20 bad apps found on Google Play Store, thousands of devices could be affected

By Ciara Alarcon & Liu Hongzuo - on 2 Aug 2017, 6:30pm

Google has removed 20 apps from its Google Play store after it discovered that these apps contain code that could extract emails, text messages, location data, voice calls, and more.

According to Ars Technica, the apps were downloaded on about 100 smartphones. The code exploits a known vulnerability to give the app root access, allowing it to bypass security options that are built into the Android OS itself. This allowed the malicious apps to listen in on apps like Gmail, Hangouts, LinkedIn, and Messenger. It could also collect data from messages sent and received by WhatsApp, Telegram, KakaoTalk, Skype, Snapchat, and Viber.

Google observes the malware in action via the injected code. Image credit: Google

The 20 malicious apps also had functions that affected other stock features found on a typical smartphone. They could record calls, VoIP, and audio from the device’s microphone. They could also take screenshots and photos using the phone’s camera, and retrieve device and user information. These apps masqueraded as phone-cleaning utility apps on the Play store.

According to Google’s security PSA, the malicious code falls under a spyware family called Lipizzan, and it contained references to Equus Technologies, a cyber-arms firm. The Lipizzan spyware works in two stages. After it rides into the Google Play store by skirting around the Google Play Protect security system, the spyware apps are downloaded and installed by users, and the apps get approval to root the device using known exploits. Once the phone is properly infected, it will begin to push data to the spyware’s mother-server. As mentioned above, the offending apps are now gone from the Play Store.

A (possibly unrelated) malware discovery by cyber security firm Sophos, 12 hours after Google's Lipizzan PSA. Image credit: Sophos.

Ars Technica also saw cyber security firm Sophos announcing a new batch of SMS-stealing apps on the Play store shortly after Google’s PSA. Going by their identifier names, the Sophos finding seems unrelated to Lipizzan, and these malicious apps have 100,000 to 500,000 downloads in total so far.

Source: Google (via Ars Technica), Sophos (blog)