A newer version of the LightSpy spyware, long used to target iOS devices, has been found to carry destructive capabilities that can compromise the stability of an infected device, including its ability to boot.
LightSpy for macOS was first documented by ThreatFabric, which published a report on its findings in May 2024.
After a thorough investigation of the LightSpy client and server components, the analysts found that the operators were using the same server infrastructure to manage both the macOS and iOS versions of the implant.
iPhones are generally regarded as more secure than Android devices, although Google has been working steadily to close that gap. Apple devices are, however, by no means immune to attack.
Apple now regularly notifies users when it detects that they have been targeted, and this newly released report warns that iPhones are being attacked by operators equipped with improved tooling. As the report puts it, "rebooting an Apple device regularly is a good practice for Apple device owners."
LightSpy itself is not new: several security firms have documented this spyware on multiple occasions.
It has variants for iOS, macOS, and Android. It has now resurfaced, and ThreatFabric reports that it has been substantially improved. Among other things, the toolset has grown from 12 to 28 plugins; notably, seven of these are destructive and can interfere with the device's ability to boot.
The malware is distributed through attack chains that abuse known security flaws in Apple iOS and macOS to trigger a WebKit exploit.
The exploit drops a file with a ".PNG" extension that is, in fact, a Mach-O binary; this binary exploits a memory corruption flaw tracked as CVE-2020-3837 to retrieve next-stage payloads from a remote server.
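As an added illustration (not code from the original article or from ThreatFabric), the following Python triage script shows the check a responder would run to catch that kind of mismatch: it classifies files by their leading bytes rather than their extension and flags anything named like an image whose header is a Mach-O magic number. The sample files it scans are constructed inline; the image-extension list and the "Caches" subfolder name are assumptions for the demo, not paths from the report.

```python
import os
import struct
import tempfile
from typing import List, Tuple

# Standard file signatures (public format constants, not values taken from the report).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Mach-O magic numbers as they appear in the first four bytes on disk.
# Modern Apple binaries (x86_64, arm64) store MH_MAGIC_64 little-endian,
# so the bytes read "cf fa ed fe". Fat (universal) headers are always big-endian.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O fat/universal",  # same magic as Java class files; inspect further if in doubt
    b"\xbe\xba\xfe\xca": "Mach-O fat/universal (byte-swapped)",
}

# Extensions that should never carry native code (assumed list for this demo; extend as needed).
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def classify_header(header: bytes) -> str:
    """Classify a file by its leading bytes only, ignoring whatever the name claims."""
    if header.startswith(PNG_SIGNATURE):
        return "PNG"
    kind = MACHO_MAGICS.get(header[:4])
    return kind if kind else "unknown"


def read_header(path: str, size: int = 8) -> bytes:
    with open(path, "rb") as f:
        return f.read(size)


def is_disguised_macho(path: str) -> bool:
    """True when the extension claims an image but the content is a Mach-O binary."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_EXTENSIONS:
        return False
    return classify_header(read_header(path)).startswith("Mach-O")


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a directory tree and return (path, detected type) for every disguised binary."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_disguised_macho(path):
                hits.append((path, classify_header(read_header(path))))
    return hits


def build_sample_tree() -> str:
    """Create a constructed sample tree: one genuine PNG and one Mach-O disguised as .PNG."""
    root = tempfile.mkdtemp(prefix="lightspy_triage_")
    with open(os.path.join(root, "real.png"), "wb") as f:
        f.write(PNG_SIGNATURE + b"\x00" * 16)
    os.makedirs(os.path.join(root, "Caches"))  # assumed subfolder name, for the demo only
    with open(os.path.join(root, "Caches", "dropped.PNG"), "wb") as f:
        # MH_MAGIC_64 written little-endian, as an arm64 toolchain would; the rest is padding.
        f.write(struct.pack("<I", 0xFEEDFACF) + b"\x00" * 28)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, kind in scan_tree(sample_root):
        print(f"{path}: extension says image, header says {kind}")
```

Point the scanner at an app container or a filesystem image pulled from a device to find the dropped stage. Because 0xCAFEBABE is shared with Java class files, treat a fat-magic hit as a lead to confirm with a Mach-O parser rather than a verdict on its own.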
In the latest version of LightSpy (7.9.0), a component called FrameworkLoader downloads and installs the main module, Core, together with its plugins, which have grown in number from 12 to 28.
According to the Dutch security company, after Core starts it first performs an Internet connectivity check against Baidu.com domains and then reads the arguments passed from FrameworkLoader, which supply the command-and-control data and the working directory.
By default the working directory is /var/containers/Bundle/AppleAppLit/, under which Core creates subfolders for log files, databases, and exfiltrated data.
The plugins can collect a wide range of data, including Wi-Fi information, screenshots, location, iCloud Keychain contents, sound recordings, photos, browser history, contacts, call history, and SMS messages. Some plugins also gather data from apps such as Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.
The recent additions include destructive plugins that can erase contacts, media files, SMS messages, Wi-Fi configuration profiles, and browsing history.
Some of these plugins can even freeze the device and prevent it from booting again. Others can generate fake push notifications that embed an attacker-chosen URL.
Analysis of the C2 logs showed 15 infected devices, eight of which were iOS devices.
The researchers suspect that most of these are the operators' own test devices, located in China or Hong Kong: several of them connected to the same Wi-Fi network, Haso_618_5G, which looks like a test network.
ThreatFabric's investigation also found that LightSpy contains a dedicated plugin that recalculates location data into the coordinate system used in China, which suggests that the spyware's developers may be based in China.
LightSpy's operators rely heavily on "one-day" exploits, weaponizing vulnerabilities soon after they become public.
ThreatFabric therefore recommends that iOS users reboot their devices regularly: because LightSpy depends on a "rootless jailbreak", it does not survive a reboot, which gives users a simple but effective way to disrupt a persistent spyware infection.
As the researchers say, "The LightSpy iOS case illustrates the importance of keeping system updates current," and they advise users to do just that. "Threat actors behind the LightSpy attack monitor security researchers' publications closely, using recently reported exploits to deliver payloads and escalate their privileges on affected devices."
Most likely, infection takes place through lures that lead to compromised websites frequented by the intended victim groups, i.e. so-called watering holes.
For users concerned about exposure to such attacks, ThreatFabric advises a regular reboot if their iOS is not up to date. Rebooting will not prevent the spyware from re-infecting the device, but it limits the amount of data the attackers can extract. Restarting the device regularly adds a layer of defence by temporarily disrupting the spyware's ability to persistently gather sensitive information.