A recently observed campaign is attempting to infect the iPhones of users in Hong Kong with an iOS backdoor that allows attackers to take over devices, Trend Micro reports.
The attack involved the use of malicious links posted on forums popular in Hong Kong, which led users to real news sites where a hidden iframe would load and run malware. Vulnerabilities affecting iOS 12.1 and 12.2 devices have been exploited to load a new piece of spyware called lightSpy.
With support for shell commands and file manipulation, the malware would allow the attackers to spy on users and take full control of the infected devices.
Modular in nature, lightSpy allows for the exfiltration of connected WiFi history, contacts, GPS location, hardware information, iOS keychain, phone call history, Safari and Chrome browser history, SMS messages, and local network IP addresses.
The malware was also found to specifically target messenger applications such as Telegram, QQ, and WeChat.
Trend Micro’s security researchers also discovered similar attacks that targeted Android users in 2019, distributing malicious APKs through public Hong Kong-related Telegram channels. Referred to as dmsSpy, the Android malware would exfiltrate device information, contacts, and SMS messages.
The iOS campaign, which Trend Micro named Operation Poisoned News, appears designed to compromise a large number of devices for backdooring and surveillance purposes.
On February 19, the security researchers discovered a watering hole attack targeting iOS users with URLs leading to a malicious website featuring three iframes pointing to different sites. One of the iframes is visible and leads to a legitimate news site, another is used for website analytics, while the third leads to a site hosting the main script of the iOS exploits.
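A defender reviewing a suspect lure page would want to pick out exactly the layout described above: iframes that are hidden or that pull content from a host other than the page itself. The script below is an added example, not Trend Micro's tooling; the host names and the sample HTML are constructed to mirror the three-iframe structure.

```python
# Added example (not from the article or Trend Micro): flag iframes in an HTML page
# that are hidden or point off-site, the layout described for Operation Poisoned News.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def _is_hidden(a):
    """Hidden via CSS, the bare 'hidden' attribute, or a zero-sized frame."""
    style = a.get("style") or ""
    if HIDDEN_RE.search(style) or "hidden" in a:
        return True
    try:
        w, h = int(a.get("width") or "1"), int(a.get("height") or "1")
    except ValueError:          # e.g. "100%" is a normal, visible size
        return False
    return w == 0 or h == 0

def suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for iframes that are hidden or load from another host."""
    p = IframeCollector()
    p.feed(html)
    findings = []
    for a in p.iframes:
        src = a.get("src") or ""
        host = urlparse(src).hostname or page_host   # relative src stays on-site
        reasons = []
        if _is_hidden(a):
            reasons.append("hidden")
        if host != page_host:
            reasons.append("off-site:" + host)
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample: visible news iframe, analytics iframe, and a hidden iframe
# loading a script from a third host (hosts are placeholders, not real indicators).
SAMPLE = """<html><body>
<iframe src="https://news.example/article" width="100%" height="800"></iframe>
<iframe src="https://analytics.example/track" width="1" height="1"></iframe>
<iframe src="https://exploit-host.example/l.js" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE, "lure.example"):
        print(src, why)
```

Only the third frame is flagged as both hidden and off-site; a same-origin, visible iframe produces no finding.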
Links were posted on forums popular with Hong Kong residents, which also provide users with a mobile app for easier access. The lures used by the attackers were either sex-related or clickbait-style headlines, or news on the COVID-19 pandemic.
“We do not believe that these topics were targeted at any users specifically; instead they targeted the users of the sites as a whole,” Trend Micro says.
A second type of watering hole attack involved a copied legitimate site that was injected with an iframe. This attack appears to have started on January 2, but Trend Micro couldn’t establish where links to these websites were distributed.
The attacks continued until March 20, when forum posts claimed to link to a schedule of protests in Hong Kong but instead led to the same lightSpy infection chain.
As part of the exploit chain, a silently patched Safari bug that does not have a CVE identifier was targeted, and a customized kernel exploit was employed to gain root privileges. The kernel flaw is related to CVE-2019-8605, which Apple addressed in the summer of 2019.
“Taken together, this threat allows the threat actor to thoroughly compromise an affected device and acquire much of what a user would consider confidential information. Several chat apps popular in the Hong Kong market were particularly targeted here, suggesting that these were the threat actor’s goals,” Trend Micro notes.