An Android spyware called LianSpy has been targeting users in Russia since at least 2021; Kaspersky discovered it in March 2024. Instead of running its own servers, the malware uses Yandex Cloud for command-and-control (C2), which spares the operators dedicated infrastructure and lets the traffic blend in with legitimate cloud-service use.
LianSpy can capture screencasts, pull files, and collect call logs and lists of installed apps. How it is delivered is not known; Kaspersky assesses that it is most likely installed either through an unknown vulnerability or by someone with direct physical access to the device. On the device it masquerades as Alipay or as an Android system service.
On launch, LianSpy first checks whether it is running as a system app, in which case the privileges it needs are granted automatically; if not, it requests a broad set of permissions. It then verifies its environment, writes a persistent configuration, and hides its icon from the launcher.
Some variants also capture data from popular Russian messaging apps and can be configured to run only on specific network connections. The spyware refreshes its configuration by polling the operator's Yandex Disk every 30 seconds for a file whose name matches the regular expression “^frame_.+\\.png$”. Harvested data is written to an SQL database table as encrypted records, each tagged with its record type and SHA-256 hash; the encryption is keyed so that only an operator holding the corresponding RSA private key can decrypt the stolen information, so the data cannot be recovered from the device itself.
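The storage design described above is a standard hybrid-encryption pattern: each record gets a fresh symmetric key, that key is wrapped with the operator's RSA public key, and the private key never touches the device. The following is an added illustration written for this page, not code from LianSpy or from Kaspersky's analysis. It uses only the Python standard library, so two stand-ins are assumed and labelled: a textbook RSA (no padding, small keys) in place of a real RSA library, and HMAC-SHA256 in counter mode in place of AES. The record contents are constructed samples; the table columns (type, SHA-256 hash, ciphertext) follow the description on this page, the nonce and wrapped-key columns are this example's own additions.

```python
"""Hybrid-encrypted record table: type + SHA-256 hash + ciphertext per record,
per-record key wrapped under an RSA public key. Only the private-key holder
can decrypt. Added example for this page; not LianSpy's or Kaspersky's code."""
import hashlib
import hmac
import os
import random
import secrets
import sqlite3

# --- Toy RSA (textbook, unpadded), standard library only. Assumption: this
# stands in for a real RSA library and only illustrates the key asymmetry.

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top and low bit set
        if _is_probable_prime(candidate):
            return candidate

def rsa_keypair(bits: int = 512):
    """Return (public, private) as ((n, e), (n, d)). 512-bit keys keep the demo fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Assumption: HMAC-SHA256 counter mode stands in for AES. XOR is its own inverse."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)

def encrypt_record(public_key, record_type: str, plaintext: bytes) -> dict:
    """Encrypt one harvested record under a fresh key wrapped with the RSA public key."""
    n, e = public_key
    data_key, nonce = os.urandom(32), os.urandom(16)
    wrapped = pow(int.from_bytes(data_key, "big"), e, n)       # 256-bit key < 512-bit n
    return {
        "type": record_type,
        "sha256": hashlib.sha256(plaintext).hexdigest(),          # stored in the clear
        "nonce": nonce,
        "wrapped_key": wrapped.to_bytes((n.bit_length() + 7) // 8, "big"),
        "ciphertext": _keystream_xor(data_key, nonce, plaintext),
    }

def decrypt_record(private_key, row: dict) -> bytes:
    """Operator side: unwrap the key, decrypt, and verify the stored hash."""
    n, d = private_key
    key_int = pow(int.from_bytes(row["wrapped_key"], "big"), d, n)
    if key_int.bit_length() > 256:
        raise ValueError("integrity check failed: wrong private key")
    plaintext = _keystream_xor(key_int.to_bytes(32, "big"), row["nonce"], row["ciphertext"])
    if hashlib.sha256(plaintext).hexdigest() != row["sha256"]:
        raise ValueError("integrity check failed: wrong key or corrupted record")
    return plaintext

COLUMNS = ("type", "sha256", "nonce", "wrapped_key", "ciphertext")

def store_records(db: sqlite3.Connection, rows) -> None:
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, type TEXT, sha256 TEXT, "
               "nonce BLOB, wrapped_key BLOB, ciphertext BLOB)")
    db.executemany("INSERT INTO records (type, sha256, nonce, wrapped_key, ciphertext) "
                   "VALUES (?, ?, ?, ?, ?)", [tuple(r[c] for c in COLUMNS) for r in rows])

def load_records(db: sqlite3.Connection) -> list:
    return [dict(zip(COLUMNS, row)) for row in
            db.execute("SELECT type, sha256, nonce, wrapped_key, ciphertext FROM records")]

def demo() -> bool:
    """Round-trip constructed sample records through an in-memory SQLite table."""
    public, private = rsa_keypair()
    samples = [("call_log", b"2024-03-01 10:42 outgoing 00:03:17"),   # constructed
               ("app_list", b"org.telegram.messenger\ncom.whatsapp")]   # constructed
    db = sqlite3.connect(":memory:")
    store_records(db, [encrypt_record(public, t, p) for t, p in samples])
    # What a forensic examiner sees on the device: type, hash, ciphertext, no plaintext
    recovered = [(r["type"], decrypt_record(private, r)) for r in load_records(db)]
    return recovered == samples

if __name__ == "__main__":
    print("round trip ok:", demo())
```

The point the example makes for an analyst: with the public key only, the on-device table yields record types and hashes (useful for triage and for matching against known files) but no content, and a wrong private key fails the hash check rather than yielding garbage silently.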
LianSpy goes to considerable lengths to stay hidden. It suppresses the Android 12 privacy indicators for microphone and camera use by modifying system settings, and it obtains root through a modified "su" binary renamed "mu", which suggests a deliberate, controlled deployment on the target device.
There is no interactive C2 channel: communication is one-way. The malware uploads stolen data to, and reads its configuration from, Yandex Disk, using credentials fetched from a hard-coded Pastebin URL that differs between variants.
LianSpy joins a growing set of mobile surveillance tools, many of which rely on previously unknown vulnerabilities to get onto the device.