Security Experts:

Connect with us

Hi, what are you looking for?



Spyware Delivered to iPhone Users in Hong Kong Via iOS Exploits

A recently observed campaign is attempting to infect the iPhones of users in Hong Kong with an iOS backdoor that allows attackers to take over devices, Trend Micro reports.

A recently observed campaign is attempting to infect the iPhones of users in Hong Kong with an iOS backdoor that allows attackers to take over devices, Trend Micro reports.

The attack involved the use of malicious links posted on forums popular in Hong Kong, which led users to real news sites where a hidden iframe would load and run malware. Vulnerabilities affecting iOS 12.1 and 12.2 devices have been exploited to load a new piece of spyware called lightSpy.

With support for shell commands and file manipulation, the malware would allow the attackers to spy on users and take full control of the infected devices.

Modular in nature, lightSpy allows for the exfiltration of connected WiFi history, contacts, GPS location, hardware information, iOS keychain, phone call history, Safari and Chrome browser history, SMS messages, and local network IP addresses.

The malware was also found to specifically target messenger applications such as Telegram, QQ, and WeChat.

Trent Micro’s security researchers also discovered similar attacks that targeted Android users in 2019, distributing malicious APKs through public Hong Kong-related Telegram channels. Referred to as dmsSpy, the Android malware would exfiltrate device information, contacts, and SMS messages.

The iOS campaign, which Trend Micro named Operation Poisoned News, appears designed to compromise a large number of devices for backdooring and surveillance purposes.

On February 19, the security researchers discovered a watering hole attack targeting iOS users with URLs leading to a malicious website featuring three iframes pointing to different sites. One of the iframes is visible and leads to a legitimate news site, another is used for website analytics, while the third led to a site hosting the main script of the iOS exploits.

Links were posted on forums popular with Hong Kong residents and which provide users with an app for easy visits on mobile devices. The lures used by the attackers were either sex-related, clickbait-type headlines, or news on the COVID-19 pandemic.

“We do not believe that these topics were targeted at any users specifically; instead they targeted the users of the sites as a whole,” Trend Micro says.

A second type of watering hole attack involved a copied legitimate site that was injected with an iframe. This attack appears to have started on January 2, but Trend Micro couldn’t establish where links to these websites were distributed.

The attacks continued into March 20, when forum posts claimed to link to a schedule for protests in Hong Kong, but led to the same lightSpy infection chain instead.

As part of the exploit chain, a silently patched Safari bug that does not have a CVE identifier was targeted, and a customized kernel exploit was employed to gain root privileges. The kernel flaw is related to CVE-2019-8605, which Apple addressed in the summer of 2019.

“Taken together, this threat allows the threat actor to thoroughly compromise an affected device and acquire much of what a user would consider confidential information. Several chat apps popular in the Hong Kong market were particularly targeted here, suggesting that these were the threat actor’s goals,” Trend Micro notes.

Related: iOS Version of Exodus Spyware Discovered in an Escalating Italian Spy Scandal

Related: Apple Patches Re-Introduced Jailbreak Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.