New Android Spyware LianSpy Evades Detection Using Yandex Cloud

Aug 06, 2024Ravie LakshmananAndroid / Malware

Users in Russia have been the target of a previously undocumented Android post-compromise spyware called LianSpy since at least 2021.

Cybersecurity vendor Kaspersky, which discovered the malware in March 2024, noted its use of Yandex Cloud, a Russian cloud service, for command-and-control (C2) communications as a way to avoid having a dedicated infrastructure and evade detection.

“This threat is equipped to capture screencasts, exfiltrate user files, and harvest call logs and app lists,” security researcher Dmitry Kalinin said in a new technical report published Monday.

It’s currently not clear how the spyware is distributed, but the Russian company said it’s likely deployed through either an unknown security flaw or direct physical access to the target phone. The malware-laced apps are disguised as Alipay or an Android system service.

Cybersecurity

LianSpy, once activated, determines if it’s running as a system app to operate in the background using administrator privileges, or else requests a wide range of permissions that allow it to access contacts, call logs, and notifications, and draw overlays atop the screen.

It also checks if it’s executing in a debugging environment to set up a configuration that persists across reboots, followed by hiding its icon from the launcher and trigger activities such as taking screenshots, exfiltrating data, and updating its configuration to specify what kinds of information needs to be captured.

In some variants, this has been found to include options to gather data from instant messaging apps popular in Russia as well as allow or prohibit running the malware only if it’s either connected to Wi-Fi or a mobile network, among others.

“To update the spyware configuration, LianSpy searches for a file matching the regular expression “^frame_.+\.png$” on a threat actor’s Yandex Disk every 30 seconds,” Kalinin said. “If found, the file is downloaded to the application’s internal data directory.”

The harvested data is stored in encrypted form in an SQL database table, specifying the type of record and its SHA-256 hash, such that only a threat actor in possession of the corresponding private RSA key can decrypt the stolen information.

Where LianSpy showcases its stealth is in its ability to bypass the privacy indicators feature introduced by Google in Android 12, which requires apps requesting for microphone and camera permissions to display a status bar icon.

“LianSpy developers have managed to bypass this protection by appending a cast value to the Android secure setting parameter icon_blacklist, which prevents notification icons from appearing in the status bar,” Kalinin pointed out.

“LianSpy hides notifications from background services it calls by leveraging the NotificationListenerService that processes status bar notifications and is able to suppress them.”

Another sophisticated aspect of the malware entails the use of the su binary with a modified name “mu” to gain root access, raising the possibility that it’s likely delivered through a previously unknown exploit or physical device access.

Cybersecurity

LianSpy’s emphasis on flying under the radar is also evidenced in the fact that C2 communications are unidirectional, with the malware not receiving any incoming commands. The Yandex Disk service is used for both transmitting stolen data and storing configuration commands.

Credentials for Yandex Disk are updated from a hard-coded Pastebin URL, which varies across malware variants. The use of legitimate services adds a layer of obfuscation, effectively clouding attribution.

LianSpy is the latest addition to a growing list of spyware tools, which are often delivered to target mobile devices – be it Android or iOS – by leveraging zero-day flaws.

“Beyond standard espionage tactics like harvesting call logs and app lists, it leverages root privileges for covert screen recording and evasion,” Kalinin said. “Its reliance on a renamed su binary strongly suggests secondary infection following an initial compromise.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.