A previously undocumented Android malware named ‘LightSpy’ has been discovered targeting Russian users, posing on phones as an Alipay app or a system service to evade detection.

Analysis shows that LianSpy has been actively targeting Android users since July 2021, but its extensive stealth capabilities helped it remain undetected for over three years.

Kaspersky researchers believe that the threat actors use either a zero-day vulnerability or have physical access to infect devices with malware. The malware gains root privileges on the device to take screenshots, steal files, and harvest call logs.

“LianSpy uses su binary with a modified name to gain root access. The malware samples we analyzed attempt to locate a mu binary in the default su directories,” explains the Kaspersky report.

“This indicates an effort to evade root detection on the victim’s device. Acquiring superuser rights with such a strong reliance on a modified binary suggests that the spyware was likely delivered through a previously unknown exploit or physical device access.”

Its long list of evasion features includes bypassing the ‘Privacy Indicators’ security feature on Android 12 and later, which displays an indicator on the status bar when an app records the screen or activates the camera or microphone.

LianSpy bypasses this feature by appending a ‘cast’ value to Android’s icon block list setting parameter so the cast notifications are blocked, leaving the victim unaware that their screen is being recorded.

The LianSpy operation

The LianSpy malware includes a wide range of powerful features and evasion mechanisms to hide on a device without detection.

Kaspersky says that when the malware is installed, it will post as an Android system service or the Alipay app.

Once launched, LianSpy requests screen overlay, notifications, contacts, call logs, and background activity permissions or grants them to itself automatically if it runs as a system app.

Next, it ensures it’s not running on an analyst’s environment (no debugger present) and loads its configuration from a Yandex Disk repository.

The configuration is stored locally in SharedPreferences, allowing it to persist between device reboots.

It determines which data to be targeted, the screenshot taking and data exfiltration time intervals, and for apps to trigger screen capturing for using the media projection API.

WhatsApp, Chrome, Telegram, Facebook, Instagram, Gmail, Skype, Vkontakte, Snapchat, and Discord are among the many supported for selective screen capturing, which minimizes the risk of detection.

Stolen data is stored in AES-encrypted form in an SQL table (‘Con001’) before it’s exfiltrated to Yandex Disk, requiring a private RSA key to read it, ensuring only the threat actor has access.

The malware does not receive commands or configuration updates but performs update checks regularly (every 30 seconds) to get new configuration settings. These settings are stored as substrings in the configuration data, which tell the malware what malicious activities should be performed on the infected device.

A list of substrings seen by Kaspersky are listed below:

One more stealth-boosting feature in LianSpy’s long list is the use of ‘NotificationListenerService’ to suppress notifications with key phrases such as “using battery” or “running in the background” from showing up.

Hardcoded phrases are included for both English and Russian, which indicates the target demographic.

However, Kaspersky says its telemetry data shows that the threat actors behind LianSpy are currently focusing on Russian targets.