
Recent Version of LightSpy iOS Malware Packs Destructive Capabilities

A newer version of the LightSpy malware for iOS includes over a dozen new plugins, many with destructive capabilities.


A recent iOS-targeting version of the LightSpy malware includes over a dozen new plugins, many with destructive capabilities, according to cybersecurity firm ThreatFabric.

The LightSpy malware came to light in 2020, after it was observed targeting the iPhones of users in Hong Kong. Threat actors had been attempting to take over devices and steal data using the malware.

The attackers at the time had exploited iOS vulnerabilities to deliver the spyware and collect a wide range of information from compromised devices, including location, call and browser history, messages, and passwords.

More recent research led to the discovery of Android and macOS versions of LightSpy as well. 

Earlier this year, BlackBerry reported seeing LightSpy mobile espionage campaigns aimed at users in South Asia, with evidence suggesting that India was likely targeted. BlackBerry found evidence indicating that LightSpy may be the work of a state-sponsored group of Chinese origin.

ThreatFabric earlier this year came across a newer version of LightSpy for iOS and determined that — in addition to updates made to the core of the malware — the number of plugins it uses to perform various tasks has increased from 12 to 28. The company disclosed its findings on Tuesday.

The company’s researchers found that the malware is now capable of targeting newer versions of iOS — up to iOS 13.3 — compared to the previously seen LightSpy. The new LightSpy for iOS exploits CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation.

The exploit is likely delivered through malicious websites that exploit CVE-2020-9802, a remote code execution vulnerability in Safari. The exploit chain then involves a jailbreak stage, a loader stage, and the delivery of the malware core. 


“During our analysis, we discovered that the threat actor continued to rely on publicly available exploits and jailbreak kits to gain access to devices and escalate privileges. We believe this threat actor is also deeply involved with jailbreak code integration within the spyware’s structure, which supports its modular architecture,” ThreatFabric noted.

The security firm noted that the jailbreak used by the hackers does not survive a device reboot, so regularly rebooting a device is recommended for iPhone owners. A reboot, however, does not guarantee that the device won’t be reinfected.

The malware core can download up to 28 plugins that can be used to delete files, take photos, record sounds, and capture screenshots, as well as to exfiltrate contacts, call and browser history, and messages (SMS, email and messaging app).

ThreatFabric has also identified several previously unseen plugins that have destructive capabilities. 

The LightSpy for iOS malware can now prevent the device from booting, wipe browser history, delete specified contacts, freeze the device, delete media files, delete SMS messages selected by the attacker, and remove Wi-Fi network configuration profiles.

“[The destructive capabilities suggest] that the threat actors valued the ability to erase attack traces from the device,” the security firm said.

ThreatFabric’s latest blog post confirms previous reports that LightSpy operators are likely based in China. 

Related: iOS Trojan Collects Face and Other Data for Bank Account Hacking 

Related: Details Emerge on Israeli Spyware Vendor QuaDream and Its iOS Malware

Related: Predator Spyware Resurfaces With Fresh Infrastructure


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
