Stealthy Google Play Apps Recorded Calls and Stole E-Mails and Texts

posted by martyb on Tuesday August 01, @02:24AM
Fnord666 writes:

Google has expelled 20 Android apps from its Play marketplace after finding they contained code for monitoring and extracting users' e-mail, text messages, locations, voice calls, and other sensitive data.

The apps, which made their way onto about 100 phones, exploited known vulnerabilities to "root" devices running older versions of Android. Root status allowed the apps to bypass security protections built into the mobile operating system. As a result, the apps were capable of surreptitiously accessing sensitive data stored, sent, or received by at least a dozen other apps, including Gmail, Hangouts, LinkedIn, and Messenger. The now-ejected apps also collected messages sent and received by Whatsapp, Telegram, and Viber, which all encrypt data in an attempt to make it harder for attackers to intercept messages while in transit.

To conceal their surveillance capabilities, the apps posed as utilities for cleaning unwanted files or backing up data. Google said the apps contained evidence that they were developed by a cyber arms company called Equus Technologies. In April, Google officials warned of a different family of Android surveillance apps developed by a different provider of intercept tools called NSO Group Technologies. Those apps were related to the advanced iOS spyware known as Pegasus, which was used against a political dissident located in the United Arab Emirates. In that case, however, the Pegasus-related Android apps never made their way into Google Play.

Source: https://arstechnica.com/information-technology/2017/07/stealthy-google-play-apps-recorded-calls-and-stole-e-mails-and-texts/

  • (Score: 2) by c0lo (156) Subscriber Badge on Tuesday August 01, @03:54AM (#547509)

    There are many Equus Softwares around; one start-up in Israel [forbes.com] is what you are looking for.

    Or read it from the horse's mouth [googleblog.com], the Google employees' blog (unfortunately bringing the name of a nice horse breed [wikipedia.org] into disrepute, but who's still checking the Trojan horse's mouth nowadays?):

    How does Lipizzan work?

    Getting on a target device

    Lipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a "Backup" or "Cleaner" app. Upon installation, Lipizzan would download and load a second "license verification" stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

    Once implanted on a target device

    The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:

    • Call recording
    • VOIP recording
    • Recording from the device microphone
    • Location monitoring
    • Taking screenshots
    • Taking photos with the device camera(s)
    • Fetching device information and files
    • Fetching user information (contacts, call logs, SMS, application-specific data)

    The PHA had specific routines to retrieve data from each of the following apps:

    • Gmail
    • Hangouts
    • KakaoTalk
    • LinkedIn
    • Messenger
    • Skype
    • Snapchat
    • StockEmail
    • Telegram
    • Threema
    • Viber
    • Whatsapp
