Enhanced LightSpy Spyware Targets iPhones with Advanced Surveillance and Destructive Features
October 31, 2024
Cybersecurity experts have uncovered an enhanced version of an Apple iOS spyware known as LightSpy. This new version not only broadens its functionality but also includes destructive features that can prevent the compromised device from rebooting. "While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences," according to an analysis conducted by ThreatFabric.
LightSpy, which was first identified in 2020 targeting Hong Kong users, is a modular implant that uses a plugin-based architecture to extend its capabilities, allowing it to capture a wide array of sensitive data from the compromised device. The malware is distributed by abusing known security vulnerabilities in Apple iOS and macOS to trigger a WebKit exploit that drops a file with the extension ".PNG", which is actually a Mach-O binary. This binary is responsible for retrieving the next-stage payloads from a remote server by exploiting a memory corruption flaw tracked as CVE-2020-3837.
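Because the dropped file is named ".PNG" but is really a Mach-O binary, a simple defensive check is to classify files by their leading magic bytes rather than by extension. The following is an added example written for this article, not code from LightSpy or from ThreatFabric's analysis; the sample headers and the set of image extensions are constructed assumptions.

```python
import os
import struct

# Mach-O magic numbers as they appear in the first four bytes, both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"       # universal (fat) binary; also Java class magic
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}  # assumption: extensions to check


def classify_header(data: bytes) -> str:
    """Name a file by its leading bytes, ignoring whatever extension it carries."""
    if data.startswith(PNG_SIGNATURE):
        return "PNG image"
    kind = MACHO_MAGICS.get(data[:4])
    if kind:
        return kind
    if data[:4] == FAT_MAGIC and len(data) >= 8:
        # Java .class files share CAFEBABE. A fat header stores a small
        # architecture count next; a class file stores minor/major version
        # (major >= 45), so a large value here means Java, not Mach-O.
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        if 0 < nfat_arch < 20:
            return "Mach-O universal (fat) binary"
        return "Java class file (shares CAFEBABE magic)"
    return "unknown"


def is_masquerading_macho(name: str, data: bytes) -> bool:
    """True when an image-named file actually starts with a Mach-O header."""
    ext = os.path.splitext(name)[1].lower()
    return ext in IMAGE_EXTENSIONS and classify_header(data).startswith("Mach-O")


def scan(samples: dict) -> list:
    """Return the names of samples whose extension and header disagree."""
    return [n for n, d in samples.items() if is_masquerading_macho(n, d)]


# Constructed sample headers (the rest of each file is irrelevant to the check).
SAMPLES = {
    "photo.png":   PNG_SIGNATURE + b"\x00" * 8,
    "dropper.PNG": b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01" + b"\x00" * 24,  # 64-bit LE Mach-O
    "icon.PNG":    FAT_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 24,       # fat, 2 archs
    "Main.class":  FAT_MAGIC + b"\x00\x00\x00\x34",                        # Java 8 class
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} -> {classify_header(data)}")
    print("suspicious:", scan(SAMPLES))
```

Run over a real directory, the same check is a cheap triage filter; a mismatch is a reason to look closer, not proof of compromise on its own.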
The malware includes a component called FrameworkLoader that downloads LightSpy's Core module and its various plugins, the number of which has increased from 12 to 28 in the latest version (7.9.0). "After the Core starts up, it will perform an Internet connectivity check using Baidu.com domain, and then it will check the arguments that were passed from FrameworkLoader as the [command-and-control] data and working directory," stated the Dutch security company.
The plugins can capture a wide range of data, including Wi-Fi network information, screenshots, location, iCloud Keychain contents, sound recordings, photos, browser history, contacts, call history, and SMS messages. They can also extract information from apps such as Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp. Some of the newly added plugins also have destructive features that can delete media files, SMS messages, Wi-Fi network configuration profiles, contacts, and browser history, and can even freeze the device and prevent it from starting again.
The exact distribution method for the spyware is unclear, although it's believed to be delivered through watering hole attacks. The campaigns have not yet been attributed to a known threat actor or group. However, there is some evidence suggesting the operators are likely based in China, as the location plugin "recalculates location coordinates according to a system used exclusively in China." Chinese map service providers use a coordinate system called GCJ-02.
"The LightSpy iOS case underscores the importance of keeping systems up to date," ThreatFabric said. "The threat actors behind LightSpy closely monitor publications from security researchers, reusing newly disclosed exploits to deliver payloads and escalate privileges on affected devices."