Researchers from ThreatFabric have revealed an upgraded version of the iOS spyware LightSpy, which now includes destructive capabilities in addition to an expanded set of functions. This new version of LightSpy exploits iOS-specific vulnerabilities, even though its delivery chain mirrors that of the macOS variant.
Originally discovered in 2020 targeting users in Hong Kong, LightSpy uses a modular architecture that allows extensive data collection from infected devices. The malware is delivered through vulnerabilities in both iOS and macOS: a WebKit exploit triggers the download of a hidden Mach-O binary disguised as a “.png” file, which then fetches additional malicious components from a remote server.
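The “Mach-O disguised as a .png” trick is easy to check for on a forensic image, because file extensions are free-form but magic bytes are not. The script below is an added example, not code from ThreatFabric or from the LightSpy report; it identifies a file by its first bytes and flags any file whose name claims PNG but whose header is a Mach-O image. It also handles the one genuine ambiguity: the fat/universal Mach-O magic 0xCAFEBABE is shared with Java class files, so the script disambiguates on the second word (a slice count for Mach-O, a version number for Java). The thresholds and sample headers are constructed for the example.

```python
"""Flag files whose extension says PNG but whose header says Mach-O (example code)."""
import os
import struct
import sys

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # the 8-byte PNG signature

# Thin Mach-O magic numbers as they appear on disk (first four bytes).
MACHO_THIN_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit, big-endian",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit, little-endian",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit, big-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit, little-endian",
}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # also the Java class-file magic, so a second check is needed
MAX_FAT_ARCHS = 32  # assumed upper bound on slices in a real universal binary (example threshold)


def identify(data: bytes) -> str:
    """Return a content type derived from magic bytes only, ignoring the file name."""
    if data.startswith(PNG_MAGIC):
        return "png"
    head = data[:4]
    if head in MACHO_THIN_MAGICS:
        return MACHO_THIN_MAGICS[head]
    if head == FAT_MAGIC and len(data) >= 8:
        # struct fat_header { uint32 magic; uint32 nfat_arch; } is big-endian on disk.
        # A Java class file puts minor/major version here instead; major is >= 45,
        # so a small value means a slice count and a large one means Java.
        nfat_arch = struct.unpack(">I", data[4:8])[0]
        if 0 < nfat_arch <= MAX_FAT_ARCHS:
            return f"Mach-O fat/universal ({nfat_arch} slices)"
        return "java-class"
    return "unknown"


def is_masquerading_png(filename: str, data: bytes) -> bool:
    """True when the name claims .png but the bytes are a Mach-O image."""
    ext = os.path.splitext(filename)[1].lower()
    return ext == ".png" and identify(data).startswith("Mach-O")


def scan_tree(root: str) -> list:
    """Walk a directory (for example a mounted device backup) and collect masquerading files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)  # enough for the PNG signature and the fat header
            except OSError:
                continue  # unreadable entries are skipped, not treated as hits
            if is_masquerading_png(fn, head):
                hits.append((path, identify(head)))
    return hits


if __name__ == "__main__":
    for path, kind in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: extension .png but content is {kind}")
```

Run it against the root of an extracted backup or a mounted filesystem image; a hit means the extension and the content disagree, which on its own is only a lead, not proof of LightSpy, so follow up by examining the binary itself.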
The loader component of LightSpy, known as FrameworkLoader, retrieves the spyware's Core along with a suite of 28 plugins (up from 12 in the previous version). Once launched, the Core verifies that it has Internet connectivity by reaching baidu[.]com, then creates a working directory for its logs and collected data.
LightSpy's plugins cover a wide range of data collection: Wi-Fi network information, screenshots, geolocation, the iCloud Keychain, audio recordings, photos, browser history, contacts, call logs, and SMS messages. The plugins can also extract data from popular messaging apps such as Line, Telegram, WeChat, and WhatsApp.
The new version of LightSpy adds destructive functions that delete media files, contacts, messages, and Wi-Fi configurations. Some plugins can even freeze the infected device entirely, rendering it unusable. The spyware can also send fake push notifications containing deceptive links that direct users to malicious sites.
Although the exact distribution method of this LightSpy version remains unclear, the malware is believed to rely on a watering-hole approach: compromising popular sites frequented by a specific target audience. By injecting malicious code into those sites, the operators can infect the devices of visitors who unknowingly load the compromised content. This tactic is commonly used to deliver malware, conduct espionage, or steal data from a select group of victims.