New Android spyware is tracking Russian victims, researchers say

Researchers have discovered a previously unknown Android spyware that targets users in Russia and could be deployed in other regions.

The malware, dubbed LianSpy, has been active since at least 2021, but due to its “sophisticated evasive techniques” it was only discovered and analyzed this spring, researchers at the Russian cybersecurity firm Kaspersky said.

Kaspersky told Russian media it had identified 10 spyware targets in Russia but declined to disclose who the victims were. The researchers said this was not a mass espionage campaign: the spyware operators infected specific, selected targets.

The developer and the buyer of the tool remain unknown. According to Kaspersky, the attackers only used public services — such as the Russian Yandex Disk cloud service — rather than private infrastructure for exfiltrating stolen data and storing configuration commands, making it difficult “to definitively determine which hacker group is behind these attacks.”

“As global practice shows, such sophisticated cyberespionage campaigns are often instigated by groups affiliated with a nation-state actor,” researchers said in the report released Monday.

What LianSpy can do

LianSpy disguises itself as a system application or as a financial service such as the Alipay digital payments app. If the spyware is installed as a system app, it automatically receives the permissions it needs to operate; otherwise, it requests permissions for screen overlay, notification access, background activity, contacts and call logs.

Once activated, the spyware hides its icon on the home screen and operates in the background with device administrator privileges. It silently monitors user activity by collecting call logs, sending a list of installed applications to the attackers' server, and recording the smartphone's screen, mainly while messaging apps are in use. The attackers do not appear to be interested in the victims' banking data, researchers said.
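The behaviour described above (device administrator privileges, a hidden launcher icon, and a cluster of overlay, contacts, call-log and background permissions) gives a responder a profile to check a handset against. The script below is an added example, not code from Kaspersky or from its report. It parses constructed, simplified excerpts shaped like the output of `adb shell dumpsys package`, `adb shell dumpsys device_policy` and a launcher-activity query; real output varies by Android version, so the parsers are illustrative. Mapping the article's wording to concrete manifest permission names, and the package names in the sample data, are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed mapping of the article's wording to Android permission names.
SUSPECT_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",                   # screen overlay
    "android.permission.READ_CONTACTS",                         # contacts
    "android.permission.READ_CALL_LOG",                         # call logs
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",  # background activity
}


@dataclass
class PackageInfo:
    name: str
    system: bool = False
    permissions: set = field(default_factory=set)


def parse_dumpsys_package(text):
    """Parse a simplified `dumpsys package` dump into {package_name: PackageInfo}."""
    pkgs, current, in_perms = {}, None, False
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = PackageInfo(m.group(1))
            pkgs[current.name] = current
            in_perms = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("flags="):
            current.system = "SYSTEM" in stripped   # system image app
            in_perms = False
        elif stripped == "requested permissions:":
            in_perms = True
        elif in_perms:
            if stripped.startswith("android.permission."):
                current.permissions.add(stripped)
            else:
                in_perms = False                    # next section header ends the list
    return pkgs


def parse_device_admins(text):
    """Package names with an active device admin component (simplified format)."""
    return set(re.findall(r"([\w.]+)/[\w.$]+:\s*$", text, re.M))


def parse_launcher_packages(text):
    """Package names that expose a MAIN/LAUNCHER activity, i.e. have a home-screen icon."""
    return set(re.findall(r"^\s*([\w.]+)/[\w.$]+\s*$", text, re.M))


def triage(pkgs, admins, launchers, min_hits=3):
    """Flag packages matching the profile: device admin, no icon, and either a
    system app (permissions granted implicitly) or the suspect permission cluster."""
    flagged = {}
    for p in pkgs.values():
        reasons = []
        if p.name in admins:
            reasons.append("active device admin")
        if p.name not in launchers:
            reasons.append("no launcher activity (icon hidden or never shown)")
        hits = p.permissions & SUSPECT_PERMISSIONS
        if p.system:
            reasons.append("system app: privileged permissions granted without prompting")
        elif len(hits) >= min_hits:
            reasons.append("requests " + ", ".join(sorted(hits)))
        if len(reasons) == 3:       # require all three signals; each alone is common
            flagged[p.name] = reasons
    return flagged


# Constructed sample data: simplified excerpts, hypothetical package names.
SAMPLE_PACKAGES = """\
Packages:
  Package [com.android.settings] (3f1a2b):
    flags=[ SYSTEM HAS_CODE PRIVILEGED ]
    requested permissions:
      android.permission.WRITE_SETTINGS
      android.permission.SYSTEM_ALERT_WINDOW
  Package [com.example.payapp] (8c9d0e):
    flags=[ HAS_CODE ALLOW_BACKUP ]
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
      android.permission.INTERNET
    User 0: installed=true hidden=false
  Package [com.example.weather] (1b2c3d):
    flags=[ HAS_CODE ]
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_COARSE_LOCATION
"""
SAMPLE_ADMINS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.payapp/.AdminReceiver:
      uid=10231
"""
SAMPLE_LAUNCHERS = """\
  com.android.settings/.Settings
  com.example.weather/.MainActivity
"""


def run_sample():
    """Triage the constructed sample; only com.example.payapp matches the profile."""
    return triage(parse_dumpsys_package(SAMPLE_PACKAGES),
                  parse_device_admins(SAMPLE_ADMINS),
                  parse_launcher_packages(SAMPLE_LAUNCHERS))


if __name__ == "__main__":
    for name, reasons in run_sample().items():
        print(name, "->", "; ".join(reasons))
```

On a real device, feed the script the live output of the three adb commands instead of the sample strings and treat a hit as a lead for manual review, not a verdict: legitimate MDM agents are also device admins without icons, and the permission cluster is shared by some dialer and launcher replacements.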

LianSpy is post-exploitation malware, according to Kaspersky, meaning it does not carry its own means of initial compromise: the attackers either exploited an unknown vulnerability in Android devices or modified the firmware after gaining physical access to victims' smartphones.

It is not clear how the hackers use the data they obtain, but they make sure it is stored securely. For this, they use an encryption scheme under which only the operators holding the corresponding key can decrypt the stolen information.

The spyware pointed researchers to Russia because the key phrases used to filter notifications were partially in Russian, and some of LianSpy's default configurations include package names of messaging apps popular in Russia. However, "the unconventional approaches the spyware employs could potentially be applied in other regions as well."

Last June, Kaspersky discovered another espionage campaign, dubbed Operation Triangulation, that exploited two vulnerabilities in Apple devices. The campaign has been active since 2019 and attacks its targets by sending iMessages with malicious attachments.

The Russian government blamed this campaign on the U.S., alleging it hacked “thousands of Apple phones” to spy on Russian diplomats. Apple has denied these claims, and Kaspersky has not attributed Operation Triangulation to any government or known hacking group.

Kaspersky chief executive Eugene Kaspersky described the previous campaign as “an extremely complex, professionally targeted cyberattack” impacting, among others, “several dozen iPhones of the company’s employees — both top and middle management.”

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.