Android Dev Team Finds Lipizzan Malware Early On

Google's internal Android development team announced that it has stumbled across an unreleased Android malware called Lipizzan, and managed to get it blocked before it had a chance to fully go public. Specifically, Google found all 20 apps containing code for Lipizzan, which had only hit 100 devices in total at the time, and removed all of those apps from the Play Store, as well as banning the developers behind them. Lipizzan was actually found during research to ferret out and figure out how to block the Chrysaor malware that surfaced briefly back in April. It didn't take Google's team very long to get rid of the errant malware, but during the course of that research, the team managed to find Lipizzan, and it has now been fully reverse-engineered and blocked in Android as of the latest security update.

The codebase for Lipizzan did not explicitly state who it was written by, but did contain some references to Equus Technologies, an international tech company that seems to have multiple specialties, including engineering cyber attack and defense utilities. The malware would use an innocent-looking dummy app to download a second stage, presented to the user as license verification in most cases, which would run additional checks. If the device was suitable, an exploit would be used to gain root access, and then the malware could actually start to work. The part of the malware that actually grabbed user data posed as Android's built-in Mediaserver program, and had specifically crafted bits of code made to grab information from certain services like Facebook Messenger, Hangouts, and Gmail, which typically contain or handle sensitive user information like passwords.

Thanks to the research involved in finding and blocking Chrysaor and Lipizzan, Google Play Protect has been enhanced with an entirely new framework made specifically to catch these sorts of targeted, two-stage malware programs. Before, these could wind up on the Play Store looking fairly innocent, and end up staying there a while because they didn't actually do anything malicious in and of themselves. With the updates made to Google Play Protect, apps that ask the user to download anything can now be checked over to ensure that what they're downloading does not have any malicious instructions or phone home to a control server for potentially malicious instructions.

Copyright ©2019 Android Headlines. All Rights Reserved
About the Author

Daniel Fuller

Senior Staff Writer
Daniel has been writing for Android Headlines since 2015, and is one of the site's Senior Staff Writers. He's been living the Android life since 2010, and has been interested in technology of all sorts since childhood. His personal, educational and professional backgrounds in computer science, gaming, literature, and music leave him uniquely equipped to handle a wide range of news topics for the site. These include the likes of machine learning, voice assistants, AI technology development, and hot gaming news in the Android world.