Recent Version of LightSpy iOS Malware Packs Destructive Capabilities

A newer version of the LightSpy malware for iOS includes over a dozen new plugins, many with destructive capabilities.


A recent iOS-targeting version of the LightSpy malware includes over a dozen new plugins, many with destructive capabilities, according to cybersecurity firm ThreatFabric.

The LightSpy malware came to light in 2020, after it was observed targeting the iPhones of users in Hong Kong. Threat actors had been attempting to take over devices and steal data using the malware.

The attackers at the time had exploited iOS vulnerabilities to deliver the spyware and collect a wide range of information from compromised devices, including location, call and browser history, messages, and passwords.

More recent research also led to the discovery of Android and macOS versions of LightSpy.

Earlier this year, BlackBerry reported seeing LightSpy mobile espionage campaigns aimed at users in South Asia, with evidence suggesting that India was likely targeted. BlackBerry found evidence indicating that LightSpy may be the work of a state-sponsored group of Chinese origin.

ThreatFabric earlier this year came across a newer version of LightSpy for iOS and determined that — in addition to updates made to the core of the malware — the number of plugins it uses to perform various tasks has increased from 12 to 28. The company disclosed its findings on Tuesday.

The company’s researchers found that the malware is now capable of targeting newer versions of iOS — up to iOS 13.3 — compared to the previously seen LightSpy. The new LightSpy for iOS exploits CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation.

The exploit is likely delivered through malicious websites that exploit CVE-2020-9802, a remote code execution vulnerability in Safari. The exploit chain then involves a jailbreak stage, a loader stage, and the delivery of the malware core. 


“During our analysis, we discovered that the threat actor continued to rely on publicly available exploits and jailbreak kits to gain access to devices and escalate privileges. We believe this threat actor is also deeply involved with jailbreak code integration within the spyware’s structure, which supports its modular architecture,” ThreatFabric noted.

The security firm noted that the jailbreak used by the hackers does not survive a device reboot — regularly rebooting a device is recommended for iPhone owners — but rebooting also does not guarantee that the device won’t be reinfected.

The malware core can download up to 28 plugins that can be used to delete files, take photos, record sounds, and capture screenshots, as well as to exfiltrate contacts, call and browser history, and messages (SMS, email, and messaging app messages).

ThreatFabric has also identified several previously unseen plugins that have destructive capabilities. 

The LightSpy for iOS malware can now prevent the device from booting, wipe browser history, delete specified contacts, freeze the device, delete media files, delete SMS messages selected by the attacker, and remove Wi-Fi network configuration profiles.

“[The destructive capabilities suggest] that the threat actors valued the ability to erase attack traces from the device,” the security firm said.

ThreatFabric’s latest blog post confirms previous reports that LightSpy operators are likely based in China. 

Related: iOS Trojan Collects Face and Other Data for Bank Account Hacking 

Related: Details Emerge on Israeli Spyware Vendor QuaDream and Its iOS Malware

Related: Predator Spyware Resurfaces With Fresh Infrastructure

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
