New Spyware Targeting Android Users

Cybersecurity experts have uncovered a sophisticated Android spyware, LianSpy, that targets users to steal sensitive data. It uses advanced evasion techniques and poses a significant threat to Android users globally.

All about LianSpy Spyware

LianSpy starts by checking whether it is running as a system app, in which case it receives the permissions it needs automatically. If not, it requests permissions for screen overlay, notifications, background activity, contacts, and call logs. Once the permissions are granted, it checks that it is not running in a debugging environment.

According to SecureList, LianSpy stores its configuration locally using SharedPreferences, which persists across reboots. It uses integer keys for settings and includes functions such as:

  • Collecting installed apps, call logs, and contact lists
  • Taking screenshots via the media projection API
  • Exfiltrating data at set intervals

LianSpy uses advanced methods to avoid detection. It disguises itself as a real app, like Alipay, or a system service.

It also avoids Android 12’s privacy indicators, which show icons when sensitive data is accessed, by modifying the icon_blacklist setting.

Furthermore, LianSpy hides notifications from background services using NotificationListenerService, so it can operate without alerting the user.
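
A defender can audit a device for the two settings-based evasion techniques described above. The following Python is an added example, not code from the SecureList report or from this article; the watched slot names, package names and allowlist are assumptions, and the sample values are constructed.

```python
# Added example: triage of two Android secure settings tied to the evasion
# techniques described above. Inputs are the raw strings printed by:
#   adb shell settings get secure icon_blacklist
#   adb shell settings get secure enabled_notification_listeners

# Assumption: status-bar slot names worth flagging; names vary by Android build.
WATCHED_SLOTS = {"cast", "camera", "microphone", "location", "screen_record"}


def parse_icon_blacklist(raw):
    """Return the hidden status-bar slots; 'null' or empty means unset."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    return [s.strip() for s in raw.split(",") if s.strip()]


def parse_listeners(raw):
    """Return package names from a colon-separated list of pkg/class components."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    return [c.split("/", 1)[0].strip() for c in raw.split(":") if c.strip()]


def triage(icon_blacklist, listeners, allowed_packages):
    """Build findings for hidden indicator slots and unexpected listeners."""
    findings = []
    for slot in parse_icon_blacklist(icon_blacklist):
        level = "high" if slot in WATCHED_SLOTS else "review"
        findings.append((level, "icon_blacklist hides slot: " + slot))
    for pkg in parse_listeners(listeners):
        if pkg not in allowed_packages:
            findings.append(("high", "unexpected notification listener: " + pkg))
    return findings


# Constructed sample values, not taken from a real device or from the report.
SAMPLE_BLACKLIST = "rotate,cast"
SAMPLE_LISTENERS = (
    "com.example.wearcompanion/.Listener:"
    "com.example.sysservice/com.example.sysservice.NotifSvc"
)
ALLOWED = {"com.example.wearcompanion"}  # hypothetical allowlist

if __name__ == "__main__":
    for level, message in triage(SAMPLE_BLACKLIST, SAMPLE_LISTENERS, ALLOWED):
        print(level + ": " + message)
```

A finding here is a prompt for manual review of the device, since legitimate tuner or companion apps can also change these settings.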

The stolen data is encrypted and stored in an SQL table called Con001, which includes record types and SHA-256 hashes. AES keys, generated by a pseudorandom number generator and encrypted with a hardcoded RSA public key, secure the data. Only the threat actor with the private RSA key can decrypt it.

LianSpy uses cloud services like Yandex Disk for data exfiltration and storing commands, making its activity harder to detect and attribute. It mainly targets Russian users, as seen in its default settings and notification filters.

Kaspersky Security Network confirms that Russian users have been affected. LianSpy’s advanced evasion techniques and strong encryption make it a significant threat. Users should stay vigilant and use updated security measures to protect against such spyware.

Indicators of Compromise as per SecureList


APK file hashes

Yandex Disk encrypted credential sources


August 5th, 2024 | Android malware, malicious cyber actors, Malware, Security Advisory, Security Update, Tips

About the Author:

FirstHackersNews- Identifies Security
