Since at least 2021, users in Russia have been targeted by an Android spyware known as LianSpy, which had previously gone undocumented. Cybersecurity firm Kaspersky identified the malware in March 2024 and reported that it utilizes Yandex Cloud, a Russian cloud service, for its command-and-control (C2) communications, thus avoiding the need for a dedicated infrastructure and evading detection.
“LianSpy is capable of capturing screencasts, extracting user files, and collecting call logs and app lists,” security researcher Dmitry Kalinin explained in a technical report published on Monday.
The method of distribution for the spyware remains unclear. However, it could be deployed through an unpatched security vulnerability or physical access to the target device. The infected apps are disguised as Alipay or an Android system service.
Upon activation, LianSpy determines whether it operates as a system app, allowing it to run in the background with administrator privileges, or whether it needs to request extensive permissions to access contacts, call logs, notifications, and overlay capabilities. It also checks for a debugging environment, sets itself up to persist across reboots, hides its icon from the launcher, and then starts its tasks, such as screenshot capture, data exfiltration, and configuration updates.
In some versions, LianSpy can also gather data from popular instant messaging apps in Russia and has options to restrict its operations based on network connectivity, such as Wi-Fi or mobile networks.
Kalinin noted, “To update the spyware’s configuration, LianSpy searches for a file with the regular expression ‘^frame_.+\.png$’ on a threat actor’s Yandex Disk every 30 seconds. If found, the file is downloaded into the application’s internal data directory.”
The stolen data is stored encrypted in an SQL database, with each record tagged with its type and SHA-256 hash; only the threat actor holding the corresponding private RSA key can decrypt the information.
LianSpy’s stealth capabilities are evident in its circumvention of the privacy indicators introduced by Google in Android 12, which typically display a status bar icon for apps using the microphone or camera.
“The developers of LianSpy have bypassed this feature by altering the Android secure setting parameter icon_blacklist to prevent these notification icons from appearing,” Kalinin pointed out.
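The two host-side artifacts described above (the `icon_blacklist` change and the polled `^frame_.+\.png$` configuration files) can be checked during device triage. The following is an added example, not code from the report or from Kaspersky; it parses constructed `adb shell settings list secure` output and a constructed file listing, and assumes the AOSP status bar slot names `camera` and `microphone` for the Android 12 privacy indicators, since the report names only the setting, not the exact value written.

```python
import re
from typing import Dict, List

# Status bar icon slots carrying Android 12's camera/microphone indicators.
# Slot names are assumed from AOSP SystemUI; the report names only the
# icon_blacklist secure setting, not the exact value LianSpy writes.
PRIVACY_ICON_SLOTS = {"camera", "microphone"}

# Config file name pattern LianSpy polls for on Yandex Disk (from the report).
CONFIG_FILE_RE = re.compile(r"^frame_.+\.png$")

def parse_secure_settings(dump: str) -> Dict[str, str]:
    """Parse `adb shell settings list secure` output (one key=value per line)."""
    settings = {}
    for line in dump.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key] = value
    return settings

def hidden_privacy_icons(settings: Dict[str, str]) -> List[str]:
    """Privacy indicator slots suppressed through icon_blacklist."""
    slots = {s.strip() for s in settings.get("icon_blacklist", "").split(",")}
    return sorted(slots & PRIVACY_ICON_SLOTS)

def staged_config_files(filenames: List[str]) -> List[str]:
    """File names in an app's internal data dir matching the polled pattern."""
    return [f for f in filenames if CONFIG_FILE_RE.match(f)]

def triage(settings_dump: str, data_dir_files: List[str]) -> Dict[str, List[str]]:
    settings = parse_secure_settings(settings_dump)
    return {
        "hidden_privacy_icons": hidden_privacy_icons(settings),
        "staged_config_files": staged_config_files(data_dir_files),
    }

# Constructed sample input, not taken from a real device.
SAMPLE_SETTINGS = "location_mode=3\nicon_blacklist=camera,microphone\nscreensaver_enabled=1\n"
SAMPLE_FILES = ["frame_a1b2.png", "frame_.png", "cache.db", "icon.png"]

if __name__ == "__main__":
    print(triage(SAMPLE_SETTINGS, SAMPLE_FILES))
```

Note that `frame_.png` is deliberately not reported: the pattern requires at least one character between `frame_` and `.png`, matching the regular expression quoted from the report.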
Additionally, the malware uses a modified su binary named “mu” to gain root access, suggesting it may be installed via an unknown exploit or physical access to the device.
LianSpy’s strategy for remaining undetected is further demonstrated by its unidirectional C2 communications: the malware never receives direct incoming commands. Instead, it uses the Yandex Disk service both to exfiltrate stolen data and to retrieve its configuration.
The credentials for accessing Yandex Disk are dynamically updated from a hard-coded Pastebin URL, which differs across various malware variants. By utilizing legitimate services, LianSpy adds an additional layer of obfuscation, complicating efforts to trace its origins.
LianSpy is the latest in a growing array of spyware tools that target mobile devices, whether Android or iOS, often exploiting zero-day vulnerabilities.
“Aside from typical espionage activities like collecting call logs and app lists, LianSpy employs root privileges to conduct covert screen recording and avoid detection,” Kalinin explained. “Its use of a renamed su binary indicates it likely represents a secondary infection, following an initial compromise.”
Source: TheHackerNews