Kaspersky Lab specialists have discovered a Trojan used for cyberespionage targeting Android device owners in Russia. It has been dubbed LianSpy. According to Kaspersky Lab, the espionage may have begun in mid-2021, but detecting the malware was difficult because the attackers were actively hiding their tracks. The espionage was not widespread, but targeted, according to a company representative.
Since LianSpy was discovered in the spring of 2024, Kaspersky Lab specialists have identified more than 10 targets. The company representative did not specify who exactly the victims were, noting that the experts work with anonymized data derived from detections by the company’s products.
“LianSpy disguises itself as system applications and financial services. At the same time, the attackers are not interested in the victims’ financial information. The functionality of the malware includes collecting and transmitting to the attackers a list of contacts from the infected device, as well as call log data and a list of installed applications,” says Dmitry Kalinin, a cybersecurity expert at Kaspersky Lab.
The Trojan is capable of recording the smartphone screen when certain applications are opened, mainly messengers, he continues. In addition, LianSpy can bypass Android notifications that show that the camera or microphone is currently being used on the phone, disabling the icon that appears during screen recording, Kalinin clarifies.
It is unlikely that the Android operating system manufacturer Google itself is behind the spying, since it has many more ways to spy on users than with the help of add-on malware, notes Positive Technologies security consultant Alexey Lukatsky. Regular software developers are also unlikely to do this, he continued. According to Lukatsky, if they do embed malicious functionality, it is usually advertising software or software that steals information about the device itself or the user’s online activity, but not about their correspondence.
The devices could have been infected remotely by exploiting several unidentified vulnerabilities or by gaining physical access to the phone, Kalinin explains. But it is impossible to say for sure which of these two attack vectors was used, since the Lab’s experts only had the malware itself to analyze, he explained.
Activation of the Trojan does not require any action from the user, the Kaspersky Lab representative specified. When launched, the software “hides” its icon and works in the background, so the user is unaware of the problem. At the same time, the activated Trojan gains full control over the device.
The Trojan is distinguished by techniques that are unusual for a mobile spy, Kalinin added: to transmit information from infected devices, the attackers use only public services, which further complicates the process of attributing the campaign to any group of attackers.
In this case, attackers may be interested in obtaining confidential data, sensitive correspondence, personal contacts or other personal information, says Igor Beder, head of the investigation department at T.Hunter and expert on the NTI SafeNet market. Infected devices can also be used as a botnet to carry out hacker or information attacks, distribute malicious software or gain access to personal accounts, he suggests.