A recent version of the LightSpy malware targeting iOS has been reported to include over a dozen new plugins, significantly increasing its destructive capabilities. Discovered by the cybersecurity firm ThreatFabric, this version builds upon the malware’s initial discovery in 2020 when it was linked to data theft from iPhone users in Hong Kong.
The malware previously exploited iOS vulnerabilities to take control of devices and steal a variety of sensitive information, including location data, call and browser history, messages, and passwords. The new research also indicates that LightSpy has expanded its reach, with variants identified for Android and macOS systems. ThreatFabric’s analysis reveals that the updated iOS version of LightSpy has increased its plugin count from 12 to 28, enabling it to perform more extensive malicious activities.
This new iteration targets iOS versions up to 13.3 and leverages two specific vulnerabilities: CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation. The initial exploit typically occurs through malicious websites that exploit the Safari browser vulnerability, initiating a complex process that includes a jailbreak stage, loader stage, and the deployment of the malware’s core functionality.
The capabilities of the LightSpy malware have also evolved significantly. In addition to stealing sensitive information, the malware can now execute destructive actions such as preventing devices from booting, deleting browser history, and removing specified contacts and media files. This escalation in destructive potential indicates that the threat actors prioritize erasing traces of their activities on compromised devices. Although the jailbreak used by the malware does not survive device reboots—prompting a regular reboot as a recommended security measure—it does not ensure protection against reinfection.
Further investigations by ThreatFabric have linked the operators of LightSpy to a state-sponsored group, likely of Chinese origin. The malware’s reliance on publicly available exploits and jailbreak kits showcases the attackers’ advanced understanding of device vulnerabilities and modular architecture. This heightened sophistication in the LightSpy malware emphasizes the continuous threat posed by these cybercriminals, who remain capable of adapting their tactics to infiltrate systems and extract valuable data while evading detection.
Reference:
