Security researchers at Kaspersky have uncovered a new Android spyware campaign called LianSpy, which has been used for cyberespionage against targeted Android device users in Russia. The malware, dubbed “LianSpy,” has been in operation since July 2021, quietly harvesting sensitive data and employing advanced evasion techniques to remain undetected.
LianSpy is designed to capture screencasts, exfiltrate user files, and harvest call logs and app lists. The spyware leverages multiple evasive tactics, such as using the Russian cloud service Yandex Disk for command and control (C2) communications and avoiding dedicated infrastructure, to stay under the radar.
Notably, LianSpy’s developers use techniques suggesting the spyware may be deployed through an unknown vulnerability or direct physical access to the target device.
Upon installation, LianSpy first checks if it is running as a system app to gain automatic permissions. If not, it requests various permissions, including screen overlay and background activity. The spyware then verifies it’s not in a debugging environment before setting up its configuration using SharedPreferences, a local storage mechanism. This configuration persists across device reboots, with integer keys linked to specific spyware settings.
Once activated, LianSpy hides its icon and registers a built-in broadcast receiver to trigger malicious activities such as screen capturing via the media projection API and exfiltrating data. It updates its configuration by searching for specific files on Yandex Disk every 30 seconds, downloading and decrypting them using a hardcoded AES key.
Collected victim data is encrypted and stored in an SQL table named Con001. The encryption scheme involves generating an AES key with a secure pseudorandom number generator and encrypting this key with a hardcoded public RSA key. This robust encryption ensures that only the threat actor can decrypt the stolen data.
Advanced Stealth Features
LianSpy employs several sophisticated techniques to avoid detection:
- It masquerades as legitimate applications, such as the Alipay app or a system service.
- The spyware bypasses Android 12’s privacy indicators, which alert users when sensitive data is accessed.
- It hides notifications from background services using the NotificationListenerService, which processes and suppresses status bar notifications.
- LianSpy can take screenshots using the screencap system command, which is typically employed for debugging. This command leaves no trace of screenshot capture.
Moreover, LianSpy extensively uses legitimate cloud and pastebin services, making its web activity virtually undetectable. It encrypts exfiltrated data using a robust encryption scheme, ensuring victim identification remains impossible even if Yandex Disk credentials are compromised. The malware also uses a renamed su binary to gain root access, indicating it may be delivered through an unknown exploit or physical access.
Infrastructure and Victimology
LianSpy has no private infrastructure, relying entirely on Yandex Disk for data exfiltration and configuration updates. Its communication with the C2 server is unidirectional, with no incoming commands. Yandex Disk credentials can be updated from a hardcoded pastebin URL, which varies across different malware variants.
The spyware’s use of Russian phrases in notification filters and configurations for popular Russian messaging apps suggests it specifically targets Russian users. Telemetry data from cybersecurity researchers supports this, indicating that Russian users have been victims of LianSpy attacks.
LianSpy is a significant threat due to its advanced capabilities and sophisticated evasion techniques. Unlike financially motivated spyware, it focuses on capturing instant message content, indicating a targeted data-gathering operation. The threat actor has complicated attribution efforts by exclusively using legitimate platforms like Yandex Disk and pastebin services.
Cybersecurity experts will continue to monitor this novel Android threat for related activities and potential new developments.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.