Sophisticated Android Spyware Targets Users in Russia

Published: 23/11/2024   Category: security




Researchers say LianSpy malware has been in use in a covert data gathering operation that's gone undetected for at least three years.



An unknown — and likely state-sponsored — threat actor has been using a previously unseen mobile spyware tool to spy on an unknown number of Android smartphone users. This activity has been ongoing for at least three years, according to researchers.
Until now, the campaign has focused mainly on targeted individuals in Russia, according to researchers at Kaspersky, who are tracking the threat as LianSpy. But the tactics that the spyware operators used in deploying the malware could be easily applied in other regions as well, Kaspersky says.
LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices, or modified the firmware by gaining physical access to victims' devices, Kaspersky researcher Dmitry Kalinin wrote in a blog post this week. It remains unclear which vulnerability the attackers might have exploited in the former scenario.
LianSpy is the latest in a fast-growing list of spyware tools. The list includes widely deployed products such as the NSO Group's Pegasus software and the Intellexa alliance's Predator.
Researchers have discovered these malware instances targeting iPhone and Android smartphone users in recent years. The main purchasers — and users — of these tools are typically governments and intelligence agencies that want to spy on dissidents, political opponents and other persons of interest to them.
In many instances — as was the case with last year's Operation Triangulation iOS spyware campaign — the purveyors of mobile spyware tools have exploited zero-day flaws in Android and iOS to deliver and/or run their malware on target devices. In other instances, including one involving an Android spyware tool dubbed BadBazaar last year and another espionage tool dubbed SandStrike in 2022, threat actors have distributed spyware via fake versions of popular applications on official mobile app stores.
Kaspersky researchers first stumbled on LianSpy in March 2024 and quickly determined that the entity behind it has been using the spyware tool since July 2021. Their analysis reveals that the attackers are likely distributing the malware disguised as system applications and financial applications.
Unlike some so-called zero-click spyware tools, LianSpy's ability to function depends, to a certain extent, on user interaction. When launched, the malware first checks whether it has the permissions required to carry out its mission on the victim's device. If it does not, the malware prompts the user to grant them. Once LianSpy has the permissions, it registers what is known as an Android Broadcast Receiver to receive and respond to system events such as booting, low battery, and network changes. Kaspersky researchers found that LianSpy uses a superuser binary with a modified name (mu instead of su) to try to gain root access on a victim device. Kaspersky officials see this as an indication that the threat actor delivered the malware after first gaining access to the device another way.
Upon launch, the malware hides its icon on the home screen and operates in the background using root privileges, Kalinin wrote. This allows it to bypass Android status bar notifications, which would typically alert the victim that the smartphone is actively using the camera or microphone.
LianSpy's primary function is to quietly monitor user activity by intercepting call logs, recording the device screen (especially when the user is sending or receiving messages) and enumerating all installed apps on the victim device. The threat actor behind the malware has not used private infrastructure for communicating with the malware or storing harvested data. Instead, the attacker has been using public cloud platforms and pastebin services for these functions.
The threat actor leverages Yandex Disk for both exfiltrating stolen data and storing configuration commands. Victim data is uploaded into a separate Yandex Disk folder, Kaspersky said in a technical writeup on the malware.
One interesting aspect about LianSpy, according to Kaspersky, is how the malware uses its root privileges on a compromised device. Instead of using its superuser status to take complete control of a device, LianSpy uses just enough of the functionality available to carry out its mission in a quiet fashion. Interestingly, root privileges are used so as to prevent their detection by security solutions, the security vendor says. Kaspersky researchers also found LianSpy to be using both symmetric and asymmetric keys for encrypting the data it exfiltrates, which makes victim identification impossible.
Beyond standard espionage tactics like harvesting call logs and app lists, it leverages root privileges for covert screen recording and evasion, Kalinin said. Unlike financially motivated spyware, LianSpy's focus on capturing instant message content indicates a targeted data-gathering operation.
