New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

October 31, 2024 at 11:21AM

Researchers have identified an advanced iOS spyware, LightSpy, which enhances its capabilities and includes destructive functions that can render infected devices unbootable. First discovered in 2020, it captures sensitive data and utilizes various plugins. Suspected to be operated by Chinese attackers, it exploits known security vulnerabilities in Apple’s systems.

### Meeting Takeaways: LightSpy iOS Spyware

**Date:** October 31, 2024
**Attendee:** Ravie Lakshmanan

1. **Discovery of Improved Spyware:**
– Researchers identified an upgraded version of iOS spyware called LightSpy, which now includes destructive capabilities to prevent device booting.

2. **Technical Overview:**
– LightSpy differs from its macOS counterpart in post-exploitation and privilege escalation due to platform differences.
– First documented in 2020, it targets users mainly in Hong Kong with a modular, plugin-based design to enhance its functionality.

3. **Malware Distribution Mechanism:**
– Attack chains utilize known vulnerabilities in iOS and macOS to launch a WebKit exploit that drops what appears to be a PNG file but is actually a Mach-O binary that retrieves additional payloads through a memory corruption flaw (CVE-2020-3837).

4. **Enhanced Functionality:**
– The recent version (7.9.0) has increased its plugins from 12 to 28, allowing for extensive data capture including:
  – Wi-Fi network info
  – Screenshots
  – Location tracking
  – Access to iCloud Keychain, messaging apps, and browser history
  – Sound recordings and media files

5. **Destructive Features:**
– New plugins can delete files and data, freeze devices, and generate fake push notifications.

6. **Distribution Methodology:**
– LightSpy is believed to be spread through watering hole attacks, with no known threat actor attributed yet.
– Evidence suggests operators may be based in China due to specific localization features in the software.

7. **Security Recommendations:**
– The findings emphasize the need to keep systems up to date, as the threat actors actively exploit newly disclosed vulnerabilities.
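
The distribution stage in item 3 hinges on a dropped file that carries a PNG name but a Mach-O header. The script below is an added example (not code from the article or from the researchers it cites) showing the check a defender can run over suspicious downloads: it reads the file's leading bytes and reports when the declared image extension disagrees with the real content. The PNG signature and the Mach-O thin/fat magics come from the public format definitions; the `MAX_PLAUSIBLE_FAT_ARCHS` cut-off is a heuristic assumed here to separate fat binaries from Java class files (which share the `0xCAFEBABE` magic), and every sample blob is constructed for the demonstration.

```python
"""Flag files whose image extension hides a Mach-O header (added example)."""
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Thin Mach-O magics: MH_MAGIC / MH_MAGIC_64 and their byte-swapped forms
# (MH_CIGAM / MH_CIGAM_64), as laid out in <mach-o/loader.h>.
MACHO_THIN_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC    (32-bit, big-endian on disk)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM    (32-bit, little-endian on disk)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64 (64-bit, big-endian on disk)
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64 (64-bit, little-endian on disk)
}
# Universal ("fat") binary magics from <mach-o/fat.h>, mapped to the struct
# format used to read the nfat_arch field that follows the magic.
FAT_MAGICS = {b"\xca\xfe\xba\xbe": ">I", b"\xbe\xba\xfe\xca": "<I"}
# Assumption for this example: a real fat binary has only a handful of slices,
# whereas a Java class file stores its version number in the same four bytes.
MAX_PLAUSIBLE_FAT_ARCHS = 32

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")


def classify_header(data: bytes) -> str:
    """Return a coarse content type derived from the first bytes of a file."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    magic = data[:4]
    if magic in MACHO_THIN_MAGICS:
        return "macho"
    if magic in FAT_MAGICS and len(data) >= 8:
        (nfat_arch,) = struct.unpack(FAT_MAGICS[magic], data[4:8])
        if 0 < nfat_arch <= MAX_PLAUSIBLE_FAT_ARCHS:
            return "macho-fat"
        return "java-class-or-unknown"
    return "unknown"


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when a file named like an image actually starts with a Mach-O header."""
    if not filename.lower().endswith(IMAGE_EXTENSIONS):
        return False
    return classify_header(data) in ("macho", "macho-fat")


def scan(samples: dict) -> list:
    """Return the names whose extension disagrees with their content, in input order."""
    return [name for name, blob in samples.items() if is_disguised_executable(name, blob)]


# Constructed samples (not real malware): a genuine PNG header, a 64-bit
# little-endian Mach-O header with placeholder cputype/cpusubtype fields,
# a fat header claiming two slices, and a Java class file header (major 52).
SAMPLES = {
    "photo.png": PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR",
    "image.png": b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x03\x00\x00\x00",
    "icon.png": b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x02",
    "Foo.class": b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x34",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12s} -> {classify_header(blob)}")
    print("flagged:", scan(SAMPLES))
```

Reading only the first eight bytes keeps the check cheap enough to run over every file a content filter or endpoint agent sees; it is a triage signal, not proof of compromise, and a hit should be followed by full static analysis of the binary on an isolated host.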

### Next Steps:
– Monitor developments related to LightSpy and related security threats.
– Ensure all systems are updated to mitigate potential vulnerabilities.
– Share this information with relevant teams to enhance awareness and security measures.
