Threat Actor Abuses Trial Feature for Cloudflare Tunnels to Deliver RATs

Hackers are exploiting the free TryCloudflare service to distribute remote access trojans (RATs) like AsyncRAT, GuLoader, and Remcos RAT. This activity was first detected in February and has been linked to campaigns targeting various industries.

Cyware News – Latest Cyber News

New LianSpy spyware targets Android smartphones | Kaspersky official blog

Spyware is a dangerous tool that can be used to selectively monitor specific victims. Often the victims are employees in a single company, or residents in a single country. The new mobile spyware, which we discovered and dubbed LianSpy, targets — for now — users of Android smartphones in Russia, but the unconventional approaches it employs could potentially be applied in other regions as well. How it works and how to guard against this new threat is the topic of this post.

What is LianSpy?

We discovered LianSpy in March 2024. However, our data indicates it’s been active for at least three years — dating back to July 2021! How did LianSpy remain in the shadows for so long? The attackers meticulously cover their tracks. Upon launch, the malware hides its icon on the home screen and operates in the background using root privileges. This allows it to bypass Android status bar notifications, which would typically alert the victim that the smartphone is actively using the camera or microphone.

LianSpy disguises itself as system applications and financial services. Interestingly, the attackers aren’t interested in the victims’ banking data. This spyware silently and discreetly monitors user activity by intercepting call logs, sending a list of installed applications to the attackers’ server, and recording the smartphone’s screen — mainly during messenger activity.

How does LianSpy work?

Unlike spyware that exploits zero-click vulnerabilities, LianSpy requires some action on the part of the victim. Upon launch, the malware checks whether it has the permissions it needs to read contacts and call logs and to draw overlays; if not, it requests them. That done, it registers an Android Broadcast Receiver to be notified of system events, which it uses to start or stop its various malicious tasks.

LianSpy uses root privileges in a rather unconventional way. Typically, root access is used to gain complete control over the device. LianSpy, however, uses only a small part of the functionality available to a superuser, and it does so mainly to evade detection by security solutions.

LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices, or modified the firmware by gaining physical access to victims’ devices. It remains unclear which vulnerability the attackers might have exploited in the former scenario.

Another feature of LianSpy is its combined use of symmetric (one key for both encrypting and decrypting information) and asymmetric (separate public and private keys) encryption. Before exfiltration, the data is encrypted with a symmetric algorithm, and the symmetric key is in turn encrypted asymmetrically; only the attacker possesses the private key needed to recover it. For more details about LianSpy functionality, see our Securelist post.

Who’s behind LianSpy?

Good question. The attackers only utilize public services, not private infrastructure, which makes it difficult to definitively determine which hacker group is behind these attacks on Android smartphone users in Russia. The paymaster’s identity is also not known, but, as global practice shows, such sophisticated cyberespionage campaigns are often instigated by groups affiliated with a nation-state actor.

How to guard against spyware surveillance?

Download apps only from official stores and catalogs, but keep in mind that spyware can infiltrate even those.
Update your operating system regularly — not all malware can adapt to new security features.
Use well-known apps from trusted developers. Avoid alternative clients for instant messengers and other services, as they may contain malicious code (read more about spyware mods for WhatsApp, Telegram and Signal).
Use Kaspersky: Antivirus & VPN to detect spyware such as LianSpy in a timely manner.
If you still don’t have reliable protection, use TinyCheck, a spyware detection tool.
Only grant applications the permissions they need to function.

Kaspersky official blog

Is Australia’s Public Sector Ready for a Major Cyber Security Incident?

Australia’s public sector agencies are under increasing pressure to improve their readiness for cyber attacks and data breaches, as surveys and investigations find their preparedness lackluster.

Security | TechRepublic

New Discord DDoS Campaign Called Panamorfi Targets Vulnerable Jupyter Notebooks

Hackers are targeting misconfigured Jupyter Notebooks using a repurposed Minecraft DDoS tool known as mineping. The attack, dubbed Panamorfi, uses a Java tool to launch a TCP flood DDoS attack against vulnerable Jupyter Notebooks.

Cyware News – Latest Cyber News

Justice Department Sues TikTok, Accusing the Company of Illegally Collecting Children’s Data

The US Justice Department has sued TikTok, accusing the company of illegally collecting children’s data and violating an online privacy law.


SecurityWeek

US Senate Panel Advances Cyber Regulatory Harmonization Bill

The Streamlining Federal Cybersecurity Regulations Act, led by Senators Gary Peters and James Lankford, would create an interagency group to synchronize U.S. cyber regulatory regimes and establish a pilot program for testing new frameworks.

Cyware News – Latest Cyber News

Germany Summons Chinese Ambassador Over Cyberattack on Cartography Agency

Germany has summoned the Chinese ambassador over a cyberattack by a Beijing-backed threat actor on a cartography agency. The attack, aimed at espionage, was carried out at the end of 2021.

Cyware News – Latest Cyber News

Ransomware Attack Cost Keytronic Over $17 Million

Keytronic says the recent ransomware attack resulted in expenses and lost revenue totaling more than $17 million.


SecurityWeek

HP Wolf: Not just software attacks; hackers are coming for enterprise hardware, too

A study finds that threat actors are increasingly targeting physical supply chains and tampering with the integrity of device hardware and firmware.

Security News | VentureBeat

Critical Flaw in Rockwell Automation Devices Allows Unauthorized Access

A high-severity security bypass vulnerability has been disclosed in Rockwell Automation ControlLogix 1756 devices that could be exploited to execute Common Industrial Protocol (CIP) programming and configuration commands.
The flaw, assigned the CVE identifier CVE-2024-6242, carries a CVSS v3.1 score of 8.4.
“A vulnerability exists in the affected products that allows a threat actor to

The Hacker News