LianSpy Android Spyware Discovered Targeting Russian Users
Experts from Kaspersky Lab have identified a new spyware trojan called LianSpy, which is being used in a cyber-espionage campaign specifically targeting Android device owners in Russia. According to researchers, this campaign has been ongoing for several years, likely since July 2021, and continues to pose a threat.
“Given that key phrases for notification filtering are partially written in Russian, and some standard LianSpy configurations include package names of messengers popular among Russian users, we believe this spyware is aimed at users in Russia,” the specialists report.
Capabilities and Features of LianSpy
According to the report, LianSpy can:
- Record the device’s screen when certain apps (mainly messengers) are opened
- Steal user documents
- Save call log data
- Collect lists of installed applications
Notably, the attackers are not interested in victims’ financial information.
The cybercriminals behind this malware operate covertly: instead of their own infrastructure, they use Yandex Disk as a command-and-control server and employ various methods to avoid detection.
Infection Methods and Technical Details
Researchers suggest that LianSpy is most likely installed on victims’ devices either by exploiting an unknown vulnerability or through physical access to the phone.
“The malware uses a binary file named su, required for obtaining root access, but with a modified name. The analyzed malware samples try to find a binary file called mu in standard su directories. This is likely an attempt to hide the fact that root privileges have been activated on the victim’s device. Such reliance on a modified binary suggests that the spyware is delivered as a result of exploiting an unknown vulnerability or via physical access to the victim’s phone,” the researchers explain.
When launched, the malicious app checks if it is running as a system app—in which case, the necessary permissions are granted automatically. Otherwise, the malware requests permissions to display over other apps, access notifications, run in the background, and access contacts and call logs.
After starting, LianSpy hides its icon and runs in the background to avoid detection, then actively uses superuser (root) privileges to gain full control over the device and conceal its activity.
Bypassing Android Security and Communication Methods
LianSpy can bypass Android notifications that indicate when the camera or microphone is in use—for example, it disables the status bar icon that appears during screen recording. It also hides notifications from background services using the NotificationListenerService, which processes and can remove notifications from the status bar.
To update its configuration, LianSpy checks Yandex Disk every 30 seconds for a file matching the regular expression ^frame_.+\.png$. If found, the file is downloaded to the app’s internal data directory. The malware then decrypts the overlay (data written after the payload) in the downloaded file using a hardcoded AES key. The configuration updater then searches the decrypted payload for strings that modify LianSpy’s configuration.
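A defender-side check for the carrier format described above, written as an added example for this article rather than taken from Kaspersky's report or the malware itself: it walks a PNG's chunk list and reports any bytes appended after the IEND chunk, which is where an overlay of the kind the researchers describe would sit. The filename pattern is the one quoted above; the tiny PNG built inline is constructed sample input, and no decryption is attempted since the key is not public.

```python
import re
import struct
import zlib
from typing import Optional

# Filename pattern the article gives for the configuration carrier files.
FRAME_NAME_RE = re.compile(r"^frame_.+\.png$")

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_overlay(data: bytes) -> Optional[bytes]:
    """Walk the PNG chunk list and return the bytes that follow the IEND chunk.

    Returns None if the data is not a structurally valid PNG. Empty bytes mean
    the image is clean; non-empty bytes mean something was appended after it.
    """
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # 8-byte header + payload + 4-byte CRC
        if end > len(data):
            return None  # truncated chunk: not a well-formed PNG
        if ctype == b"IEND":
            return data[end:]
        pos = end
    return None  # no IEND chunk found


def is_suspicious_frame(name: str, data: bytes) -> bool:
    """Flag a file whose name matches the carrier pattern and which has an overlay."""
    overlay = png_overlay(data)
    return bool(FRAME_NAME_RE.match(name)) and bool(overlay)


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Construct a 1x1 RGB PNG as sample input (constructed here, not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    raw = b"\x00" + b"\x00\x00\x00"  # filter byte + one black pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")
```

Running the check over an app's internal data directory would surface carrier files to inspect further; a clean PNG yields an empty overlay, so only files with trailing data are flagged.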
Interestingly, apart from configuration updates, communication between the command server and LianSpy is one-way: the malware does not receive any other commands from Yandex Disk. Depending on its configuration, the malware searches for updates and steals data.
The Yandex Disk credentials are updated from a specific Pastebin page, which may vary between different versions of the malware.
Unusual Techniques and Attribution Challenges
LianSpy uses techniques uncommon for mobile spyware. For example, it employs a combination of symmetric and asymmetric encryption and does not use any private infrastructure—only public services. According to researchers, this makes it difficult to attribute the campaign to any particular attacker group.
Additionally, the trojan uses root privileges in a non-standard way to hide the fact that privileges have been escalated. This suggests the malware is intended for post-exploitation, meaning it is activated after vulnerabilities have already been exploited.
Experts conclude that this threat does not resemble any other current campaigns targeting Russian users.