
Yandex Cloud ensures stealth of LianSpy Android spyware


Attacks using the LianSpy Android spyware to exfiltrate user files, app lists, and call logs from Russian targets have gone undetected since 2021 because the malware relies on the Russian cloud service Yandex Cloud for command-and-control communications, The Hacker News reports.

Malicious apps posing as Alipay or as an Android system service have been used to distribute LianSpy, which, once executed, either uses admin privileges to keep running in the background or requests several permissions that grant broad device access, according to a report from Kaspersky. Besides checking whether it is running in a debugging environment, LianSpy updates its configuration to match the data it is set to exfiltrate from the targeted device, and stores that data encrypted in an SQL database. LianSpy also stays hidden by evading the Android 12 privacy indicators, using a modified su binary for root access, and keeping C2 communications unidirectional. "Beyond standard espionage tactics like harvesting call logs and app lists, it leverages root privileges for covert screen recording and evasion. Its reliance on a renamed su binary strongly suggests secondary infection following an initial compromise," said Kaspersky researcher Dmitry Kalinin.
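Two of the behaviours described above lend themselves to a simple defender-side triage pass over a device inventory: an app that holds device-admin rights while also requesting call-log or package-list access, and a setuid-root executable in a system binary directory whose name is not an expected one (a renamed su binary). The script below is an added example written for this article, not code from Kaspersky, SC Media or The Hacker News; the inventory format, the package names, the file entries and the set of "expected" setuid names are assumptions constructed for the example, and the permission pairing is this example's own heuristic, not a published detection rule.

```python
"""Defender-side triage heuristic over a constructed Android device inventory.

Added example for the LianSpy write-up; not code from Kaspersky, SC Media or
The Hacker News. It flags two behaviours the article describes:
  1. an app holding device-admin rights that also requests call-log or
     package-list access (admin privileges plus data harvesting);
  2. a setuid-root executable in a system binary directory whose name is not
     an expected one (a renamed su binary).
The inventory records, package names and file paths are constructed for this
example and are not indicators from the report.
"""
from dataclasses import dataclass
import stat

# Real Android permission strings; the pairing below is this example's heuristic.
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
HARVEST_PERMS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.QUERY_ALL_PACKAGES",
    "android.permission.PACKAGE_USAGE_STATS",
}
SYSTEM_BIN_DIRS = ("/system/bin", "/system/xbin", "/sbin", "/vendor/bin")
# Assumption for the example: only "su" is an expected setuid name on the
# builds being triaged; anything else with setuid-root in a system dir is odd.
EXPECTED_SETUID = {"su"}


@dataclass
class AppRecord:
    package: str
    permissions: set
    device_admin: bool = False


@dataclass
class FileRecord:
    path: str   # absolute path as reported by the inventory
    mode: int   # st_mode-style bits, e.g. 0o104755 for a setuid executable
    uid: int    # owner uid (0 == root)


@dataclass
class Finding:
    kind: str
    subject: str
    detail: str


def flag_admin_harvesters(apps):
    """Return findings for apps that hold device-admin plus a harvesting permission."""
    findings = []
    for app in apps:
        overlap = app.permissions & HARVEST_PERMS
        if app.device_admin and overlap:
            findings.append(Finding("admin+harvest", app.package, ", ".join(sorted(overlap))))
    return findings


def flag_renamed_setuid(files):
    """Return findings for setuid-root executables in system bin dirs with an unexpected name."""
    findings = []
    for f in files:
        in_sys = any(f.path.startswith(d + "/") for d in SYSTEM_BIN_DIRS)
        setuid_root = f.uid == 0 and bool(f.mode & stat.S_ISUID)
        name = f.path.rsplit("/", 1)[-1]
        if in_sys and setuid_root and name not in EXPECTED_SETUID:
            findings.append(Finding("unexpected-setuid", f.path, f"mode={oct(f.mode)}"))
    return findings


def triage(apps, files):
    """Run both heuristics and return the combined list of findings."""
    return flag_admin_harvesters(apps) + flag_renamed_setuid(files)


# Constructed sample inventory (not real device data and not IoCs from the report).
SAMPLE_APPS = [
    AppRecord("com.example.calculator", {"android.permission.INTERNET"}),
    AppRecord(
        "com.example.fakepay",
        {"android.permission.INTERNET",
         "android.permission.READ_CALL_LOG",
         "android.permission.QUERY_ALL_PACKAGES"},
        device_admin=True,
    ),
    AppRecord("com.example.mdm", {"android.permission.INTERNET"}, device_admin=True),
]
SAMPLE_FILES = [
    FileRecord("/system/bin/ls", 0o100755, 0),               # normal binary
    FileRecord("/system/xbin/su", 0o104755, 0),              # expected name, skipped
    FileRecord("/system/bin/example_renamed", 0o104755, 0),  # setuid root, odd name
    FileRecord("/data/local/tmp/tool", 0o104755, 0),         # outside system dirs
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_APPS, SAMPLE_FILES):
        print(f"[{finding.kind}] {finding.subject}: {finding.detail}")
```

On a real device the inventory would come from `pm list packages` output and a file-mode listing of the system directories; the heuristics deliberately stay coarse, since a legitimate MDM app also holds device-admin rights and only the combination with harvesting permissions is flagged.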
