Back in April, researchers at Google discovered an Android malware, called Chrysaor, that could give an attacker remote control of the infected device. Android Security was able to find and block potentially harmful apps (PHAs) with that family of spyware, but in the process of doing so discovered a new spyware family called Lipizzan.
Researchers believe that the new spyware is unrelated to Chrysaor, and has the ability to monitor and exfiltrate a user's email, SMS messages, location, voice calls, and media. The code behind the spyware has been traced to a cyber arms company, Equus Technologies.
On the Android Developers blog, researchers say that the newly discovered spyware works in two stages. It is firstly distributed through several channels, including Google Play, and hides behind a harmless app like "Backup" or "Cleaner". After installing such an app, Lipizzan would load a second "licence verification" stage, which check out the infected device and validates certain abort criteria. Once the all-clear is given, the spyware proceeds to root the device with known exploits to take control of the device and exfiltrate data to a Command & Control server.
Once Lipizzan gains full control of the infected device, it has the ability to record call, track the user's location, take screenshots and photos with the device's camera, fetch information and files stored in the device and other user information such as contact, call logs and more. Researchers say that the PHA had specific routines to retrieve data from apps like Gmail, LinkedIn, Skype, Snapchat, and WhatsApp.
The most notable thing about the new spyware is how easily the authors can change the branding of the implanted apps. Soon after Google detected and blocked the first set of apps on Google Play, new apps began cropping up with the same spyware. These apps changed from 'backup' apps to apps like "cleaner", "notepad", "sound recorder", to name a few. Google says that it has so far detected the spyware in fewer than 100 devices that checked into Google Play Protect. Now that Lipizzan is detected, Google Play Protect has managed to remove the family from affected devices and will block installs on new devices.
Google says that Android users can protect themselves by making sure they opt into Google Play Protect, and making sure apps are downloaded exclusively from Google Play. The company also urges users to keep their phones patched to the latest Android security update.
There have been a bunch of Android malware-related reports such as SpyDealer, LeakerLocker, and CopyCat in recent months that have raised an alarming concern over the safety of the platform and the potential risks of storing personal information over the digital space.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.