{"id":51923,"date":"2024-08-05T05:44:13","date_gmt":"2024-08-05T09:44:13","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=51923"},"modified":"2024-08-05T05:44:13","modified_gmt":"2024-08-05T09:44:13","slug":"new-spy-for-android-smartphones-lianspy","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/new-spy-for-android-smartphones-lianspy\/51923\/","title":{"rendered":"LianSpy: new mobile spyware for Android"},"content":{"rendered":"<p>Spyware is a dangerous tool that can be used to selectively monitor specific victims. Often the victims are employees in a single company, or residents in a single country. The new mobile spyware, which we discovered and dubbed LianSpy, targets \u2014 for now \u2014 users of Android smartphones in Russia, but the unconventional approaches it employs could potentially be applied in other regions as well. How it works and how to <a href=\"https:\/\/www.kaspersky.com\/mobile-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____da04049114cf37d2\" target=\"_blank\" rel=\"noopener nofollow\">guard against<\/a>\u00a0this new threat is the topic of this post.<\/p>\n<h2>What is LianSpy?<\/h2>\n<p>We discovered LianSpy in March 2024. However, our data indicates it\u2019s been active for at least three years \u2014 dating back to July 2021! How did LianSpy remain in the shadows for so long? The attackers meticulously cover their tracks. Upon launch, the malware hides its icon on the home screen and operates in the background using root privileges. This allows it to bypass Android status bar notifications, which would typically alert the victim that the smartphone is actively using the camera or microphone.<\/p>\n<p>LianSpy disguises itself as system applications and financial services. Interestingly, the attackers aren\u2019t interested in the victims\u2019 banking data. 
This spyware silently and discreetly monitors user activity by intercepting call logs, sending a list of installed applications to the attackers\u2019 server, and recording the smartphone\u2019s screen \u2014 mainly during messenger activity.<\/p>\n<h2>How does LianSpy work?<\/h2>\n<p>Unlike <a href=\"https:\/\/www.kaspersky.com\/blog\/triangulation-37c3-talk\/50166\/\" target=\"_blank\" rel=\"noopener nofollow\">other spyware<\/a> that exploits zero-click vulnerabilities, LianSpy requires some actions on the part of the victim. Upon launching, the malware checks if it has the necessary permissions to read contacts and call logs, and to use overlays. If not, it requests them. That done, it registers an Android Broadcast Receiver to get information about system events, enabling it to start or stop various malicious tasks.<\/p>\n<p>LianSpy uses root privileges in a rather unconventional way. <a href=\"https:\/\/www.kaspersky.com\/blog\/android-root-faq\/17135\/\" target=\"_blank\" rel=\"noopener nofollow\">Typically, they\u2019re used<\/a> to gain complete control over the device. However, in the case of LianSpy, the attackers make use of only a small part of the functionality available to superusers. Interestingly, the root privileges are used in a way that avoids detection by security solutions.<\/p>\n<p>LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices, or modified the firmware by gaining physical access to victims\u2019 devices. 
It remains unclear which vulnerability the attackers might have exploited in the former scenario.<\/p>\n<p>Another feature of LianSpy is its combined use of <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/symmetric-encryption\/\" target=\"_blank\" rel=\"noopener\">symmetric<\/a> (one key for both encrypting and decrypting information) and <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/asymmetric-encryption\/\" target=\"_blank\" rel=\"noopener\">asymmetric<\/a> (separate public and private keys) encryption. Before being stolen, the data is encrypted with a symmetric algorithm, the key for which is encrypted asymmetrically. Only the attacker possesses the private key. For more details about LianSpy functionality, see <a href=\"https:\/\/securelist.com\/lianspy-android-spyware\/113253\/\" target=\"_blank\" rel=\"noopener\">our Securelist post<\/a>.<\/p>\n<h2>Who\u2019s behind LianSpy?<\/h2>\n<p>Good question. The attackers only utilize public services, not private infrastructure, which makes it difficult to definitively determine which hacker group is behind these attacks on Android smartphone users in Russia. The paymaster\u2019s identity is also not known, but, as <a href=\"https:\/\/www.kaspersky.com\/blog\/commercial-spyware\/50813\/\" target=\"_blank\" rel=\"noopener nofollow\">global practice shows<\/a>, such sophisticated cyberespionage campaigns are often instigated by groups affiliated with a nation-state actor.<\/p>\n<h2>How to guard against spyware surveillance?<\/h2>\n<ul>\n<li><strong>Download apps only from official stores and catalogs<\/strong>, but keep in mind that <a href=\"https:\/\/www.kaspersky.com\/blog\/malware-in-google-play-2023\/49579\/\" target=\"_blank\" rel=\"noopener nofollow\">spyware can infiltrate even those<\/a>.<\/li>\n<li><strong>Update your operating system regularly<\/strong> \u2014 not all malware can adapt to new security features.<\/li>\n<li><strong>Use well-known apps from trusted developers<\/strong>. 
Avoid alternative clients for instant messengers and other services, as they may contain malicious code (read more about spyware mods for <a href=\"https:\/\/www.kaspersky.com\/blog\/whatsapp-mods-canesspy\/49656\/\" target=\"_blank\" rel=\"noopener nofollow\">WhatsApp<\/a>, <a href=\"https:\/\/www.kaspersky.com\/blog\/telegram-signal-malware-in-google-play\/48937\/\" target=\"_blank\" rel=\"noopener nofollow\">Telegram and Signal<\/a>).<\/li>\n<li><strong>Use <a href=\"https:\/\/www.kaspersky.com\/mobile-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____da04049114cf37d2\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky for Android<\/a><\/strong>\u00a0to detect spyware such as LianSpy in a timely manner.<\/li>\n<li><strong>If you still don\u2019t have <a href=\"https:\/\/www.kaspersky.com\/mobile-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2c_kdaily_wpplaceholder_sm-team___kisa____da04049114cf37d2\" target=\"_blank\" rel=\"noopener nofollow\">reliable protection<\/a><\/strong>, <a href=\"https:\/\/www.kaspersky.com\/blog\/tinycheck-detects-spyware-stalkerware\/38030\/#:~:text=How%20to%20find%20a%20mobile%20spy%20with%20TinyCheck\" target=\"_blank\" rel=\"noopener nofollow\">use TinyCheck<\/a>, a spyware detection tool.<\/li>\n<li><strong>Only grant applications the permissions they need to function.<\/strong><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>We found new spyware targeting Android smartphone 
owners.<\/p>\n","protected":false},"author":2739,"featured_media":51924,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2683],"tags":[105,43,714,768,723],"class_list":{"0":"post-51923","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-privacy","10":"tag-spyware","11":"tag-surveillance","12":"tag-trojans"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/new-spy-for-android-smartphones-lianspy\/51923\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/new-spy-for-android-smartphones-lianspy\/27853\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/new-spy-for-android-smartphones-lianspy\/23148\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/new-spy-for-android-smartphones-lianspy\/30497\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/new-spy-for-android-smartphones-lianspy\/28029\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/new-spy-for-android-smartphones-lianspy\/38018\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/new-spy-for-android-smartphones-lianspy\/28170\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/new-spy-for-android-smartphones-lianspy\/33960\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/new-spy-for-android-smartphones-lianspy\/33625\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ww
w.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2739"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=51923"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51923\/revisions"}],"predecessor-version":[{"id":51927,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/51923\/revisions\/51927"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/51924"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=51923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=51923"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=51923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}