Advanced Spyware Targeting Users in Russia Covertly Installed on Android Devices

Recent Discovery of State-Sponsored Mobile Spyware Campaign Targeting Android Users

A newly discovered mobile spyware tool, known as LianSpy, has been used by an unknown, likely state-sponsored threat actor to spy on Android smartphone users for at least three years, according to researchers at Kaspersky. The campaign, which has primarily targeted individuals in Russia, could easily be applied in other regions as well.

LianSpy is a post-exploitation Trojan that either exploits vulnerabilities to root Android devices or modifies firmware by gaining physical access to victims’ devices. The threat actor behind LianSpy has been distributing the malware disguised as system and financial applications.

Unlike some zero-click spyware tools, LianSpy requires a degree of user interaction to function. Once launched, the malware requests the permissions it needs from the user and registers an Android Broadcast Receiver to monitor system events. It also uses a superuser binary with a modified name to gain root access on victim devices and operates stealthily in the background.

LianSpy’s primary purpose is to monitor user activity by intercepting call logs, recording device screens during messaging, and listing installed apps. The threat actor stores stolen data and issues configuration commands using public cloud platforms like Yandex Disk. The malware uses root privileges discreetly to avoid detection by security solutions and encrypts data for exfiltration, making victim identification impossible.

Kaspersky researchers warn that LianSpy’s focus on capturing instant message content indicates a targeted data-gathering operation beyond standard espionage tactics. The ongoing use of mobile spyware tools like LianSpy raises concerns about privacy and security for smartphone users worldwide.
