Friday, December 6, 2024

New LianSpy Attacking Android Users to Steal Sensitive Data


Cybersecurity experts have uncovered a sophisticated Android spyware, LianSpy, targeting users to steal sensitive data.

This spyware employs advanced evasion techniques, making it a significant threat to Android device users worldwide.

How LianSpy Operates

LianSpy begins by determining whether it is running as a system app, in which case it receives the permissions it needs automatically.


If not, it requests permissions for screen overlay, notifications, background activity, contacts, call logs, and more. Once authorized, it verifies it’s not running in a debugging environment.


According to the Securelist report, the spyware sets up its configuration with predefined values, storing this data locally using SharedPreferences, a common app data storage mechanism.

This configuration persists across device reboots and uses integer keys linked to specific spyware settings. Key functionalities of LianSpy include:

  • Collecting lists of installed applications, call logs, and contact lists.
  • Taking screenshots and capturing the screen via the media projection API.
  • Exfiltrating data at specified intervals.

LianSpy employs several unconventional and sophisticated evasion techniques to remain undetected. To blend in, it masquerades as a legitimate application, like the Alipay app, or a system service.

Notably, it bypasses Android 12’s privacy indicators, which display status bar icons when sensitive data is accessed. It achieves this by appending a casting value to the Android secure setting parameter icon_blacklist, preventing notification icons from appearing.

Additionally, LianSpy hides notifications from background services by leveraging the NotificationListenerService, which processes status bar notifications and can suppress them. This allows the spyware to operate without alerting the user.
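Both techniques above leave traces in Android secure settings that a responder can read over adb. The following triage check is an added example, not code from the article or the Securelist report. It assumes the two values were collected with `adb shell settings get secure icon_blacklist` and `adb shell settings get secure enabled_notification_listeners`, that the article's "casting value" corresponds to the status bar slot name cast, and that the defender supplies an allowlist of packages expected to hold notification-listener access; the function names and sample values are hypothetical.

```python
# Added triage example; not code from the article or from Securelist.
# Input strings are what `adb shell settings get secure <key>` prints.

# Status bar slot names for privacy-relevant indicators. Assumption: the
# article's "casting value" is the slot "cast"; the rest are added for coverage.
SENSITIVE_SLOTS = {"cast", "camera", "microphone", "location", "screen_record"}


def _split(raw, sep):
    """Split a settings value; `settings get` prints 'null' when unset."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    return [part.strip() for part in raw.split(sep) if part.strip()]


def hidden_sensitive_slots(icon_blacklist):
    """icon_blacklist is comma-separated; return the sensitive slots it hides."""
    return sorted(set(_split(icon_blacklist, ",")) & SENSITIVE_SLOTS)


def unexpected_listeners(listeners, allowed_packages):
    """enabled_notification_listeners is colon-separated 'package/class'."""
    flagged = []
    for component in _split(listeners, ":"):
        package = component.partition("/")[0]
        if package not in allowed_packages:
            flagged.append(component)
    return flagged


def audit(icon_blacklist, listeners, allowed_packages):
    """Return human-readable findings for both settings."""
    findings = [f"icon_blacklist hides status bar slot: {slot}"
                for slot in hidden_sensitive_slots(icon_blacklist)]
    findings += [f"notification listener not on allowlist: {component}"
                 for component in unexpected_listeners(listeners, allowed_packages)]
    return findings


# Constructed sample values (hypothetical package names), not real device output.
SAMPLE_ICON_BLACKLIST = "rotate,cast"
SAMPLE_LISTENERS = ("com.example.launcher/.NotificationListener:"
                    "com.example.sysservice/.core.NotifSvc")
SAMPLE_ALLOWED = {"com.example.launcher"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ICON_BLACKLIST, SAMPLE_LISTENERS, SAMPLE_ALLOWED):
        print(finding)
```

A finding is a lead for review rather than proof of infection: the allowlist should come from a known-good baseline of the same device model and build.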

LianSpy registers a malicious broadcast receiver

Data Encryption and Exfiltration

The stolen data is stored encrypted in an SQL table named Con001, which includes the type of record (device information, contact list, call logs, etc.) and its SHA-256 hash.

The encryption scheme involves generating an AES key using a secure pseudorandom number generator (PRNG) and encrypting this key with a hardcoded public RSA key. Only the threat actor with the corresponding private RSA key can decrypt the stolen data.

LianSpy uses legitimate cloud services like Yandex Disk for data exfiltration and storing configuration commands.

This reliance on legitimate platforms complicates attribution and makes the malicious web activity from a compromised device virtually undetectable.

Evidence suggests that LianSpy primarily targets Russian users, as indicated by key phrases used to filter notifications and its variants’ default configurations, including package names for messaging apps popular in Russia.

Kaspersky Security Network (KSN) telemetry corroborates this, showing that Russian users have been victims of LianSpy attacks.

LianSpy represents a significant advancement in Android spyware, with its sophisticated evasion techniques and robust encryption methods.

Users are advised to remain vigilant and protect their devices with up-to-date security measures to mitigate the risk of such spyware attacks.


Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
