Catching a threat before it spreads is the best outcome a defender can hope for, and that is what Google did when it stopped a family of Android spyware before it reached more than a handful of users.
Google said it had come across a new family of Android spyware called Lipizzan, which the company linked to an Israeli company that works with governments and intelligence agencies around the world.
The apps got past Google's filters and into the Google Play Store using an approach that relies on a two-stage infection process, researchers said in a blog post.
That is where Google’s new Google Play Protect came into play.
“The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a ‘Backup’ or ‘Cleaner’ app,” Google researchers said.
“Upon installation, Lipizzan would download and load a second ‘license verification’ stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.”
Once it infected a device, the spyware could record calls and ambient audio from the microphone, track the device's location, take screenshots and camera photos, and collect device information and user data such as call logs, contacts, text messages, and app data.
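The pattern Google describes above, a benign-looking app that pulls down a second stage at runtime and then needs far more access than a "Backup" or "Cleaner" app should, is something an analyst can screen for during static triage. The script below is an added example, not Google's detection logic or any code from Lipizzan. It assumes the APK has already been unpacked (for instance with apktool) so the manifest is plain XML and the DEX string table has been dumped to a list; the permission and API lists are the editor's own assumptions about what such an app has no business requesting, and the sample manifest and strings are constructed for the example.

```python
"""Static triage heuristic for two-stage Android loaders.

Added example, not Google's detection logic or Lipizzan's code. Assumes the
APK has been unpacked (e.g. apktool) so the manifest is plain XML and the
classes.dex string table is available as a Python list. Indicator lists
are assumptions chosen for illustration, not indicators published by Google.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a backup/cleaner app has no obvious need for (assumption).
SURVEILLANCE_PERMS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.PROCESS_OUTGOING_CALLS",
}

# APIs that load code which was not in the APK at install time.
DYNAMIC_LOAD_APIS = (
    "dalvik/system/DexClassLoader",
    "dalvik/system/PathClassLoader",
    "dalvik/system/InMemoryDexClassLoader",
    "java/lang/Runtime;->exec",
)

# Second-stage file naming used in the constructed sample; illustrative only.
STAGE2_PATTERN = re.compile(r"(license|verif)\w*\.(dex|jar|apk|bin)$", re.I)


def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def triage(manifest_xml: str, dex_strings: list) -> dict:
    """Score one unpacked APK for the two-stage loader pattern."""
    perms = manifest_permissions(manifest_xml)
    findings = {
        "surveillance_perms": sorted(perms & SURVEILLANCE_PERMS),
        "dynamic_loaders": sorted({api for api in DYNAMIC_LOAD_APIS
                                   if any(api in s for s in dex_strings)}),
        "stage2_artifacts": sorted({s for s in dex_strings
                                    if STAGE2_PATTERN.search(s)}),
    }
    # Runtime code loading on its own is common in legitimate apps; combined
    # with an over-broad permission set or a second-stage download it is the
    # combination worth a human look.
    findings["suspicious"] = bool(findings["dynamic_loaders"]) and (
        len(findings["surveillance_perms"]) >= 2
        or bool(findings["stage2_artifacts"]))
    return findings


# Constructed sample: an "innocuous" backup app with a suspicious profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.backup">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Backup"><activity android:name=".Main"/></application>
</manifest>"""

SAMPLE_DEX_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "https://example.invalid/update/license_verification.jar",  # constructed URL
    "Landroid/os/Build;->MODEL",
    "ro.build.tags",
]

# Constructed sample: a plain backup app for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainbackup">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Backup"/>
</manifest>"""

BENIGN_DEX_STRINGS = ["Ljava/io/File;", "backup_archive.zip"]

if __name__ == "__main__":
    for name, m, s in (("sample", SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS),
                       ("benign", BENIGN_MANIFEST, BENIGN_DEX_STRINGS)):
        print(name, triage(m, s))
```

The heuristic is deliberately conservative: dynamic class loading alone is not flagged, because plenty of legitimate apps and SDKs use it, which is also why a first stage like the one Google describes can pass automated review. A manifest that is out of step with the app's stated purpose is the cheaper signal to check first.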
After Google blocked the first wave of apps carrying the spyware, the operators uploaded a second batch with tweaks meant to slip past Play Store filters, including new app names and an encrypted second stage.
Google said fewer than 100 devices were infected, that Google Play Protect removed the spyware from those devices, and that it blocked the install on others.