Cybersecurity researchers at Kaspersky have uncovered a previously unknown Android spyware called LianSpy. This sophisticated malware has been actively targeting Russian users since July 2021. LianSpy’s primary functions include capturing screencasts, exfiltrating user files, and harvesting call logs and app lists.
Evasion Techniques
LianSpy employs various evasion techniques to avoid detection:
- Using Yandex Disk, a Russian cloud service, for command and control (C2) communications
- Avoiding dedicated infrastructure to remain undetected
- Disguising itself as a legitimate app like Alipay or system services
- Bypassing Android 12’s privacy indicators by modifying settings
- Hiding notifications from background services
- Suppressing status bar notifications with specific phrases
Deployment and Initialization
The exact deployment method for LianSpy remains unclear, but researchers suspect it involves either an unknown vulnerability or direct physical access to the victim’s device. Upon installation, the spyware:
- Checks for system app status to obtain necessary permissions automatically
- Requests permissions for screen overlay, notifications, background activity, contacts, and call logs if not a system app
- Verifies it’s not being executed in a controlled environment
- Sets up its configuration with predefined values
- Stores configuration in SharedPreferences for persistence across reboots
Operational Mechanisms
Once activated, LianSpy:
- Hides its icon
- Registers a built-in broadcast receiver to receive system intents
- Triggers various malicious activities, including screen capturing and data exfiltration
- Updates its configuration by searching for specific files on the threat actor’s Yandex Disk every 30 seconds
Data Collection and Encryption
LianSpy stores collected data in an SQL table called Con001, which includes the data type and its SHA-256 hash. The encryption process involves:
- Generating an AES key using a secure pseudorandom number generator
- Encrypting the AES key with a hardcoded public RSA key
This approach ensures that only someone with the corresponding private RSA key can decrypt the stolen data.
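As an added illustration (not code from Kaspersky's report or from the implant itself), the hybrid scheme this section describes, written against Go's standard library: a fresh random AES key per record, wrapped with an RSA public key that is the only key material on the device. The Record layout, the function names, and the use of AES-GCM and RSA-OAEP with SHA-256 are assumptions; the report states only that AES and RSA are used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Record mirrors the Con001 fields the article names (data type and SHA-256 of
// the data) plus the sealed payload; the field layout is an assumption.
type Record struct {
	DataType          string
	SHA256            [32]byte
	WrappedKey        []byte // per-record AES key, encrypted to the RSA public key
	Nonce, Ciphertext []byte
}

// Seal is the device side: a fresh random AES key per record, AES-GCM over the
// data, RSA-OAEP with the embedded public key over the AES key. No private key here.
func Seal(pub *rsa.PublicKey, dataType string, plaintext []byte) (*Record, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	rand.Read(buf)             // crypto/rand: never returns an error since Go 1.24
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // 32-byte key: neither constructor can fail
	gcm, _ := cipher.NewGCM(block)
	return &Record{DataType: dataType, SHA256: sha256.Sum256(plaintext), WrappedKey: wrapped,
		Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(dataType))}, nil
}

// Open is the operator side: without the RSA private key the AES key, and so the
// record, stays opaque to anyone who pulls the database off the device.
func Open(priv *rsa.PrivateKey, r *Record) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, r.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // OAEP is authenticated, so key is always 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.DataType))
}
```

The data type doubles as GCM associated data, so a record whose type column was altered in the database no longer decrypts.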
Advanced Evasion and Exfiltration
LianSpy demonstrates advanced capabilities for evading detection and exfiltrating data:
- Capturing screenshots stealthily using the screencap command with root access
- Utilizing cloud and Pastebin services to obscure malicious activity
- Encrypting exfiltrated data to prevent victim identification
- Gaining root access through a modified su binary
Command and Control Infrastructure
Instead of using its own infrastructure, LianSpy relies on Yandex Disk for data exfiltration and for storing configuration commands. Communication with the C2 is unidirectional: the malware handles update checks and data exfiltration on its own, without receiving direct commands. Yandex Disk credentials can be updated via a hardcoded Pastebin URL, which may vary among malware variants.