Researchers Uncover Communication Between Android Spyware Dragonegg and iOS Surveillance Tool Lightspy
Researchers recently revealed communication between Dragonegg, a spying software for Android, and Lightspy, a modular tool for surveillance in the iOS system[1]. The first data on DragoneGG, which is associated with the Chinese APT41 group, was introduced by Lookout in July 2023. Around the same time, WYRMSPY, also known as AndroidControl, another spy software, was discovered[2].
Lightspy, as the cybersecurity community learned in March 2020 as part of the Operation PoisONed News campaign, targeted iPhone users in Hong Kong[3].
The tactics used by the hackers were described by Mobile Security researchers from the Dutch company Threatfabric. The first step involves the user installing a trojanized version of Telegram on their device. This version is designed to load secondary harmful code (Smallmload.jar), which further activates another component called Core[4].
Analysis of Lightspy showed that it has been regularly updated since December 11, 2018, with the latest update being noted on July 13, 2023[5]. Lightspy’s main module, believed to be DragoneGG, is responsible for coordinating processes. Its tasks include collecting information about the device, establishing communication with a remote server, waiting for further directives, and self-imprisonment. The program processes commands via WebSocket and transmits data via https[6].
Further investigation into Lightspy revealed several more modules, including tools for tracking the geolocation of the device, recording surrounding sounds, and monitoring conversations on WeChat. There is also a function that collects the history of payments made through WeChat Pay[7].
Lightspy’s management and control servers are located in various regions such as China, Hong Kong, Taiwan, and Singapore. It is interesting to note that Lightspy and WyrmSpy share the same infrastructure[8]. Researchers discovered 13 unique numbers belonging to Chinese mobile operators on