LianSpy: new Android spyware targeting Russian users

In March 2024, we discovered a campaign targeting individuals in Russia with previously unseen Android spyware we dubbed LianSpy. Our analysis indicates that the malware has been active since July 2021. This threat is equipped to capture screencasts, exfiltrate user files, and harvest call logs and app lists. The malicious actor behind LianSpy employs multiple evasive tactics, such as leveraging a Russian cloud service, Yandex Disk, for C2 communications. They also avoid using dedicated infrastructure and employ a number of other techniques to keep the spyware undiscovered. Some of these features suggest that LianSpy is most likely deployed through either an unknown vulnerability or direct physical access to the target phone.


Technical details


Initially, LianSpy determines if it is running as a system app, which automatically receives the permissions it needs. Otherwise, it requests permissions for screen overlay, notifications, background activity, contacts, call logs, etc. Once authorized, the spyware verifies it’s not running in a debugging environment. If the environment is free from debugger artifacts, LianSpy sets up its configuration with predefined values and stores this data as a collection of key-value pairs locally using SharedPreferences, an app data storage mechanism generally used for storing application settings. This configuration persists across device reboots and uses integer keys linked to specific spyware settings in SharedPreferences. A detailed list of configuration parameters, including descriptions and default values, is provided below.


| ID (key) | Description | Default value |
|---|---|---|
| 100 | Is first launch | false |
| 110 | Allow to run if connected to Wi-Fi | true |
| 111 | Allow to run if connected to mobile network | true |
| 113 | Threat actor’s Yandex ID | REDACTED |
| 115 | Threat actor’s Yandex Disk OAuth token | REDACTED |
| 121 | Collect list of installed applications on target device | true |
| 123 | Collect call logs | true |
| 124 | Collect contact list | true |
| 128 | Take screenshots as root with screencap binary | false |
| 136 | Captur .. | |
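As an added forensic-triage example (not code from the original report), the snippet below parses a SharedPreferences XML file of the kind LianSpy writes and checks it against the integer-keyed configuration listed above, reporting which known keys are present and which deviate from their documented defaults. The sample file and the credential placeholders are constructed; the key-to-description mapping comes from the table.

```python
import xml.etree.ElementTree as ET
# LianSpy config keys and defaults from the table above; 113/115 have no default, they hold operator credentials.
LIANSPY_KEYS = {
    "100": ("Is first launch", False),
    "110": ("Allow to run if connected to Wi-Fi", True),
    "111": ("Allow to run if connected to mobile network", True),
    "113": ("Threat actor's Yandex ID", None),
    "115": ("Threat actor's Yandex Disk OAuth token", None),
    "121": ("Collect list of installed applications", True),
    "123": ("Collect call logs", True),
    "124": ("Collect contact list", True),
    "128": ("Take screenshots as root with screencap binary", False),
}

def parse_shared_prefs(xml_text):
    """Parse an Android SharedPreferences XML file into {name: python value}."""
    prefs = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name")
        if el.tag == "boolean":
            prefs[name] = el.get("value") == "true"
        elif el.tag in ("int", "long"):
            prefs[name] = int(el.get("value"))
        elif el.tag == "string":
            prefs[name] = el.text or ""
    return prefs

def triage(prefs):
    """Return (known keys present, findings for non-default values or stored credentials)."""
    matched = [k for k in LIANSPY_KEYS if k in prefs]
    findings = []
    for k in matched:
        desc, default = LIANSPY_KEYS[k]
        if default is None:
            findings.append(f"{k} ({desc}): value present, {len(str(prefs[k]))} chars")
        elif prefs[k] != default:
            findings.append(f"{k} ({desc}): {prefs[k]} (default {default})")
    return matched, findings

# Constructed sample in SharedPreferences layout; credential values are placeholders, not real artefacts.
SAMPLE_PREFS = """<map>
    <boolean name="100" value="false" />
    <boolean name="111" value="false" />
    <string name="113">YANDEX_ID_PLACEHOLDER</string>
    <string name="115">OAUTH_TOKEN_PLACEHOLDER</string>
    <boolean name="128" value="true" />
    <int name="999" value="7" />
</map>"""
```

Run `triage(parse_shared_prefs(SAMPLE_PREFS))` on a real dump pulled from the suspect package's shared_prefs directory; unknown keys such as 999 are parsed but ignored by the triage step.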
