LianSpy is an Android spyware aimed at Russian users, active since 2021, capable of screen capture, file exfiltration, and harvesting call logs and installed-app lists, with evasion techniques to stay hidden. It uses Yandex Disk for C2 and data storage, and appears to be deployed via unknown vulnerabilities or physical access to the device, with strong encryption and stealth features to avoid detection.
#LianSpy #YandexDisk #Russia
Key points
- LianSpy targets individuals in Russia and has been active since July 2021, collecting screen content, files, call logs, and installed apps.
- The spyware uses Yandex Disk as its command-and-control channel and for data exfiltration, avoiding dedicated infrastructure.
- It employs multiple evasion techniques, including masking as legitimate apps (e.g., Alipay) and bypassing privacy indicators.
- Deployment likely occurs through unknown device vulnerabilities or direct physical access to the target phone.
- All collected data is encrypted (AES) and stored securely, with the AES key itself protected by a hardcoded RSA key.
- Configuration is dynamically updated from threat-actor-controlled sources, including a frame_*.png payload downloaded from Yandex Disk and decrypted locally.
- Stealth features include root access via a modified su binary, background notification suppression, and extensive use of legitimate cloud/pastebin services to hide malicious activity.
MITRE Techniques
- [T1486] Data Encrypted for Impact – Brief description: Uses AES encryption to secure exfiltrated data. ‘Uses AES encryption to secure exfiltrated data.’
- [T1071] Application Layer Protocol – Brief description: Utilizes Yandex Disk for C2 communications. ‘Utilizes Yandex Disk for C2 communications.’
- [T1113] Screen Capture – Brief description: Captures screenshots using the media projection API and screencap binary. ‘Captures screenshots using the media projection API and screencap binary.’
- [T1213] Data from Information Repositories – Brief description: Harvests call logs, contact lists, and app lists from the device. ‘Harvests call logs, contact lists, and app lists from the device.’
- [T1014] Rootkit – Brief description: Uses a modified su binary to gain root access. ‘Uses a modified su binary to gain root access.’
- [T1036] Masquerading – Brief description: To blend in with legitimate applications, its variants masquerade as the Alipay app or a system service. ‘To blend in with legitimate applications, its variants masquerade as the Alipay app or a system service.’
- [T1564.001] Hide Artifacts – Brief description: Bypasses privacy indicators by manipulating icon_blacklist to prevent status bar icons. ‘bypassing this protection by appending a cast value to the Android secure setting parameter icon_blacklist, which prevents notification icons from appearing in the status bar.’
- [T1105] Ingress Tool Transfer – Brief description: Downloads configuration updates from Yandex Disk after locating frame_*.png files. ‘To update the spyware configuration, LianSpy searches for a file matching the regular expression ‘^frame_.+.png$’ on a threat actor’s Yandex Disk every 30 seconds. If found, the file is downloaded to the application’s internal data directory.’
Indicators of Compromise
- [APK Hashes] – 084206ec8e6e5684a5acdcbd264d1a41, 09088db5640381951e1b4449e930ff11, and 30 other hashes (see the full report)
- [URLs] Pastebin sources for Yandex Disk credentials – hxxps://pastebin[.]com:443/raw/X4CuaV5L, hxxps://pastebin[.]com:443/raw/0t2c1Djz
- [Cloud service] Yandex Disk – Used for C2 communications and data exfiltration
Read more: https://securelist.com/lianspy-android-spyware/113253/