
New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

Researchers have documented an upgraded version of the iOS spyware known as LightSpy that expands its data-collection features and adds destructive capabilities, including the ability to prevent an infected device from booting. First documented in 2020, when it targeted users in Hong Kong, LightSpy uses a modular implant architecture in which a core component loads plugins, each of which captures a particular category of sensitive data.

Delivery relies on a WebKit exploit that affects both iOS and macOS. The exploit drops a file whose name carries a “.PNG” extension but whose contents are a Mach-O binary. That binary retrieves the next-stage payloads from a remote server and exploits a memory corruption flaw tracked as CVE-2020-3837. A key component of the chain is FrameworkLoader, which downloads the LightSpy Core module and its plugins; the plugin set has grown from 12 to 28 in the latest release, version 7.9.0.
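A first triage check against the dropper described above, as an added example that is not code from the analysis or from the malware: classify a file by its leading bytes rather than by its extension, so that a Mach-O binary named “.PNG” is flagged. The sample headers are constructed inline for illustration, and the set of image extensions treated as a disguise is an assumed policy, not something the page specifies.

```python
import os
import struct

# First-four-byte magic values of thin Mach-O images, keyed by the raw bytes as
# they appear on disk.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
}
# Universal ("fat") Mach-O binaries start with 0xCAFEBABE, a value they share
# with Java class files; the next word disambiguates (see identify()).
FAT_MAGIC = b"\xca\xfe\xba\xbe"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Assumed policy: extensions that claim the file is a harmless image.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the file name entirely."""
    if data.startswith(PNG_SIGNATURE):
        return "PNG image"
    head = data[:4]
    if head in MACHO_MAGICS:
        return MACHO_MAGICS[head]
    if head == FAT_MAGIC and len(data) >= 8:
        # fat_header.nfat_arch is a small big-endian count. A Java class file
        # has minor_version/major_version here, and major_version is >= 45.
        word = struct.unpack(">I", data[4:8])[0]
        return "Mach-O universal (fat) binary" if word < 45 else "Java class file"
    return "unknown"


def is_disguised_macho(filename: str, data: bytes) -> bool:
    """True when the name claims an image but the bytes are a Mach-O image."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in IMAGE_EXTENSIONS and identify(data).startswith("Mach-O")


def scan(files: dict) -> list:
    """Return the names, in input order, whose extension hides a Mach-O."""
    return [name for name, data in files.items() if is_disguised_macho(name, data)]


# Constructed sample "files" (headers only); these are not real artifacts.
SAMPLES = {
    # Genuine PNG: signature plus the start of an IHDR chunk.
    "photo.png": PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + b"\x00" * 13,
    # 64-bit little-endian Mach-O header (arm64 cputype, MH_EXECUTE) named .PNG.
    "icon.PNG": struct.pack("<IIIIIIII", 0xFEEDFACF, 0x0100000C, 0, 2, 0, 0, 0, 0),
    # Universal binary with two architectures, also hiding behind .PNG.
    "banner.PNG": FAT_MAGIC + struct.pack(">I", 2) + b"\x00" * 32,
    # Java class file (major version 52) shares the 0xCAFEBABE magic.
    "Foo.class": FAT_MAGIC + struct.pack(">HH", 0, 52) + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} {identify(data):32s} flagged={is_disguised_macho(name, data)}")
    print("disguised Mach-O files:", scan(SAMPLES))
```

On a macOS or Linux host the `file` utility performs the same magic-number check; keeping the logic in a script makes it easy to run over every file under a suspicious directory and to extend, for example by parsing the load commands of anything that identifies as Mach-O.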

Once running, the LightSpy Core performs an internet connectivity check against baidu.com and validates the command-and-control details and working directory passed to it by FrameworkLoader. It then creates directories for logs, databases, and exfiltrated data under a designated path on the device.

The plugins harvest a wide range of information, including Wi-Fi data, screenshots, geographic location, iCloud Keychain content, audio recordings, photographs, browser history, contacts, call logs, SMS messages, and data from applications such as Files, LINE, and WhatsApp. The most notable additions in the new version are plugins that delete essential data, including media files and contacts, and plugins that freeze the device and render it inoperable.

The precise distribution method for LightSpy remains unclear, although watering-hole attacks are suspected. The campaigns have not been attributed to a specific threat actor, but there are indications that the operators are based in China: the location plugin recalculates coordinates into GCJ-02, a coordinate system used exclusively by Chinese mapping services.
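The GCJ-02 recalculation mentioned above is a publicly documented transform, reproduced here as an added example (not code from LightSpy or from the researchers' analysis) so that an analyst knows what to look for: the ellipsoid constants 6378245.0 and 0.00669342162296594323 and the sine-series offset functions are distinctive enough to recognise in a decompiled location plugin. The China bounding box is an assumption taken from common implementations, and the test coordinates are constructed. The inverse function goes beyond the page: it undoes the shift, which is what you want when reconstructing true victim positions from coordinates the implant has already converted.

```python
import math

# Constants of the publicly documented WGS-84 -> GCJ-02 conversion. Seeing
# these literals in a location plugin is the fingerprint the analysis refers to.
A = 6378245.0                   # Krasovsky 1940 ellipsoid semi-major axis
EE = 0.00669342162296594323     # first eccentricity squared

# Bounding box used by common implementations to decide whether to shift a
# point at all; coordinates outside it are returned unchanged. (Assumed here.)
CHINA_LAT = (0.8293, 55.8271)
CHINA_LON = (72.004, 137.8347)


def out_of_china(lat: float, lon: float) -> bool:
    return not (CHINA_LAT[0] <= lat <= CHINA_LAT[1] and CHINA_LON[0] <= lon <= CHINA_LON[1])


def _transform_lat(x: float, y: float) -> float:
    ret = -100.0 + 2.0 * x + 3.0 * y + 0.2 * y * y + 0.1 * x * y + 0.2 * math.sqrt(abs(x))
    ret += (20.0 * math.sin(6.0 * x * math.pi) + 20.0 * math.sin(2.0 * x * math.pi)) * 2.0 / 3.0
    ret += (20.0 * math.sin(y * math.pi) + 40.0 * math.sin(y / 3.0 * math.pi)) * 2.0 / 3.0
    ret += (160.0 * math.sin(y / 12.0 * math.pi) + 320.0 * math.sin(y * math.pi / 30.0)) * 2.0 / 3.0
    return ret


def _transform_lon(x: float, y: float) -> float:
    ret = 300.0 + x + 2.0 * y + 0.1 * x * x + 0.1 * x * y + 0.1 * math.sqrt(abs(x))
    ret += (20.0 * math.sin(6.0 * x * math.pi) + 20.0 * math.sin(2.0 * x * math.pi)) * 2.0 / 3.0
    ret += (20.0 * math.sin(x * math.pi) + 40.0 * math.sin(x / 3.0 * math.pi)) * 2.0 / 3.0
    ret += (150.0 * math.sin(x / 12.0 * math.pi) + 300.0 * math.sin(x / 30.0 * math.pi)) * 2.0 / 3.0
    return ret


def wgs84_to_gcj02(lat: float, lon: float) -> tuple:
    """Apply the GCJ-02 offset; this is the direction a location plugin would use."""
    if out_of_china(lat, lon):
        return lat, lon
    dlat = _transform_lat(lon - 105.0, lat - 35.0)
    dlon = _transform_lon(lon - 105.0, lat - 35.0)
    radlat = math.radians(lat)
    magic = 1.0 - EE * math.sin(radlat) ** 2
    sqrtmagic = math.sqrt(magic)
    dlat = (dlat * 180.0) / ((A * (1.0 - EE)) / (magic * sqrtmagic) * math.pi)
    dlon = (dlon * 180.0) / (A / sqrtmagic * math.cos(radlat) * math.pi)
    return lat + dlat, lon + dlon


def gcj02_to_wgs84(lat: float, lon: float, iterations: int = 10) -> tuple:
    """Invert the offset by fixed-point iteration; the offset varies so slowly
    with position that a handful of rounds converges to sub-microdegree error."""
    wlat, wlon = lat, lon
    for _ in range(iterations):
        glat, glon = wgs84_to_gcj02(wlat, wlon)
        wlat -= glat - lat
        wlon -= glon - lon
    return wlat, wlon


def offset_meters(lat: float, lon: float) -> float:
    """Approximate ground distance between a WGS-84 point and its GCJ-02 image."""
    glat, glon = wgs84_to_gcj02(lat, lon)
    dy = (glat - lat) * 111_320.0
    dx = (glon - lon) * 111_320.0 * math.cos(math.radians(lat))
    return math.hypot(dx, dy)


if __name__ == "__main__":
    # Constructed test points: one inside the bounding box, one outside it.
    points = {"inside": (39.9075, 116.3972), "outside": (35.6895, 139.6917)}
    for name, (lat, lon) in points.items():
        glat, glon = wgs84_to_gcj02(lat, lon)
        print(f"{name}: ({lat}, {lon}) -> ({glat:.6f}, {glon:.6f}), "
              f"shift {offset_meters(lat, lon):.0f} m")
```

Inside the bounding box the shift is a few hundred metres, which is why a plugin that emits GCJ-02 but is fed by the device's WGS-84 GPS fix will look slightly wrong on any non-Chinese map; outside the box the coordinates pass through untouched.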

The analysis highlights the importance of keeping devices updated. The LightSpy operators monitor security research publications closely and readily reuse newly published exploits to improve both the delivery mechanism and the privilege-escalation techniques used against vulnerable devices, so a device that is behind on patches remains exposed to exploits that are already public.

This version of LightSpy underscores the ongoing challenges in mobile security posed by sophisticated spyware that not only collects sensitive information but also brings capabilities for data destruction and device immobilization.