LightSpy Spyware Targets iPhones with Advanced Surveillance

Researchers have identified a more sophisticated version of the LightSpy spyware targeting Apple iOS devices, now equipped with expanded surveillance features and even destructive capabilities that can render a device unbootable.

This latest iteration builds on its original modular structure, incorporating multiple plugins that enable the collection of extensive sensitive data.

The deployment of LightSpy on iOS mirrors its delivery method on macOS, though the subsequent privilege escalation stages differ due to platform-specific factors, according to an analysis released this week.

Originally documented in 2020, LightSpy was known for targeting users in Hong Kong. The spyware uses a plugin-based architecture, allowing it to stealthily capture a broad array of sensitive information from infected devices.

The LightSpy infection process starts with an exploit chain that leverages known vulnerabilities in Apple’s WebKit, the browser engine used in Safari. By exploiting memory corruption flaws like CVE-2020-3837, LightSpy installs a malicious “.PNG” file (actually a Mach-O binary) that retrieves additional payloads from a remote server.
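The detail above, a file named ".PNG" whose content is a Mach-O binary, is something a defender can test for by comparing the extension with the file header. The following is an added example, not code from the researchers' analysis; the file names and sample bytes are constructed for illustration.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Thin Mach-O magics as they appear on disk: (word size, struct byte order)
THIN = {
    b"\xfe\xed\xfa\xce": (32, ">"), b"\xce\xfa\xed\xfe": (32, "<"),
    b"\xfe\xed\xfa\xcf": (64, ">"), b"\xcf\xfa\xed\xfe": (64, "<"),
}
FAT = b"\xca\xfe\xba\xbe"  # universal binary; Java class files share this magic
CPU_TYPES = {7: "x86", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}


def identify(data: bytes):
    """Classify content from its leading bytes; None if unrecognised."""
    if data.startswith(PNG_SIG):
        return "PNG image"
    if len(data) < 8:
        return None
    magic = data[:4]
    if magic in THIN:
        bits, order = THIN[magic]
        (cputype,) = struct.unpack(order + "I", data[4:8])
        return f"Mach-O {bits}-bit {CPU_TYPES.get(cputype, hex(cputype))}"
    if magic == FAT:
        (nfat,) = struct.unpack(">I", data[4:8])
        # Heuristic: a class file stores its version here (>= 45), a fat
        # header stores a small architecture count.
        if 0 < nfat < 20:
            return f"Mach-O universal ({nfat} slices)"
    return None


def check(name: str, data: bytes) -> dict:
    """Compare a file's claimed extension with what its header says."""
    kind = identify(data)
    claims_png = name.lower().endswith(".png")
    is_macho = bool(kind) and kind.startswith("Mach-O")
    return {"name": name, "content": kind or "unknown",
            "mismatch": claims_png and kind != "PNG image",
            "masquerading_executable": claims_png and is_macho}


# Constructed samples: header bytes only, not taken from any real file.
SAMPLES = {
    "logo.png": PNG_SIG + b"\x00\x00\x00\rIHDR",
    "cached.png": b"\xcf\xfa\xed\xfe" + struct.pack("<I", 0x0100000C) + bytes(24),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check(name, data))
```

The same header comparison can be applied to downloaded objects in proxy or file-extraction logs, where an image extension paired with an executable header is worth a closer look.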

The primary component, FrameworkLoader, then downloads the main Core module and its associated plugins, which have increased in number from 12 to 28 in the newest version (7.9.0).

Once active, the Core module checks for Internet connectivity by pinging Baidu.com and processes command-and-control (C2) data to establish working directories. Within these directories, LightSpy sets up subfolders to store logs, databases, and stolen data.

The extensive range of plugins in LightSpy allows it to track almost every aspect of a device’s usage. This includes Wi-Fi details, screenshots, GPS locations, iCloud Keychain data, audio recordings, images, browsing history, and messages.

LightSpy even collects information from applications like LINE, Telegram, WeChat, WhatsApp, and QQ. Newly added plugins offer destructive functions, enabling the spyware to delete data, remove Wi-Fi profiles, erase call history, and even freeze the device, preventing it from rebooting. In addition, it can issue fake push notifications to direct users to specific URLs.

While the exact delivery method of this spyware remains unclear, researchers suspect it may be spread through watering hole attacks. No particular threat actor has been conclusively tied to the LightSpy campaign, although there is some indication that the operators may be based in China.

This hypothesis arises from a unique feature in the location plugin that recalculates coordinates to align with GCJ-02, a coordinate system used exclusively in China.

The LightSpy iOS campaign underscores the need for regular system updates. The spyware operators closely follow security announcements to incorporate the latest disclosed exploits, allowing them to gain privileged access to vulnerable devices.

To reduce the risk of infection from sophisticated spyware like LightSpy, iPhone users should consistently update their devices to the latest iOS versions, as updates often contain essential security patches.

Installing apps only from trusted sources and avoiding suspicious links also reduce exposure, while staying aware of how the device behaves can help detect potential threats. For additional protection, consider using security solutions that detect and alert on unusual app behavior or unauthorized access.