A recent iOS-targeting version of the LightSpy malware includes over a dozen new plugins, many with destructive capabilities, according to cybersecurity firm ThreatFabric.
The LightSpy malware came to light in 2020, after it was observed targeting the iPhones of users in Hong Kong. Threat actors had been attempting to take over devices and steal data using the malware.
The attackers at the time had exploited iOS vulnerabilities to deliver the spyware and collect a wide range of information from compromised devices, including location, call and browser history, messages, and passwords.
More recent research led to the discovery of Android and macOS versions of LightSpy as well.
Earlier this year, BlackBerry reported seeing LightSpy mobile espionage campaigns aimed at users in South Asia, with evidence suggesting that India was likely targeted. BlackBerry found evidence indicating that LightSpy may be the work of a state-sponsored group of Chinese origin.
ThreatFabric earlier this year came across a newer version of LightSpy for iOS and determined that — in addition to updates made to the core of the malware — the number of plugins it uses to perform various tasks has increased from 12 to 28. The company disclosed its findings on Tuesday.
The company’s researchers found that the malware is now capable of targeting newer versions of iOS — up to iOS 13.3 — than previously seen LightSpy samples. The new LightSpy for iOS exploits CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation.
The initial exploit is likely delivered through malicious websites that trigger CVE-2020-9802, a remote code execution vulnerability in Safari. The exploit chain then proceeds through a jailbreak stage and a loader stage before the malware core is delivered.
“During our analysis, we discovered that the threat actor continued to rely on publicly available exploits and jailbreak kits to gain access to devices and escalate privileges. We believe this threat actor is also deeply involved with jailbreak code integration within the spyware’s structure, which supports its modular architecture,” ThreatFabric noted.
The security firm noted that the jailbreak used by the hackers does not survive a device reboot, which is why regularly rebooting the device is recommended for iPhone owners. A reboot, however, does not guarantee that the device won’t be reinfected.
The malware core can download up to 28 plugins that can be used to delete files, take photos, record sounds, and capture screenshots, as well as to exfiltrate contacts, call and browser history, and messages (SMS, email and messaging app).
ThreatFabric has also identified several previously unseen plugins that have destructive capabilities.
The LightSpy for iOS malware can now prevent the device from booting, wipe browser history, delete specified contacts, freeze the device, delete media files, delete SMS messages selected by the attacker, and remove Wi-Fi network configuration profiles.
“[The destructive capabilities suggest] that the threat actors valued the ability to erase attack traces from the device,” the security firm said.
ThreatFabric’s latest blog post confirms previous reports that LightSpy operators are likely based in China.