The latest LightSpy spyware variant could infect iPhones

November 14, 2024

A new version of the LightSpy spyware targets Apple products, especially iPhones. According to the researchers who analysed it, this version expands the spyware's functionality and adds destructive capabilities, including the ability to prevent an infected device from booting.

The researchers explained that the new variant's iOS implant is delivered in much the same way as the macOS version, but because of platform differences the post-exploitation and privilege escalation stages differ considerably.

This spyware first emerged in 2020, when it was used against numerous individuals in Hong Kong. It is a modular implant built on a plugin architecture, which lets its operators extend its capabilities and harvest various kinds of sensitive data from an infected device.

The infection chain commonly leverages known security vulnerabilities in Apple iOS and macOS to trigger a WebKit exploit that drops a file with a ".PNG" extension. Despite the extension, that file is a Mach-O binary; it exploits a memory corruption bug and then retrieves the next-stage payloads from a remote server.

The retrieved payloads include FrameworkLoader, a component that downloads LightSpy's Core module and its plugins. The number of plugins increased from 12 to 28 in the most recent version (7.9.0).

The LightSpy spyware infection process uses a sophisticated method to compromise targeted devices.

According to the researchers' analysis, the campaign follows a multi-stage procedure on iOS devices. Once the Core starts, it checks Internet connectivity by contacting the Baidu.com domain.

It then checks the arguments passed to it by FrameworkLoader, including the C2 data and the working directory, and creates subfolders for logs, databases, and exfiltrated data under the working directory path /var/containers/Bundle/AppleAppLit/.
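As an added example (not code from the article or from the researchers who analysed LightSpy), the Python below shows two checks a responder could run over files pulled from a device image: a magic-byte check that catches a Mach-O binary hiding behind a ".PNG" extension, as with the dropper described above, and a path check for the working directory the Core creates. The sample files, the helper names and the finding format are constructed for this example; the PNG signature, the Mach-O magic values and the CPU type constants are the real format constants.

```python
"""Triage helpers for the LightSpy iOS/macOS chain described in the article.

Added example, not code from the article or from the researchers' report.
Assumes you already have file paths and contents extracted from a device
image; the SAMPLE_FILES dictionary below is constructed for illustration.
"""
import struct

# Real PNG file signature (8 bytes at offset 0).
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Real Mach-O magic values as they appear on disk.
LITTLE_ENDIAN_MAGICS = {
    b"\xce\xfa\xed\xfe",  # MH_CIGAM    32-bit, little-endian file
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64 64-bit, little-endian (arm64/x86_64)
}
BIG_ENDIAN_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC    32-bit, big-endian file
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
}
# Fat (universal) binaries; note 0xCAFEBABE also begins Java class files.
FAT_MAGICS = {b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}
MACHO_MAGICS = LITTLE_ENDIAN_MAGICS | BIG_ENDIAN_MAGICS | FAT_MAGICS

# Real cputype values from <mach/machine.h>.
CPU_TYPES = {0x0100000C: "arm64", 0x01000007: "x86_64"}

# Working directory named in the article.
LIGHTSPY_WORKDIR = "/var/containers/Bundle/AppleAppLit/"


def classify_header(data: bytes) -> str:
    """Return 'png', 'macho' or 'other' from the leading bytes only."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    return "other"


def macho_cputype(data: bytes) -> str:
    """Read the cputype field of a thin Mach-O header (offset 4)."""
    magic = data[:4]
    if magic in LITTLE_ENDIAN_MAGICS:
        fmt = "<I"
    elif magic in BIG_ENDIAN_MAGICS:
        fmt = ">I"
    else:
        return "unknown"  # fat binary or not Mach-O at all
    if len(data) < 8:
        return "unknown"
    (cputype,) = struct.unpack(fmt, data[4:8])
    return CPU_TYPES.get(cputype, hex(cputype))


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when a file claims to be a PNG by name but is a Mach-O binary."""
    return path.lower().endswith(".png") and classify_header(data) == "macho"


def triage(files: dict) -> list:
    """Walk {path: content} and return one finding string per hit."""
    findings = []
    for path, data in files.items():
        if extension_mismatch(path, data):
            findings.append(f"MACHO_AS_PNG {path} ({macho_cputype(data)})")
        if path.startswith(LIGHTSPY_WORKDIR):
            findings.append(f"LIGHTSPY_WORKDIR {path}")
    return findings


# Constructed sample input: a real PNG header, a fake ".PNG" that is really
# an arm64 Mach-O, a log under the LightSpy working directory, and a benign
# x86_64 binary with an honest name.
SAMPLE_FILES = {
    "/private/var/tmp/photo.png": PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + b"\x00" * 16,
    "/private/var/tmp/cache.PNG": b"\xcf\xfa\xed\xfe" + struct.pack("<I", 0x0100000C) + b"\x00" * 24,
    "/var/containers/Bundle/AppleAppLit/log/0.log": b"boot ok\n",
    "/usr/bin/true": b"\xcf\xfa\xed\xfe" + struct.pack("<I", 0x01000007) + b"\x00" * 24,
}

if __name__ == "__main__":
    for line in triage(SAMPLE_FILES):
        print(line)
```

The point of the magic-byte check is that filters keyed on extension or declared MIME type pass the dropper straight through; only the first four bytes give it away, and reading the cputype tells you at a glance whether you are looking at an iOS (arm64) or Intel macOS artefact.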

The plugins can collect data from various apps, including Telegram, Tencent QQ, WeChat, Files, LINE, Mail Master, and WhatsApp.

Some of the new plugins carry destructive functions: they can erase media files, contacts, SMS messages, Wi-Fi network configuration profiles, and browsing history, freeze the device, and prevent it from rebooting.

LightSpy plugins can also generate fake push notifications that carry a specific URL. The exact distribution method remains unknown, though the researchers believe the operators deliver the spyware through watering hole attacks.

No known threat actor or cybercriminal group has claimed responsibility for the campaigns.
