
LianSpy: A New Spyware Threat Targeting Android Users in Russia

by Harikrishnan A
August 18, 2024
in Business, Markets, News, Tech, Trending, World

Cybersecurity experts have uncovered a new type of spyware, named LianSpy, that specifically targets Android smartphones in Russia. This malware stealthily embeds itself on devices, operating under the guise of a legitimate app while secretly stealing sensitive information and monitoring user activity. While its primary focus is on Russian users, the techniques used by LianSpy could easily be adapted to target Android devices elsewhere.

A Deceptive and Targeted Approach

LianSpy stands out for its targeted approach, unlike broader malware campaigns. It zeroes in on specific individuals or groups, likely within certain organizations or regions. Since its emergence in July 2021, its sophisticated evasion methods have kept it under the radar for more than three years.

Kaspersky, a leading cybersecurity firm, has provided insights into LianSpy’s operations. The malware disguises itself as either an Alipay app or a system service, thereby evading detection. Once installed, it gains root access to the device, enabling it to capture screenshots, steal files, and collect call logs.

Evasion Techniques and Operational Stealth

LianSpy employs several advanced techniques to avoid detection. It uses a modified “su” binary to gain root privileges, which are essential for its malicious activities. This reliance on a modified binary suggests that the malware might be delivered through unknown exploits or physical access to the device.

The malware also circumvents Android’s ‘Privacy Indicators’ feature, which alerts users when apps record screens or activate cameras or microphones. By manipulating system settings, LianSpy blocks these notifications, leaving users unaware of the ongoing surveillance.

How LianSpy Operates

Upon installation, LianSpy presents itself as a system service or an Alipay app, making it difficult to spot. It requests or automatically grants itself permissions for screen overlays, notifications, contacts, call logs, and background activities. This allows it to operate discreetly, gathering and sending data without alerting the user.

LianSpy avoids detection by not running in environments that might expose it, such as those monitored by analysts. It stores its configuration on Yandex Disk and maintains this data locally, ensuring its persistence across device reboots.

Data Collection and Security Measures

The spyware selectively targets specific apps and activities. It uses the media projection API to take screenshots of popular applications like WhatsApp, Chrome, Telegram, Facebook, Instagram, Gmail, Skype, Vkontakte, Snapchat, and Discord. This selective data collection reduces the risk of detection, as it activates only when users engage with these apps.

The stolen data is encrypted with AES within an SQL table named ‘Con001’ before being exfiltrated to Yandex Disk. It is encrypted with a private RSA key, ensuring that only the attackers can access it.

Unlike other malware that frequently communicates with control servers, LianSpy operates with significant autonomy. It does not receive direct commands or updates but checks for configuration changes approximately every 30 seconds. These updates, stored as substrings in the configuration data, dictate the malware’s activities on the infected device.

Suppressing Notifications and Targeting Demographics

One of LianSpy’s notable features is its ability to suppress notifications that could reveal its presence. It uses ‘NotificationListenerService’ to block alerts with phrases like “using battery” or “running in the background,” which are typically associated with suspicious activity. The inclusion of both English and Russian phrases suggests that the primary targets are Russian-speaking users.
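A defender can audit which components hold notification-listener access on a device. The following is an added example, not code from the article or from Kaspersky: it parses the value of Android's `enabled_notification_listeners` secure setting and flags listeners outside an allowlist. The package names, the sample values, and the extra check of the `icon_blacklist` setting for hidden capture icons are assumptions made for illustration.

```python
# Constructed allowlist of packages the device owner expects as listeners.
EXPECTED_LISTENER_PACKAGES = {"com.example.launcher", "com.example.wearable"}

# Status-bar slots tied to capture activity (assumed slot names).
CAPTURE_SLOTS = {"cast", "camera", "microphone"}

# Constructed sample values, as `adb shell settings get secure <key>` prints them.
SAMPLE_LISTENERS = ("com.example.launcher/.NotifService:"
                    "com.example.sysservice/.NListener")
SAMPLE_ICON_BLACKLIST = "rotate,cast"


def parse_listeners(setting_value):
    """Split the colon-separated 'package/class' list into (package, class)."""
    pairs = []
    for component in (setting_value or "").split(":"):
        component = component.strip()
        if not component or component == "null":  # unset setting prints "null"
            continue
        package, _, cls = component.partition("/")
        if cls.startswith("."):  # leading '.' is relative to the package
            cls = package + cls
        pairs.append((package, cls))
    return pairs


def audit(listeners_value, icon_blacklist_value):
    """Return findings for unexpected listeners and hidden capture icons."""
    findings = []
    for package, cls in parse_listeners(listeners_value):
        if package not in EXPECTED_LISTENER_PACKAGES:
            findings.append(("unexpected_listener", package, cls))
    hidden = {s.strip() for s in (icon_blacklist_value or "").split(",")}
    for slot in sorted(hidden & CAPTURE_SLOTS):
        findings.append(("hidden_indicator", slot, None))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTENERS, SAMPLE_ICON_BLACKLIST):
        print(finding)
```
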

Command and Control Functions

LianSpy uses a series of substrings to manage its functions, such as enabling or disabling data collection, screen captures, and monitoring based on network connections. Below are some of the key commands:

– *con+ : Enable contact list collection
– *clg+ : Enable call log collection
– *app+ : Enable collection of installed apps
– *rsr+ : Schedule screenshot capture
– *nrs+ : Enable screen recording
– *wif+ : Allow operation on Wi-Fi
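For incident response, a configuration string recovered from a device can be decoded against the substrings listed above to see which collection features were switched on. This is an added example, not the malware's or Kaspersky's code. The token shape (`*` plus three lowercase letters plus a sign), the `-` form meaning "disable", the last-occurrence-wins rule, and the sample string are assumptions.

```python
import re

# Enable tokens exactly as listed in the article.
KNOWN_ENABLE = {
    "*con+": "contact list collection",
    "*clg+": "call log collection",
    "*app+": "installed apps collection",
    "*rsr+": "scheduled screenshot capture",
    "*nrs+": "screen recording",
    "*wif+": "operation on Wi-Fi",
}

# Assumed token shape: '*', three lowercase letters, then '+' or '-'.
TOKEN_RE = re.compile(r"\*[a-z]{3}[+-]")

# Constructed sample configuration, with noise between tokens.
SAMPLE_CONFIG = "x1*con+*clg-;;*rsr+ *zzz+ *con-"


def decode_config(blob):
    """Return (state, unknown): state maps each known feature to True/False,
    unknown lists tokens that match the shape but are not in the table."""
    state = {}
    unknown = []
    for token in TOKEN_RE.findall(blob):
        enable_form = token[:-1] + "+"
        if enable_form in KNOWN_ENABLE:
            # Assumption: a later token overrides an earlier one.
            state[KNOWN_ENABLE[enable_form]] = token.endswith("+")
        elif token not in unknown:
            unknown.append(token)  # keep for manual review
    return state, unknown


if __name__ == "__main__":
    features, unrecognised = decode_config(SAMPLE_CONFIG)
    for name, enabled in features.items():
        print(f"{name}: {'enabled' if enabled else 'disabled'}")
    print("unrecognised tokens:", unrecognised)
```
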

The emergence of LianSpy underscores the growing sophistication of mobile spyware and its threat to Android users. While it currently targets Russian users, the adaptable techniques could pose a risk to a broader audience. Android users worldwide should stay vigilant, keep their devices updated, and be cautious about unfamiliar apps.

Tags: Cybersecurity, LianSpy, Russia