
Novel LianSpy spyware targets Android users in Russia


A new spyware strain called LianSpy has been active since at least July 2021 and primarily targets Android users in Russia. It relies on covert operation and unconventional techniques rather than zero-day flaws, depending instead on user interaction, which the researchers say makes it much harder to mitigate.

LianSpy emerged on the cybersecurity radar in March 2024, although evidence suggests its presence as far back as three years earlier. This spyware is designed to evade detection through stealth and obfuscation.

Researchers observed that LianSpy hides its icon from the home screen and operates silently in the background with root privileges. This allows it to bypass standard Android notifications that normally alert users when the camera or microphone is in use.

“The new mobile spyware, which we discovered and dubbed LianSpy, targets — for now — users of Android smartphones in Russia, but the unconventional approaches it employs could potentially be applied in other regions as well,” researchers explained.

The spyware masquerades as a legitimate system or financial application, though it does not appear to target banking information. Instead, LianSpy focuses on surveillance: intercepting call logs, compiling lists of installed applications, and capturing screen activity, particularly while messaging apps are in use.

Unlike many modern spyware tools that exploit zero-click vulnerabilities, LianSpy requires user interaction for installation. Upon activation, it checks for and requests necessary permissions, such as access to contacts and call logs and the ability to create overlays.

It then uses these permissions to monitor system events and execute its malicious tasks. Researchers have also observed that LianSpy unconventionally employs root privileges. Rather than exploiting these privileges for complete device control, it uses a minimal subset of capabilities to avoid detection by security solutions.

This suggests a high level of sophistication and an understanding of Android’s security mechanisms.

Although researchers could not pinpoint the exact threat actor behind LianSpy, the underlying tactics suggest the involvement of a nation-state actor.

Researchers have categorised the spyware as a post-exploitation Trojan, implying that the attackers either leveraged existing vulnerabilities to gain root access or physically altered the firmware on the victims’ devices. However, they have yet to reveal the exact method used.

“LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices or modified the firmware by gaining physical access to victims’ devices. It remains unclear which vulnerability the attackers might have exploited in the former scenario,” researchers noted.

Additionally, researchers found that LianSpy uses a dual-layer encryption strategy. Stolen data is first encrypted with a symmetric key, and that symmetric key is then encrypted with an asymmetric key pair. Only the attackers hold the private key needed to decrypt the data, so the exfiltrated information cannot be read by anyone who intercepts it.

At present, researchers are unsure about the exact perpetrators behind LianSpy. The spyware relies on public services for its operations, avoiding the use of private infrastructure that could provide more clues about the attackers’ identity.

But, given the spyware’s sophistication and tactics, researchers believe it could be the work of someone with access to considerable resources, possibly a state actor.

To counter LianSpy, cybersecurity experts have advised users to download apps only from official stores, keep their Android operating system updated, avoid third-party clients for popular apps, and run antivirus software on their smartphones.

After a two-year gap, a new variant of Mandrake spyware appeared on the Google Play Store in late July 2024.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me