LianSpy Mobile Spyware
Since at least 2021, users in Russia have been targeted by a previously undocumented Android post-compromise spyware known as LianSpy. Cybersecurity researchers uncovered this malware in March 2024. They highlighted its use of Yandex Cloud, a Russian cloud service, for Command-and-Control (C2) communications, which lets it avoid dedicated infrastructure and evade detection. LianSpy is capable of capturing screencasts, exfiltrating user files, and harvesting call logs and app lists.
The distribution method of this spyware remains unclear, but researchers suggest it is likely deployed through either an unknown security flaw or direct physical access to the target phone. The malware-laced applications are disguised as Alipay or an Android system service.
How Does the LianSpy Spyware Operate?
Once activated, LianSpy determines if it is running as a system app to operate in the background with administrator privileges. If not, it requests a wide range of permissions to access contacts, call logs, notifications, and draw overlays on the screen.
The spyware also checks if it is executing in a debugging environment to set up a configuration that persists across reboots. It then hides its icon from the launcher and triggers activities, such as taking screenshots, exfiltrating data and updating its configuration to specify the types of information to capture.
In some variants, LianSpy includes options to gather data from popular instant messaging applications in Russia and to control whether the malware runs only when connected to Wi-Fi or a mobile network, among other settings.
To update its configuration, LianSpy checks a threat actor's Yandex Disk every 30 seconds for a file whose name matches the regular expression '^frame_.+.png$'. If found, the file is downloaded to the application's internal data directory.
The Stealth Capabilities of the LianSpy Spyware
The harvested data is encrypted and stored in an SQL database table, which records the type of data and its SHA-256 hash. Only a threat actor with the corresponding private RSA key can decrypt this stolen information.
LianSpy demonstrates its stealth by circumventing the privacy indicators feature introduced in Android 12, which requires applications requesting microphone and camera permissions to display a status bar icon.
The developers of LianSpy bypass this protection by appending the value 'cast' to the Android secure setting 'icon_blacklist', which prevents the corresponding notification icons from appearing in the status bar. Additionally, LianSpy hides notifications from the background services it invokes by using a 'NotificationListenerService' to intercept and suppress status bar notifications.
Threat Actors Increasingly Take Advantage of Legitimate Services
A sophisticated feature of LianSpy involves using the 'su' binary, renamed to 'mu,' to gain root access. This indicates that the malware is likely delivered through either an unknown exploit or physical access to the device.
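As an added defender-side example, not code from the article or from the researchers it describes, the following Python audit helper turns three observables mentioned above into checks a forensic examiner could run over a device's settings and file listing: the 'frame_*.png' configuration file name pattern in app-private storage, an 'icon_blacklist' secure setting containing 'cast', and a 'mu' binary sitting in a typical su directory. The su directories, the package name and the file paths in the sample input are constructed assumptions, not indicators from the page.

```python
import re

# Configuration file name pattern quoted in the article. "\." is used so the
# dot matches a literal ".png" extension rather than any character.
FRAME_CONFIG_RE = re.compile(r"^frame_.+\.png$")
# Per-app internal data roots on Android; frame_*.png is dropped there.
APP_DATA_ROOTS = ("/data/data/", "/data/user/")
# Icon slot whose presence in the secure setting icon_blacklist hides it;
# "cast" is the value the article says LianSpy appends.
SUPPRESSED_ICON = "cast"
# Renamed su binary from the article; the directories are an assumption
# about where a root binary is typically found, not taken from the page.
RENAMED_SU = "mu"
SU_DIRS = ("/system/bin", "/system/xbin", "/sbin", "/vendor/bin")


def icon_blacklist_hides_indicator(value: str) -> bool:
    """True if the comma-separated icon_blacklist value contains 'cast'."""
    return SUPPRESSED_ICON in {e.strip() for e in value.split(",")}


def find_frame_configs(paths):
    """Paths inside app-private storage whose name matches frame_*.png."""
    return [p for p in paths
            if p.startswith(APP_DATA_ROOTS)
            and FRAME_CONFIG_RE.match(p.rsplit("/", 1)[-1])]


def find_renamed_su(paths):
    """Paths that look like a 'mu' binary placed in a typical su directory."""
    return [p for p in paths
            if p.rsplit("/", 1)[-1] == RENAMED_SU
            and p.rsplit("/", 1)[0] in SU_DIRS]


def audit(secure_settings: dict, file_listing) -> list:
    """Run all three checks and return human-readable findings."""
    findings = []
    bl = secure_settings.get("icon_blacklist", "")
    if icon_blacklist_hides_indicator(bl):
        findings.append(f"privacy indicator hidden via icon_blacklist={bl!r}")
    findings += [f"possible LianSpy config: {p}" for p in find_frame_configs(file_listing)]
    findings += [f"renamed su binary: {p}" for p in find_renamed_su(file_listing)]
    return findings


# Constructed sample input standing in for `settings get secure icon_blacklist`
# and a recursive file listing from a device under examination.
SAMPLE_SETTINGS = {"icon_blacklist": "rotate,cast,headset"}
SAMPLE_FILES = [
    "/data/data/com.example.svc/files/frame_1720000000.png",  # flagged
    "/data/data/com.example.svc/files/frame_.png",             # ".+" needs 1+ chars
    "/sdcard/DCIM/frame_holiday.png",                          # outside app data
    "/system/xbin/mu",                                         # flagged
    "/system/bin/mount",                                       # benign
]

if __name__ == "__main__":
    for line in audit(SAMPLE_SETTINGS, SAMPLE_FILES):
        print(line)
```

A match on any one check is a lead for manual review, not proof of infection: the icon_blacklist setting can be changed legitimately, so confirm by also checking which package holds notification-listener and overlay permissions.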
LianSpy also emphasizes stealth by implementing unidirectional Command-and-Control (C2) communications, meaning the malware does not receive incoming commands. It uses Yandex Disk for both transmitting harvested data and storing configuration commands.
Credentials for Yandex Disk are updated via a hard-coded Pastebin URL, which varies between malware variants. Utilizing legitimate services adds an extra layer of obfuscation, complicating attribution.
LianSpy is the latest entry in a growing array of spyware tools that target mobile devices, both Android and iOS, by exploiting zero-day vulnerabilities. In addition to standard espionage tactics like collecting call logs and application lists, it uses root privileges for covert screen recording and evasion. The reliance on a renamed 'su' binary suggests it is a secondary infection following an initial compromise.