Blocking a new targeted spyware family


Posted through Megan Ruthven Android Security, Ken Bodzak Threat Analysis Group, Neel Mehta Threat Analysis Group

Android Security is at all times creating new techniques of the use of information to seek out and block
doubtlessly destructive apps (PHAs) from getting onto your units. Earlier this
12 months, we
announced
we had blocked Chrysaor targeted spyware, believed to be written
through NSO Group, a cyber palms corporate. In the process our Chrysaor investigation,
we used equivalent ways to find a new and unrelated family of spyware
known as Lipizzan. Lipizzan’s code incorporates references to a cyber palms corporate,
Equus Technologies.

Lipizzan is a multi-stage spyware product able to tracking and exfiltrating
a consumer’s e-mail, SMS messages, location, voice calls, and media. We have discovered 20
Lipizzan apps dispensed in a targeted model to fewer than 100 units in
overall and feature blocked the builders and apps from the Android ecosystem.
Google Play Protect has notified all affected units and got rid of the Lipizzan
apps.

We’ve enhanced Google Play Protect’s functions to hit upon the targeted spyware
used right here and can proceed to make use of this framework to dam extra targeted
spyware. To be told extra concerning the strategies Google makes use of to seek out targeted cellular
spyware like Chrysaor and Lipizzan, attend our BlackHat communicate, Fighting
Targeted Malware in the Mobile Ecosystem
.

How does Lipizzan paintings?

Getting on a goal tool

Lipizzan used to be a subtle two level spyware software. The first level discovered through
Google Play Protect used to be dispensed thru a number of channels, together with Google
Play, and in most cases impersonated an innocuous-sounding app reminiscent of a “Backup” or
“Cleaner” app. Upon set up, Lipizzan would obtain and cargo a 2d
“license verification” level, which might survey the inflamed tool and
validate sure abort standards. If given the all-clear, the second one level would
then root the tool with recognized exploits and start to exfiltrate tool information to
a Command & Control server.

Once implanted on a goal tool

The Lipizzan 2d level used to be able to acting and exfiltrating the consequences
of the next duties:

  • Call recording
  • VOIP recording
  • Recording from the tool microphone
  • Location tracking
  • Taking screenshots
  • Taking footage with the tool digital camera(s)
  • Fetching tool data and information
  • Fetching consumer data (contacts, name logs, SMS, application-specific
    information)

The PHA had particular routines to retrieve information from every of the next apps:

  • Gmail
  • Hangouts
  • KakaoTalk
  • RelatedIn
  • Messenger
  • Skype
  • Snapchat
  • StockEmail
  • Telegram
  • Threema
  • Viber
  • Whatsapp

We noticed all of this habits on a standalone level 2 app, com.android.mediaserver
(no longer associated with Android
MediaServer
). This app shared a signing certificates with probably the most level 1
packages, com.app.instantbackup, indicating the similar writer wrote the 2.
We may just use the next code snippet from the 2d level
(com.android.mediaserver) to attract ties to the level 1 packages.

public void uninstallParent() 

Morphing first level

After we blocked the primary set of apps on Google Play, new apps have been uploaded
with a equivalent structure however had a couple of variations.

  • The apps modified from ‘backup’ apps to having a look like a “cleaner”, “notepad”,
    “sound recorder”, and “alarm manager” app. The new apps have been uploaded inside of a
    week of the takedown, appearing that the authors have a way of simply converting
    the branding of the implant apps.
  • The app modified from downloading an unencrypted level 2 to together with level 2
    as an encrypted blob. The new level 1 would handiest decrypt and cargo the 2d level
    if it won an intent with an AES key and IV.

Despite converting the kind of app and the strategy to obtain level 2, we have been
in a position to catch the new implant apps quickly after add.

How many units have been affected?

There have been fewer than 100 units that checked into Google Play Protect with the
apps indexed beneath. That approach the family affected handiest zero.000007% of Android
units. Since we recognized Lipizzan, Google Play Protect got rid of Lipizzan from
affected units and actively blocks installs on new units.

What are you able to do to give protection to your self?

  • Ensure you’re opted into Google Play Protect.
  • Exclusively use the Google Play retailer. The likelihood you’re going to set up a PHA is
    a lot decrease on Google Play than the use of different set up mechanisms.
  • Keep “unknown sources” disabled whilst no longer the use of it.
  • Keep your telephone patched to the most recent Android safety replace.

List of samples

1st level

Older model

Package Name Latest App SHA 256
com.secure.datasaver 5d6a8c9c335edaf0b5d010f30e9fc9cea1e7a19d8c4e888079d6a6a4bae5aaef
com.and.goldbackup 3a9f25b2ba38974b0eb8de76advert37abc77f7eb068e6880305cc1faaba4467d5cf
com.famous person.backupstar ed4f693ea491ab0c455499fbaeddec70652b506f778130b43101b2496669fe59
com.veramon.backupit 27971324142ae23aad3f7e95e7eb1b85a7f08b39b4a4d27aab177669e875791b
com.copanga.backupplus 726b91193469513405b95f0c20cb0ec94396ce317ac0f763e98af949186630f8
com.app.thunderbackup 99282aa2d17a341d88a6e1944149639bcc8f711cdcd134a455b0c25951111712
com.kopos.nowbackup 48305da03403990395afb159c56370d204b0e32343f3b0790b640653ee79e5c9
com.appnow.backupdroid 35896010e204b064e313204d525185586924b31a0804d0512ba5467fc95cb35e
com.apptimus.androidbackuppro b615936270d9dab3c29d7b0a3c1fc846f1f5d82570facebook917849769f578cfaeb01
com.app.backupfast 9efa83579e769f73793e138d79d15aa5b96e42c58b568eab00edece6219e2322
com.app.instantbackup a5f266864b341f8558aacdee1a38fe4b95a9035bf9c0c1d7761e23de2181dcf2

Newer model

Package Name Latest App SHA 256
com.sd.sdbackup 8ebe42ce2c03e56cb97bb2dc1be47a4226899d6f648c30eecb19e32a7867657a
com.app.procleaner affc95a6db70b62b4252fe5da4016ae873b33e645147f06f12a33c9dc5305ae4
com.app.alarmmanager fe121da2a53632ba2b617eae26c72b685ed4853a6b3f9fd223af11a1042c3541
com.app.soundrecorder aa4445023df7b203e8078858b502d1082647c815b24c3335a58347bc98b79c74
com.mem.notesplus 24aa8a2f2fbbbe82b89076bf1981bdedb7ecb4baa9e036993504e8309269b373
com.app.processcleaner b2eca848730d41c2e8001ec7316352343b84327d59e193aacdcd0d01aceb79f2
com.kobm.devicecleaner 6ddad8d049fd25e06b84de013dfec7e1bb09abca78604305b9ae1df6c4145e5c
com.yonni.deviceoptimizer 2f8fab18374080ac42422e5e79a693438b81f95f76de5f2f34cd2a0c882f06ef
com.haima.ultracleaner af7f90809d4e3bf160ccf4a219012f9dac283657f57b812733022f4a966428ea

Standalone 2d level

Package Name Latest App SHA 256
com.android.mediaserver 1ba8d5f45e8cd545cc3b919bea80e7bd5c6c85fc822f52edc0669191536d43da



Source link

Reply