Enhanced iOS Spyware "LightSpy" Gains Destructive Capabilities

Cybersecurity researchers have identified an advanced version of the iOS spyware known as LightSpy, which has been updated to include destructive capabilities that prevent affected devices from booting up. This enhanced variant not only expands its data-gathering functionality but also includes harmful elements designed to disrupt device functionality.

According to a recent analysis by ThreatFabric, "While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences."

Originally discovered in 2020 and primarily targeting users in Hong Kong, LightSpy is a modular spyware tool. It employs a plugin-based structure, allowing it to access a broad array of sensitive information from compromised devices. The attack chain exploits known vulnerabilities in Apple iOS and macOS, triggering a WebKit exploit that downloads a deceptive .PNG file. This file, which is actually a Mach-O binary, exploits a memory corruption flaw (CVE-2020-3837) to download additional payloads from a remote server.

One core component, FrameworkLoader, downloads the LightSpy Core module, which has grown from 12 to 28 plugins in the latest version (7.9.0). Once activated, the Core module performs a connectivity check using Baidu.com, processes command-and-control data, and sets up directories for logs, databases, and exfiltrated data within /var/containers/Bundle/AppleAppLit/.

The plugins gather extensive information, such as Wi-Fi details, screenshots, location data, iCloud Keychain contents, sound recordings, photos, browser history, contacts, call logs, SMS messages, and app data from services like LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp. Some newly added plugins introduce destructive functions, such as deleting media files, SMS messages, Wi-Fi profiles, contacts, and browser history. They can even freeze the device, rendering it unusable.

Another feature of LightSpy allows it to push fake notifications with specific URLs to mislead users. While the exact delivery method remains unknown, the spyware is suspected to use watering hole attacks, though no specific group has been connected to the campaign. Indicators suggest the operators may be based in China, as the location plugin recalculates coordinates using the GCJ-02 system—a format unique to Chinese map services.

"The LightSpy iOS case highlights the importance of keeping systems up to date," noted ThreatFabric. "The threat actors behind LightSpy closely monitor publications from security researchers, reusing newly disclosed exploits to deliver payloads and escalate privileges on affected devices."

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067