LightSpy has been executed in targeted attacks, it uses watering hole techniques and exploit-based delivery, coupled with an infrastructure that swiftly escapes detection. LightSpy was first reported in 2020, targeting users in Hong Kong.
History of LightSpy
LightSpy has been historically famous for attacking messaging apps like WeChat, Telegram, QQ, Line, and WhatsApp throughout different OS. According to ThreatFabric report, the framework can extract payment data from WeChat, remove contacts, wipe out messaging history, and alot of other things.
The compromised things include WiFi network details, iCloud Keychain, screenshots, location, browser history, photos, call history, and SMS texts.
Regarding server analysis, the LightSpy researcher said they "share similarities with prior malicious infrastructure but introduce notable differences in the command list."
Further, "the servers analyzed in this research As previously observed, the cmd_list endpoint is at /ujmfanncy76211/front_api. Another endpoint, command_list, also exists but requires authentication, preventing direct analysis."
LightSpy Capabilities
In 2024, ThreatFabric reported about an updated malware version that has destructive capability to stop compromised device from booting up, in addition to the number of supported plugins from 12 to 28.
Earlier research has disclosed potential overlaps between an Android malware called "DragonEgg" and LightSpy, showing the threat's cross-platform nature.
Hunt.io's recent analysis study of the malicious command-and-control (C2) infrastructure linked with the spyware has found support for more than 100 commands spread across iOS, macOS, Linux, routers, and Windows.
Expert insights
Commenting on the overall impact of the malware, Hunt.io experts believe “LightSpy's infrastructure reveals previously unreported components and administrative functionality.” However, the experts remain unsure if it symbolizes new growths or earlier versions not publicly reported. “Command set modifications and Windows-targeted plugins suggest that operators continue to refine their data collection and surveillance approach across multiple platforms,” concludes
To stay safe, experts suggest users to:
Limit app permissions to avoid unwanted access to important data. “On Android, use Privacy Dashboard to review and revoke permissions; on iOS, enable App Privacy Reports to monitor background data access.”
Turn on advanced device security features that restrict the exploitability of devices. iOS users can enable Lockdown Mode and Android users can turn on Enhanced Google Play Protect and use protection features to identify and block suspicious activities.
