Google has expelled 20 Android apps from its Play marketplace after finding they contained code for monitoring and extracting users’ e-mail, text messages, locations, voice calls, and other sensitive data.
The apps, which made their way onto about 100 phones, exploited known vulnerabilities to “root” devices running older versions of Android. Root status allowed the apps to bypass security protections built into the mobile operating system. As a result, the apps were capable of surreptitiously accessing sensitive data stored, sent, or received by at least a dozen other apps, including Gmail, Hangouts, LinkedIn, and Messenger. The now-ejected apps also collected messages sent and received by Whatsapp, Telegram, and Viber, which all encrypt data in an attempt to make it harder for attackers to intercept messages while in transit.
The apps also contained functions allowing for:
- Call recording
- VOIP recording
- Recording from the device microphone
- Location monitoring
- Taking screenshots
- Taking photos with the device camera(s)
- Fetching device information and files
- Fetching user information (contacts, call logs, SMS, application-specific data)
To conceal their surveillance capabilities, the apps posed as utilities for cleaning unwanted files or backing up data. Google said the apps contained evidence that they were developed by a cyber arms company called Equus Technologies. In April, Google officials warned of a different family of Android surveillance apps developed by a different provider of intercept tools called NSO Group Technologies. Those apps were related to the advanced iOS spyware known as Pegasus, which was used against a political dissident located in the United Arab Emirates. In that case, however, the Pegasus-related Android apps never made their way into Google Play.Google has dubbed the new batch of surveillance apps “Lipizzan.” In a blog post published Wednesday, company researchers said they were a two-stage tool. The first stage was distributed through Google Play and other channels and usually masqueraded as a legitimate app. Once installed, the apps would download and load a second stage involving some sort of license verification. This second stage would survey the infected device. Depending on the results, the second stage would then root the device and begin to exfiltrate device data to a server controlled by the developers.
Google researchers discovered the apps using techniques they developed during their investigation of the Pegasus-related apps. The techniques involved Google Play Protect, a tool that regularly scans previously installed apps and warns of any security concerns. After the researchers blocked an earlier set of apps on Google Play, the developers uploaded a new set of apps with a similar format but a couple of differences in an attempt to work around the purge. The Google researchers quickly spotted the new batch and removed those as well.
Google’s disclosure came about 12 hours before researchers from antivirus provider Sophos documented two apps on Google Play that also steal text messages. One app poses as an app store shortcut feature, and the other masquerades as an app for a “Skin Care Magazine.” They worked by downloading a plug-in. Together, they had received 100,000 to 500,000 downloads.
Post updated to add the last paragraph.