Android security issues have long been debated, namely the hot issue of just how exposed you are if you use nothing but Google Play. It’s true: most malware and spyware requires initial action on the user’s part to get going, and the first action, in any case, is typically downloading third-party apps from untrusted sources.
That’s not to say bad Apple’s can find their way to Google Play — they have before, and in fact, they have just recently — but Google is typically quick to find and eliminate these apps. They not only remove them from Google Play but also remove them from any infected devices.
Such was the case with a new family of spyware being called Lipizzan. In their latest blog post, the Android Security team talks about how they were able to quickly identify 20 such apps.
It all began with detecting a botnet code that downloads an unencrypted vessel for transferring things call logs and text messages to a remote server. Here are all the things these apps were able to do:
- Call recording
- VOIP recording
- Recording from the device microphone
- Location monitoring
- Taking screenshots
- Taking photos with the device camera(s)
- Fetching device information and files
- Fetching user information (contacts, call logs, SMS, application-specific data)
Shortly after busting the first group of apps, Google detected a second group that had the botnet code included with the APKs in encrypted format instead of downloading it post-installation. Those apps got the boot quite swiftly, too.
In all, Google says Lipizzan apps were only installed on fewer than 100 devices, which accounted for 0.000007% of Android devices with Google services. With that, they offer the usual line of action for preventing these attacks and protecting yourself:
- Ensure you are opted into Google Play Protect.
- Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
- Keep “unknown sources” disabled while not using it.
- Keep your phone patched to the latest Android security update.
Of course, power users can bend the rules when and if needed, but if at any point you have an ounce of doubt, stick with Google Play.