Android Spyware LianSpy Evades Detection with Yandex Cloud


Discover how the new Android spyware LianSpy uses Yandex Cloud to evade detection, posing a significant threat to mobile security.

LianSpy, a previously unknown Android post-compromise malware, has targeted Russian users since at least 2021.

Kaspersky, a cybersecurity provider, identified the malware in March 2024. They noted its use of Yandex Cloud, a Russian cloud service, for command-and-control (C2) communication, which spares the operators from running dedicated infrastructure and helps the malware evade detection.

“This threat can capture screencasts, steal user files, and harvest call logs and app lists,” security expert Dmitry Kalinin said in a new technical paper published Monday.

It’s unclear how the malware spread, but the Russian cybersecurity provider suspects the attackers most likely used an undiscovered security hole or direct physical access to the target phone. The malicious applications masquerade as Alipay or as an Android system component.

Once started, LianSpy examines whether it is operating as a system program and operates in the background with administrator capabilities. If not, it requests a wide variety of permissions that let it view contacts, call records, and alerts, as well as create overlays on the screen.

It also checks whether it’s running in a debugging environment. Then it sets up a configuration that persists across reboots, after which it hides its icon from the launcher. Finally, it initiates activities such as taking screenshots, exfiltrating data, and updating its configuration to specify what types of information should be captured.

Some variants have been found to include options for gathering data from popular Russian instant messaging applications. Other settings allow or prevent the malware from running unless the device is connected to Wi-Fi or a mobile network.

“To upgrade the spyware configuration, LianSpy looks for a file matching the regular expression ^frame_.+\.png$ on a threat actor’s Yandex Disk every 30 seconds,” Kalinin told reporters. “If discovered, the file is downloaded to the application’s internal data path.”

The gathered data is encrypted and placed in an SQL database table, along with the kind of record and its SHA-256 hash. Only a threat actor holding the associated private RSA key can decrypt the stolen information.

LianSpy demonstrates its invisibility by bypassing Google’s privacy indicators feature. This feature forces programs seeking microphone and camera access to display a status bar icon.

“LianSpy programmers have managed to bypass this security measure by appending a casting value to the Android security setting parameter icon_blocklist, which stops notification icons from appearing in the status bar,” Kalinin told me.

“LianSpy hides notifications from the background services it calls by using the NotificationListenerService, which handles status bar notifications and can suppress them.”
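The two evasion details quoted above (the frame_*.png configuration files and the icon_blocklist secure setting) both leave artifacts a defender can check for during device triage. The following script is an added example written for this article, not code from Kaspersky or from the malware: it parses a constructed `settings list secure` dump for a non-empty icon_blocklist and scans a constructed file listing for names matching the quoted regular expression. The sample settings, the "cast" slot value, and the file names are constructed for illustration; on a real device the dump would come from `adb shell settings list secure` and the listing from the suspect app’s internal data directory.

```python
import re
from typing import Dict, List

# Regular expression the article quotes for LianSpy's configuration files on Yandex Disk.
CONFIG_FILE_RE = re.compile(r"^frame_.+\.png$")

# Constructed sample of `adb shell settings list secure` output (key=value per line).
# The icon_blocklist line mirrors the article's description of a cast value being
# appended to hide status-bar icons; the other lines are filler, not real device data.
SAMPLE_SECURE_SETTINGS = """\
android_id=0123456789abcdef
icon_blocklist=cast
location_mode=3
"""

# Constructed listing of an app's internal data directory (relative paths).
SAMPLE_APP_FILES = [
    "databases/records.db",
    "frame_20240301.png",
    "cache/tmp.bin",
    "frames.png",  # close but does not match: no underscore after "frame"
]


def parse_secure_settings(dump: str) -> Dict[str, str]:
    """Parse `settings list secure` style output into a dict of key -> value."""
    settings: Dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def blocked_status_icons(settings: Dict[str, str]) -> List[str]:
    """Return the status-bar icon slots hidden through the icon_blocklist secure setting.

    The setting is a comma-separated list. A non-empty value on a device the user
    never customised deserves a closer look, because the article describes LianSpy
    using it to keep the camera/microphone privacy indicators out of the status bar.
    """
    raw = settings.get("icon_blocklist", "")
    return [slot.strip() for slot in raw.split(",") if slot.strip()]


def config_like_files(filenames: List[str]) -> List[str]:
    """Return basenames that match the frame_*.png pattern quoted in the article."""
    hits: List[str] = []
    for path in filenames:
        name = path.rsplit("/", 1)[-1]
        if CONFIG_FILE_RE.match(name):
            hits.append(name)
    return hits


def triage(dump: str, filenames: List[str]) -> List[str]:
    """Run both checks and return human-readable findings (empty list means nothing found)."""
    findings: List[str] = []
    blocked = blocked_status_icons(parse_secure_settings(dump))
    if blocked:
        findings.append("icon_blocklist hides status-bar icons: " + ", ".join(blocked))
    files = config_like_files(filenames)
    if files:
        findings.append("files matching ^frame_.+\\.png$ in app data: " + ", ".join(files))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SECURE_SETTINGS, SAMPLE_APP_FILES):
        print(finding)
```

Neither check is proof of infection on its own: a power user may legitimately populate icon_blocklist, and the file pattern is only as specific as the sample Kaspersky analysed. Treat a hit as a reason to pull the app’s APK and database for closer inspection rather than as a verdict.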

Another sophisticated component of the malware is its use of the su binary, renamed “mu”, to obtain root access. This implies that it was likely delivered through a previously undiscovered vulnerability or through physical access to the device.

LianSpy’s goal of staying under the radar is also evident in that C2 interactions are unidirectional, with the malware receiving no incoming commands. Stolen data is uploaded to the Yandex Disk service, which also holds the configuration directives.

Yandex Disk credentials are updated via a hard-coded Pastebin URL that varies for every malware variant. Using reputable services adds another layer of deception and blurs attribution.

LianSpy is the newest addition to a growing range of spyware programs deployed against mobile devices, whether Android or iOS, by exploiting zero-day vulnerabilities.

“Beyond conventional espionage techniques like harvesting call logs and app lists, it uses root privileges for hidden screen recording and fraud,” according to Kalinin. “Its dependence on a renamed su binary suggests a second infection following an initial compromise.”

© 2024 Latest News in USA. All Rights Reserved