
LianSpy, a new Android spyware, is able to avoid detection by utilizing Yandex Cloud.

Users in Russia have been the target of a previously undisclosed Android post-compromise spyware known as LianSpy since at least 2021.

Kaspersky, a cybersecurity vendor that identified the malware in March 2024, revealed that it utilizes Yandex Cloud, a Russian cloud service, for command-and-control (C2) communications to avoid detection.

“LianSpy is designed to capture screencasts, exfiltrate user files, and collect call logs and app lists,” security researcher Dmitry Kalinin stated in a recent technical report published on Monday.

The distribution method of the spyware remains unclear, but it is likely deployed by exploiting an unidentified security vulnerability or gaining direct physical access to the target device. The malicious apps are disguised as Alipay or an Android system service.

Once activated, LianSpy checks whether it is running as a system app, which lets it operate in the background with administrator privileges. If it is not running as a system app, it instead requests the permissions it needs to read contacts, call logs and notifications and to draw overlays on the screen.

The spyware then checks whether it is running in a debugging environment, sets up a persistent configuration that survives reboots, hides its icon from the launcher, and carries out its tasks: taking screenshots, sending data, and updating its configuration to specify which information should be captured.

Some variants of LianSpy include features to collect data from popular instant messaging apps in Russia and control its operations based on network connectivity. The spyware updates its configuration by checking for a specific file on a threat actor’s Yandex Disk every 30 seconds.

The harvested data is stored in encrypted form in an SQL database table, making it accessible only to the threat actor possessing the corresponding private RSA key for decryption.

LianSpy has the capability to bypass the privacy indicators introduced by Google in Android 12, avoiding the requirement for apps to display status bar icons for microphone and camera permissions.

“Developers of LianSpy have circumvented this protection by manipulating the Android secure setting parameter icon_blacklist to prevent notification icons from appearing in the status bar,” indicated Kalinin.

The malware utilizes a modified version of the su binary named “mu” to gain root access, indicating a potential delivery through an unknown exploit or physical access to the device.
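The two host-side indicators described above (the icon_blacklist secure setting and a binary named mu in a system path) can be triaged on an ADB-connected device with the helper below. This is an added example, not code from Kaspersky's report or from the malware; it assumes a stock user device normally has icon_blacklist unset and that a renamed su binary would sit in the usual system binary directories, and it falls back to constructed sample values when no device is attached.

```shell
#!/bin/sh
# Triage helper added for this article; not code from Kaspersky or LianSpy.
# Checks two indicators the report describes on an ADB-connected device:
#  1. the secure setting icon_blacklist, which LianSpy sets to hide the
#     Android 12 microphone/camera privacy indicators;
#  2. a binary named "mu" (the renamed su binary) in common system paths.
# Assumptions: a stock user device normally has icon_blacklist unset ("null"),
# and the directories searched for "mu" are those a su binary usually lives in.

# Exit 0 (suspicious) when icon_blacklist hides at least one status-bar slot.
# The hidden slot names are printed one per line for the analyst.
icon_blacklist_suspicious() {
    case "$1" in
        ""|null) return 1 ;;                      # unset: nothing hidden
    esac
    printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'
    return 0
}

# Exit 0 when a file named exactly "mu" appears in a newline-separated
# directory listing (the output of `ls` over the searched paths).
renamed_su_present() {
    printf '%s\n' "$1" | grep -qx 'mu'
}

# Collect from a device when adb is available; otherwise use constructed
# sample values so the script can be exercised offline.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    blacklist=$(adb shell settings get secure icon_blacklist | tr -d '\r')
    listing=$(adb shell 'ls /system/bin /system/xbin /sbin 2>/dev/null' | tr -d '\r')
else
    blacklist='rotate,camera,microphone'   # constructed sample, not a real capture
    listing=$(printf 'sh\nmu\ntoybox\n')   # constructed sample listing
fi

findings=0
if icon_blacklist_suspicious "$blacklist" >/dev/null; then
    echo "FINDING: icon_blacklist is set (status-bar slots hidden): $blacklist"
    findings=$((findings + 1))
fi
if renamed_su_present "$listing"; then
    echo "FINDING: binary named 'mu' found in a system binary directory"
    findings=$((findings + 1))
fi
echo "indicators matched: $findings"
```

A non-empty icon_blacklist is only a lead, not proof of infection: confirm which slots are hidden and who set them before drawing conclusions.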

Communication from LianSpy to the C2 server is unidirectional, with data transmission and configuration commands taking place through Yandex Disk. Credentials for Yandex Disk are updated from a hardcoded Pastebin URL that varies across different variants of the spyware.

LianSpy joins the growing list of spyware tools targeting mobile devices, leveraging zero-day vulnerabilities to compromise devices. It not only captures call logs and app lists but also carries out covert screen recording and evasion tactics through root privileges.

“The use of a renamed su binary suggests a secondary infection following an initial compromise,” warned Kalinin.
