CyberSecurity SEE

Sophisticated Android Spyware Targets Users in Russia


Researchers at Kaspersky have uncovered the existence of a previously unseen mobile spyware tool that has been used by an unknown threat actor — suspected to be state-sponsored — to spy on Android smartphone users for a period of at least three years. Known as LianSpy, this mobile spyware tool has primarily targeted individuals in Russia but could potentially be deployed in other regions as well, according to Kaspersky.

LianSpy operates as a post-exploitation Trojan, with attackers either exploiting vulnerabilities to gain root access to Android devices or modifying the firmware by physically accessing the victims’ devices. The specific vulnerabilities exploited in the former scenario remain uncertain, as highlighted by Dmitry Kalinin, a researcher at Kaspersky. This tactic aligns with the strategies employed by other well-known spyware tools such as NSO Group’s Pegasus Software and Intellexa alliance’s Predator, which have been used by governments and intelligence agencies to target dissidents and political opponents.

In the case of LianSpy, Kaspersky researchers first detected the spyware in March 2024 and confirmed that it had been in use since July 2021. The malware is distributed disguised as common system and financial applications, relying on user interaction to fulfill its functions. Once granted the necessary permissions, LianSpy registers as an Android Broadcast Receiver to monitor system events discreetly, using root privileges to operate in the background without raising suspicion.

The primary objective of LianSpy is to covertly collect user data by intercepting call logs, recording screen activity, and identifying installed applications on the compromised device. Interestingly, the threat actor behind LianSpy has opted to leverage public cloud platforms and pastebin services for communication and data storage, in particular using Yandex Disk to exfiltrate stolen data and issue configuration commands.

Unlike other spyware tools, LianSpy strategically minimizes its use of root privileges to avoid detection by security solutions, focusing on capturing instant message content for targeted data gathering. By using both symmetric and asymmetric encryption keys for data exfiltration, LianSpy ensures that victim identification becomes virtually impossible. The malware’s emphasis on stealth and evasion tactics, coupled with its long-term campaign focus and sophisticated data harvesting capabilities, signals a highly targeted and persistent threat to Android smartphone users.

As the prevalence of mobile spyware tools continues to rise, it is imperative for users to exercise caution when downloading applications and regularly update their devices to protect against potential exploitation of vulnerabilities. The evolving landscape of mobile espionage underscores the importance of ongoing research and collaboration among security experts to identify, analyze, and mitigate the risks posed by malicious actors seeking to compromise user privacy and security.
