Google's internal Android development team announced that it has stumbled across an unreleased Android malware called Lipizzan, and managed to get it blocked it before it had a chance to fully go public. Specifically, Google found all 20 apps containing code for Lipizzan, which had only hit 100 devices in total at the time, and remove all of those apps from the Play Store, as well as banning the developers behind them. Lippizan was actually found during research to ferret out and figure out how to block the Chrysaor malware that surfaced briefly back in April. It didn't take Google's team very long to get rid of the errant malware, but during the course of that research, the team managed to find Lipizzan, and it has now been fully reverse-engineered and blocked in Android as of the latest security update.
The codebase for Lippizan did not explicitly state who it was written by, but did contain some references to Equus Technologies, an international tech company that seems to have multiple specialties, including engineering cyber attack and defense utilities. The malware would use an innocent-looking dummy app to download a second stage, presented to the user as license verification in most cases, which would run additional checks. If the device was suitable, an exploit would be used to gain root access, then the malware could actually start to work. The part of the malware that actually grabbed user data posed as Android's built-in Mediaserver program, and had specifically crafted bits of code made to grab information from certain services like Facebook Messenger, Hangouts, and Gmail, which typically contain or handle sensitive user information like passwords.
Thanks to the research involved in finding and blocking Chrysaor and Lipizzan, Google Play Protect has been enhanced with an entirely new framework made specifically to catch these sorts of targeted, two-stage malware programs. Before, these could wind up on the Play Store looking fairly innocent, and end up staying there a while because they didn't actually do anything malicious in and of themselves. With the updates made to Google Play Protect, apps that ask the user to download anything can now be checked over to ensure that what they're downloading does not have any malicious instructions or phone home to a control server for potentially malicious instructions.