New Android Spyware LianSpy Evaded Detection for Years
Kaspersky Lab specialists have discovered a cyber-espionage Trojan targeting Android device owners in Russia. This spyware, named LianSpy, may have been active since mid-2021. It was difficult to detect because the attackers took care to conceal their tracks. According to experts, the espionage was highly targeted.
Representatives from Kaspersky Lab indicated that cyber-espionage using LianSpy might have commenced in mid-2021. Since its discovery this spring, specialists have identified more than ten targets. The identities of the victims remain unknown, as the experts are working with anonymized data based on the activation of the company’s services.
The LianSpy spyware disguises itself as system applications and financial services, though its aim is not to steal financial information. The malware collects and transmits data about contacts, call logs, and lists of installed applications from infected devices. It can record the smartphone screen when certain applications, primarily messengers, are opened. Additionally, LianSpy can bypass Android notifications that indicate when the camera or microphone is in use, by disabling the icon that appears during screen recording.
Experts deem it unlikely that Google is involved in this espionage activity, as the company has more effective surveillance methods. Regular software developers are also unlikely to engage in this, as built-in malicious functionalities are typically associated with adware or user data collection, rather than monitoring private conversations.
The infection could have occurred remotely by exploiting several unknown vulnerabilities or through physical access to the phone. However, the exact attack vector remains unknown since specialists only had the malware itself for analysis.
LianSpy requires no action from the user to activate. Upon launching, the malware hides its icon and operates in the background, keeping the user unaware of the issue. Once activated, the Trojan gains full control over the device. LianSpy employs techniques uncommon for mobile spyware: for data transmission from infected devices, attackers use only public services, complicating the attribution of the attacking group.
Experts believe the attackers may be interested in acquiring confidential data, sensitive correspondence, personal contacts, and other information.
Infected devices can be used to create a botnet, which is employed for hacking and information attacks, spreading malware, or accessing personal accounts. If the malware gathers contacts and screenshots from messengers, the attackers may be interested in the victim’s social circle and conversation topics. This way, they can target aides of high-ranking officials and executives.
The attack is noted to be aimed at a narrow group of individuals whose smartphones likely lack monitoring tools. The malware does not steal money and has no obvious manifestations, making it difficult to detect. The number of victims could be significant, considering that the Trojan disguises itself as popular system and banking applications.