
20 malicious apps removed from Google Play for recording calls, collecting e-mails and messages

By Michael Low & Liu Hongzuo - on 28 Jul 2017, 2:30pm


20 apps were removed from the Google Play store after it was discovered that they contained code that could extract e-mails, text messages, location data, voice calls, and more.

Prior to the discovery, the apps had reached about 100 smartphones. According to Ars Technica, the code exploits a known vulnerability that gives the app root access, allowing it to bypass security protections that are built into the Android OS itself. This allowed the malicious apps to listen in on apps like Gmail, Hangouts, LinkedIn, and Messenger. They could also collect data from messages sent and received by WhatsApp, Telegram, KakaoTalk, Skype, Snapchat, and Viber (some of these apps do encrypt data to make such attacks harder).

Google observes the malware in action via the injected code. Image credit: Google.

The 20 malicious apps also had functions that affected other stock features found on a typical smartphone. They could record calls, VoIP, and the device’s microphone. They could also take screenshots and photos using a phone’s camera, and retrieve both device and user information. These apps masqueraded as phone-cleaning utility apps on the Play store.

According to Google’s security PSA, the malicious code falls under a spyware family called Lipizzan, and it contained references to Equus Technologies, a cyber-arms firm (editorial note: they seem obsessed with horse terminology). The Lipizzan spyware works in two stages. After it rides into the Google Play store by skirting around the Google Play Protect security system, the spyware apps are downloaded and installed by users, and the apps get approval to root the device using known exploits. Once the phone is properly infected, it begins to push data to the spyware’s mother-server. As mentioned above, the offending apps are now gone from the Play Store.

A (possibly unrelated) malware discovery by cyber security firm Sophos, 12 hours after Google's Lipizzan PSA. Image credit: Sophos.

Ars Technica also noted that cyber security firm Sophos announced a new batch of SMS-stealing apps on the Play store shortly after Google’s PSA. Going by their identifier names, the Sophos finding seems unrelated to Lipizzan, and these malicious apps have 100,000 to 500,000 downloads in total so far.

If you want to read more about horses like the Lipizzan, try Wikipedia.

Source: Google (via Ars Technica), Sophos (blog)