An illustration of an iPhone with a lock icon and a red "X" symbol, representing the destructive capabilities of the new LightSpy iOS spyware version.

New LightSpy iPhone Spyware Version

Cybersecurity researchers have discovered an updated version of the LightSpy iOS spyware that not only expands its surveillance capabilities but also incorporates destructive features to prevent the infected device from booting up. The malware targets sensitive information on iPhones, including Wi-Fi networks, location data, and app data, and can even delete files and freeze the device.

LightSpy, first identified in 2020 targeting Hong Kong users, is a modular implant with a plugin-based architecture that captures a wide range of data. Attack chains distributing the malware exploit known iOS and macOS vulnerabilities to drop a Mach-O binary disguised as a PNG file, which retrieves next-stage payloads from a remote server using a memory corruption flaw (CVE-2020-3837).

The latest version (7.9.0) includes 28 plugins, up from 12 in previous versions, and can gather data from apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp. New plugins also add destructive capabilities, such as deleting media files, SMS messages, Wi-Fi profiles, contacts, and browser history, and freezing the device to prevent booting.

The malware’s command-and-control (C2) server checks for arguments passed from the FrameworkLoader component, which downloads LightSpy’s Core module and plugins. The Core module creates folders for logs, database, and exfiltrated data in /var/containers/Bundle/AppleAppLit/. Plugins can capture Wi-Fi networks, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, and call history.

The exact distribution method is unclear, but watering hole attacks are suspected. The operators are believed to be based in China, as the location plugin uses the GCJ-02 coordinate system exclusive to Chinese map services. ThreatFabric notes that the threat actors closely monitor security researcher publications to reuse newly disclosed exploits.
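The GCJ-02 detail behind the attribution is worth seeing in code: the datum is WGS-84 with a deterministic, position-dependent offset applied inside mainland China, so location records an analyst recovers from the implant's database must be shifted back before they can be plotted on a WGS-84 map. The following Python is an added example, not code from the article or from ThreatFabric; it implements the openly published GCJ-02 forward transform plus an iterative inverse, and the Beijing coordinates used for demonstration are a constructed sample.

```python
# Added example, not code from the article or ThreatFabric.  GCJ-02 is WGS-84
# with a deterministic, position-dependent offset applied inside mainland
# China; coordinates recovered from the implant's database need the inverse.
from math import sin, cos, sqrt, pi, radians, hypot

A = 6378245.0                 # Krasovsky 1940 semi-major axis (m)
EE = 0.00669342162296594323   # first eccentricity squared

def _in_china(lat, lon):  # outside this box Chinese map SDKs leave WGS-84 alone
    return 0.8293 <= lat <= 55.8271 and 72.004 <= lon <= 137.8347

def _dlat(x, y):  # published GCJ-02 latitude perturbation polynomial
    r = -100.0 + 2.0 * x + 3.0 * y + 0.2 * y * y + 0.1 * x * y + 0.2 * sqrt(abs(x))
    r += (20.0 * sin(6.0 * x * pi) + 20.0 * sin(2.0 * x * pi)) * 2.0 / 3.0
    r += (20.0 * sin(y * pi) + 40.0 * sin(y / 3.0 * pi)) * 2.0 / 3.0
    r += (160.0 * sin(y / 12.0 * pi) + 320.0 * sin(y * pi / 30.0)) * 2.0 / 3.0
    return r

def _dlon(x, y):  # published GCJ-02 longitude perturbation polynomial
    r = 300.0 + x + 2.0 * y + 0.1 * x * x + 0.1 * x * y + 0.1 * sqrt(abs(x))
    r += (20.0 * sin(6.0 * x * pi) + 20.0 * sin(2.0 * x * pi)) * 2.0 / 3.0
    r += (20.0 * sin(x * pi) + 40.0 * sin(x / 3.0 * pi)) * 2.0 / 3.0
    r += (150.0 * sin(x / 12.0 * pi) + 300.0 * sin(x / 30.0 * pi)) * 2.0 / 3.0
    return r

def wgs84_to_gcj02(lat, lon):
    """Forward transform: what a Chinese map SDK applies before display."""
    if not _in_china(lat, lon):
        return lat, lon
    dlat, dlon = _dlat(lon - 105.0, lat - 35.0), _dlon(lon - 105.0, lat - 35.0)
    radlat = radians(lat)
    magic = 1.0 - EE * sin(radlat) ** 2
    dlat = (dlat * 180.0) / ((A * (1.0 - EE)) / (magic * sqrt(magic)) * pi)
    dlon = (dlon * 180.0) / (A / sqrt(magic) * cos(radlat) * pi)
    return lat + dlat, lon + dlon

def gcj02_to_wgs84(lat, lon, iterations=10):
    """Inverse by fixed-point iteration; the offset is smooth, so it converges."""
    wlat, wlon = lat, lon
    for _ in range(iterations):
        glat, glon = wgs84_to_gcj02(wlat, wlon)
        wlat, wlon = wlat - (glat - lat), wlon - (glon - lon)
    return wlat, wlon

def offset_metres(lat, lon):
    """How far GCJ-02 moves a WGS-84 point (equirectangular approximation)."""
    glat, glon = wgs84_to_gcj02(lat, lon)
    return hypot((glon - lon) * 111_320.0 * cos(radians(lat)), (glat - lat) * 111_320.0)
```

For a point in Beijing the shift is several hundred metres, which is why a GCJ-02 fix dropped onto a WGS-84 map lands visibly in the wrong street; points outside the bounding box pass through unchanged.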

“The LightSpy iOS case highlights the importance of keeping systems up to date,” the company said. “The threat actors behind LightSpy closely monitor publications from security researchers, reusing newly disclosed exploits to deliver payloads and escalate privileges on affected devices.”