Spyware Delivered to iPhone Users in Hong Kong Via iOS Exploits

A recently observed campaign is attempting to infect the iPhones of users in Hong Kong with an iOS backdoor that allows attackers to take over devices, Trend Micro reports.

The attack involved the use of malicious links posted on forums popular in Hong Kong, which led users to real news sites where a hidden iframe would load and run malware. Vulnerabilities affecting iOS 12.1 and 12.2 devices have been exploited to load a new piece of spyware called lightSpy.

With support for shell commands and file manipulation, the malware would allow the attackers to spy on users and take full control of the infected devices.

Modular in nature, lightSpy allows for the exfiltration of connected WiFi history, contacts, GPS location, hardware information, iOS keychain, phone call history, Safari and Chrome browser history, SMS messages, and local network IP addresses.

The malware was also found to specifically target messenger applications such as Telegram, QQ, and WeChat.

Trend Micro’s security researchers also discovered similar attacks that targeted Android users in 2019, distributing malicious APKs through public Hong Kong-related Telegram channels. Referred to as dmsSpy, the Android malware would exfiltrate device information, contacts, and SMS messages.

The iOS campaign, which Trend Micro named Operation Poisoned News, appears designed to compromise a large number of devices for backdooring and surveillance purposes.

On February 19, the security researchers discovered a watering hole attack targeting iOS users with URLs leading to a malicious website featuring three iframes pointing to different sites. One of the iframes is visible and leads to a legitimate news site, another is used for website analytics, while the third leads to a site hosting the main script of the iOS exploits.

The links were posted on forums that are popular with Hong Kong residents and that provide users with an app for easy access on mobile devices. The lures used by the attackers were either sex-related, clickbait-type headlines, or news on the COVID-19 pandemic.

“We do not believe that these topics were targeted at any users specifically; instead they targeted the users of the sites as a whole,” Trend Micro says.

A second type of watering hole attack involved a copied legitimate site that was injected with an iframe. This attack appears to have started on January 2, but Trend Micro couldn’t establish where links to these websites were distributed.

The attacks continued into March 20, when forum posts claimed to link to a schedule for protests in Hong Kong, but led to the same lightSpy infection chain instead.

As part of the exploit chain, a silently patched Safari bug that does not have a CVE identifier was targeted, and a customized kernel exploit was employed to gain root privileges. The kernel flaw is related to CVE-2019-8605, which Apple addressed in the summer of 2019.

“Taken together, this threat allows the threat actor to thoroughly compromise an affected device and acquire much of what a user would consider confidential information. Several chat apps popular in the Hong Kong market were particularly targeted here, suggesting that these were the threat actor’s goals,” Trend Micro notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
