spyware. To learn more about the methods Google uses to find targeted mobile spyware like Chrysaor and Lipizzan, attend our BlackHat talk, Fighting Targeted Malware in the Mobile Ecosystem.

How does Lipizzan work?

Getting on a target device

Lipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a "Backup" or "Cleaner" app. Upon installation, Lipizzan would download and load a second "license verification" stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Once implanted on a target device

The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:

  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)

The PHA had specific routines to retrieve data from each of the following apps:

  • Gmail
  • Hangouts
  • KakaoTalk
  • LinkedIn
  • Messenger
  • Skype
  • Snapchat
  • StockEmail
  • Telegram
  • Threema
  • Viber
  • Whatsapp

We saw all of this behavior on a standalone stage 2 app, com.android.mediaserver (not related to Android MediaServer). This app shared a signing certificate with one of the stage 1 applications, com.app.instantbackup, indicating the same author wrote the two. We could use the following code snippet from the 2nd stage (com.android.mediaserver) to draw ties to the stage 1 applications.

public void uninstallParent() { 
    android.util.Log.d("ApplicationsManager", "Removing parent application!");
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("echo u:r:system_server:s0 > /proc/$$/attr/current; pm uninstall").append("com.app.instantbackup").toString());
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("rm -rf /data/data/").append("com.app.instantbackup").toString());
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("rm -Rf /data/data/").append("com.app.instantbackup").toString());
    return;
}

Morphing first stage

After we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences.

  • The apps changed from 'backup' apps to looking like a "cleaner", "notepad", "sound recorder", and "alarm manager" app. The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps.
  • The app changed from downloading an unencrypted stage 2 to including stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent with an AES key and IV.

Despite changing the type of app and the method to download stage 2, we were able to catch the new implant apps soon after upload.

How many devices were affected?

There were fewer than 100 devices that checked into Google Play Protect with the apps listed below. That means the family affected only 0.000007% of Android devices. Since we identified Lipizzan, Google Play Protect removed Lipizzan from affected devices and actively blocks installs on new devices.

What can you do to protect yourself?

  • Ensure you are opted into Google Play Protect.
  • Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
  • Keep "unknown sources" disabled while not using it.
  • Keep your phone patched to the latest Android security update.

List of samples

1st stage

Older version

Package Name Latest App SHA 256
com.safe.datasaver 5d6a8c9c335edaf0b5d010f30e9fc9cea1e7a19d8c4e888079d6a6a4bae5aaef
com.and.goldbackup 3a9f25b2ba38974b0eb8de76ad37abc77f7eb068e6880305cc1faaba4467d5cf
com.star.backupstar ed4f693ea491ab0c455499fbaeddec70652b506f778130b43101b2496669fe59
com.veramon.backupit 27971324142ae23aad3f7e95e7eb1b85a7f08b39b4a4d27aab177669e875791b
com.copanga.backupplus 726b91193469513405b95f0c20cb0ec94396ce317ac0f763e98af949186630f8
com.app.thunderbackup 99282aa2d17a341d88a6e1944149639bcc8f711cdcd134a455b0c25951111712
com.kopos.nowbackup 48305da03403990395afb159c56370d204b0e32343f3b0790b640653ee79e5c9
com.appnow.backupdroid 35896010e204b064e313204d525185586924b31a0804d0512ba5467fc95cb35e
com.apptimus.androidbackuppro b615936270d9dab3c29d7b0a3c1fc846f1f5d82570fb917849769f578cfaeb01
com.app.backupfast 9efa83579e769f73793e138d79d15aa5b96e42c58b568eab00edece6219e2322
com.app.instantbackup a5f266864b341f8558aacdee1a38fe4b95a9035bf9c0c1d7761e23de2181dcf2

Newer version

Package Name Latest App SHA 256
com.sd.sdbackup 8ebe42ce2c03e56cb97bb2dc1be47a4226899d6f648c30eecb19e32a7867657a
com.app.procleaner affc95a6db70b62b4252fe5da4016ae873b33e645147f06f12a33c9dc5305ae4
com.app.alarmmanager fe121da2a53632ba2b617eae26c72b685ed4853a6b3f9fd223af11a1042c3541
com.app.soundrecorder aa4445023df7b203e8078858b502d1082647c815b24c3335a58347bc98b79c74
com.mem.notesplus 24aa8a2f2fbbbe82b89076bf1981bdedb7ecb4baa9e036993504e8309269b373
com.app.processcleaner b2eca848730d41c2e8001ec7316352343b84327d59e193aacdcd0d01aceb79f2
com.kobm.devicecleaner 6ddad8d049fd25e06b84de013dfec7e1bb09abca78604305b9ae1df6c4145e5c
com.yonni.deviceoptimizer 2f8fab18374080ac42422e5e79a693438b81f95f76de5f2f34cd2a0c882f06ef
com.haima.ultracleaner af7f90809d4e3bf160ccf4a219012f9dac283657f57b812733022f4a966428ea

Standalone 2nd stage

Package Name Latest App SHA 256
com.android.mediaserver 1ba8d5f45e8cd545cc3b919bea80e7bd5c6c85fc822f52edc0669191536d43da

From Chrysaor to Lipizzan: Blocking a new targeted spyware family

Posted by Megan Ruthven Android Security, Ken Bodzak Threat Analysis Group, Neel Mehta Threat Analysis Group

Android Security is always developing new ways of using data to find and block potentially harmful apps (PHAs) from getting onto your devices. Earlier this year, we announced we had blocked Chrysaor targeted spyware, believed to be written by NSO Group, a cyber arms company. In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan's code contains references to a cyber arms company, Equus Technologies.

Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user's email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.

We've enhanced Google Play Protect's capabilities to detect the targeted spyware used here and will continue to use this framework to block more targeted spyware. To learn more about the methods Google uses to find targeted mobile spyware like Chrysaor and Lipizzan, attend our BlackHat talk, Fighting Targeted Malware in the Mobile Ecosystem.

How does Lipizzan work?

Getting on a target device

Lipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a "Backup" or "Cleaner" app. Upon installation, Lipizzan would download and load a second "license verification" stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Once implanted on a target device

The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:

  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)

The PHA had specific routines to retrieve data from each of the following apps:

  • Gmail
  • Hangouts
  • KakaoTalk
  • LinkedIn
  • Messenger
  • Skype
  • Snapchat
  • StockEmail
  • Telegram
  • Threema
  • Viber
  • WhatsApp

We saw all of this behavior on a standalone stage 2 app, com.android.mediaserver (not related to Android MediaServer). This app shared a signing certificate with one of the stage 1 applications, com.app.instantbackup, indicating the same author wrote the two. We could use the following code snippet from the 2nd stage (com.android.mediaserver) to draw ties to the stage 1 applications.

// Decompiled from the stage 2 app com.android.mediaserver; the hard-coded
// package name ties it to the stage 1 app com.app.instantbackup.
public void uninstallParent() {
    android.util.Log.d("ApplicationsManager", "Removing parent application!");
    // Runs as root: switches the shell's SELinux context, then uninstalls the stage 1 package
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("echo u:r:system_server:s0 > /proc/$$/attr/current; pm uninstall").append("com.app.instantbackup").toString());
    // Deletes the stage 1 app's private data directory
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("rm -rf /data/data/").append("com.app.instantbackup").toString());
    com.android.mediaserver.shell.Shell$SU.run(new StringBuilder().append("").append("rm -Rf /data/data/").append("com.app.instantbackup").toString());
    return;
}
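The shared-signing-certificate check used above to tie the stage 2 app to a stage 1 app, as an added example that is not the post's or Google's own code: it pulls the v1 (JAR) signing certificate out of each APK's META-INF/*.RSA PKCS#7 blob with a minimal DER walker, fingerprints it with SHA-256, and clusters samples that share a signer. It assumes v1-signed APKs (APKs signed only with the v2/v3 scheme keep the certificate in the APK Signing Block, which this does not parse); make_sample_apk builds a constructed fixture for testing, not a real APK.

```python
import hashlib, io, zipfile
from collections import defaultdict

def _der(tag, content):
    # Minimal DER encoder (tag, length, content); used only to build the constructed fixture.
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8 or 1, "big")
    length = bytes([len(content)]) if len(content) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _children(buf):
    # Split a DER constructed value into (tag, content, raw_tlv) triples.
    out, pos = [], 0
    while pos < len(buf):
        start, tag, n, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low bits give the count of length bytes that follow
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n], buf[start:pos + n]))
        pos += n
    return out

def signer_cert_der(pkcs7):
    # Raw DER of the first certificate inside a PKCS#7 SignedData blob (META-INF/*.RSA).
    content_info = _children(pkcs7)[0][1]                          # ContentInfo SEQUENCE
    signed_data = _children(_children(content_info)[1][1])[0][1]   # [0] EXPLICIT -> SignedData
    certs = next(c for t, c, _ in _children(signed_data) if t == 0xA0)  # [0] IMPLICIT certificates
    return _children(certs)[0][2]

def apk_signer_fingerprint(apk_bytes):
    # SHA-256 hex of the v1 signing certificate, the digest "apksigner verify --print-certs" reports.
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        sig = next(n for n in z.namelist() if n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")))
        return hashlib.sha256(signer_cert_der(z.read(sig))).hexdigest()

def cluster_by_signer(apks):
    # Group {package_name: apk_bytes} by signer fingerprint; a shared cert means a shared signing key.
    groups = defaultdict(list)
    for name, data in apks.items():
        groups[apk_signer_fingerprint(data)].append(name)
    return {fp: sorted(names) for fp, names in groups.items()}

def make_sample_apk(cert_body):
    # Constructed fixture: a zip holding a fake PKCS#7 around a fake certificate, not a real APK.
    cert = _der(0x30, cert_body)
    signed = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, b"") + _der(0xA0, cert))
    pkcs7 = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010702")) + _der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()
```

On real samples, feed the APK bytes straight into cluster_by_signer; two packages landing in one cluster were signed with the same key, which is the link the post draws between com.android.mediaserver and com.app.instantbackup.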

Morphing first stage

After we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences.

  • The apps changed from posing as "backup" apps to posing as "cleaner", "notepad", "sound recorder", and "alarm manager" apps. The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps.
  • The app changed from downloading an unencrypted stage 2 to including stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent with an AES key and IV.

Despite changing the type of app and the method to download stage 2, we were able to catch the new implant apps soon after upload.

How many devices were affected?

There were fewer than 100 devices that checked into Google Play Protect with the apps listed below. That means the family affected only 0.000007% of Android devices. Since we identified Lipizzan, Google Play Protect removed Lipizzan from affected devices and actively blocks installs on new devices.

What can you do to protect yourself?

  • Ensure you are opted into Google Play Protect.
  • Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
  • Keep "unknown sources" disabled while not using it.
  • Keep your phone patched to the latest Android security update.

List of samples


Standalone 2nd stage

Package Name Latest App SHA 256
com.android.mediaserver 1ba8d5f45e8cd545cc3b919bea80e7bd5c6c85fc822f52edc0669191536d43da