Google said it found 20 Lipizzan spyware apps on the Play Store “distributed in a targeted fashion to fewer than 100 devices”, and blocked the apps as well as their developers from the Android ecosystem.
In a blog post, Google said the apps had “specific routines to retrieve data” from services including Facebook Messenger, Telegram, Gmail, Skype and Snapchat.
Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls and media, as well as take screenshots and photos from a device’s camera.
The search giant said it discovered Lipizzan when it was investigating another spyware called Chrysaor earlier this year, which was believed to be written by a cyber arms company called NSO Group.
Lipizzan’s code contains references to a cyber arms company called Equus Technologies, it added.
“We’ve enhanced Google Play Protect’s capabilities to detect the targeted spyware used here and will continue to use this framework to block more targeted spyware,” the company said.
Google Play Protect is an automatic app-scanning and management feature rolled out last week.
In early July it was reported mobile malware dubbed CopyCat infected 14 million Android devices, earning the hackers behind it approximately $1.5 million in fake ad revenues in two months.