A watering hole attack was discovered by Kaspersky security researchers on January 10, 2020. It used a remotely delivered iOS exploit chain to deploy the LightSpy malware. The attack was aimed at residents of Hong Kong, with the malware being installed on their smartphones. Kaspersky warned users against assuming that their iPhones are immune to malware.
How LightSpy finds its way onto iOS devices
The malware infected victims' smartphones when they visited websites masquerading as local news sources. The attackers copied the code of real news outlets and built look-alike clones of them.
The cloned sites existed purely to serve the exploit chain to any smartphone that rendered them, which resulted in the installation of LightSpy. Links to these fake websites were distributed on popular Hong Kong forums. A simple visit to one of the malicious pages was enough to get a vulnerable smartphone infected; there was no need to interact with any element of the website (a drive-by infection).
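A watering hole page of this kind is normally an ordinary-looking copy of a legitimate site with the exploit loader tucked into an invisible frame. The following script is an added example (not Kaspersky's tooling, nor anything from the original article) that triages a saved HTML page for iframes hidden by CSS or sized to nothing, and notes when such a frame points to a different site than the page itself. The sample page, the hostnames in it and the page URL are all constructed for the example.

```python
"""Flag hidden or zero-size <iframe>s in a saved HTML page.

Added example for triaging a suspected watering-hole clone; not the
researchers' tooling. SAMPLE_PAGE and all hostnames are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import re

# Constructed sample: a cloned news page with an injected, invisible iframe,
# a zero-size same-site frame, and an ordinary visible video embed.
SAMPLE_PAGE = """<html><body>
<h1>Local News</h1>
<p>Story text copied from the real outlet...</p>
<iframe src="https://cdn.example-attacker.test/p.html" style="display:none; border:0"></iframe>
<iframe src="/embed/ticker.html" width="0" height="0"></iframe>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
</body></html>"""


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, in document order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _registrable(host):
    """Crude 'site' key: the last two DNS labels. Good enough for triage;
    a production tool would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _tiny(value):
    """True for width/height values of 0 or 1 (e.g. '0', '0px', '1')."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def find_suspicious_iframes(html, page_url):
    """Return [{'src': ..., 'reasons': [...]}] for each iframe that is hidden
    by inline CSS or sized to (almost) nothing. 'off-site' is appended when
    the frame's source lives on a different site than the page."""
    parser = _IframeCollector()
    parser.feed(html)
    page_site = _registrable(urlparse(page_url).hostname or "")
    findings = []
    for attrs in parser.iframes:
        reasons = []
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-style")
        if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
            reasons.append("zero-size")
        if not reasons:
            continue  # visible frames are ordinary embeds; not reported
        src = urljoin(page_url, attrs.get("src", ""))
        host = urlparse(src).hostname or ""
        if host and _registrable(host) != page_site:
            reasons.append("off-site")
        findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, "https://news-clone.example/"):
        print(finding["src"], finding["reasons"])
```

Only inline styles and explicit width/height attributes are inspected; a frame hidden through an external stylesheet or positioned off-screen by script would not be caught, so treat a clean result as "nothing obvious" rather than "clean".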
The LightSpy malware's inner workings exposed
LightSpy is a modular backdoor, allowing the attackers to execute commands on an infected device remotely. For example, the attackers can extract the smartphone's location, its contact list, call history, and more. They can also see which Wi-Fi networks the victim has connected to, scan the local network for hosts and their IP addresses, and upload the collected data to their remote command-and-control (C&C) servers. The backdoor can also steal information from the Keychain (the iOS store for passwords and encryption keys), and it can pull data from the WeChat, Telegram, and QQ messaging apps.
What the researchers found interesting was that the attackers did not use zero-day vulnerabilities but 1-day vulnerabilities: holes for which Apple had already released patches, but only in recent system updates. iOS users who had updated their devices promptly were immune to this attack. Naturally, many users had not updated quickly enough, so the attack threatened users running iOS 12.1 and 12.2, affecting the iPhone 6 to iPhone X.
How users can protect themselves against LightSpy
At this time, it is unclear whether LightSpy will be aimed at users outside Hong Kong or at Chinese speakers in general. The possibility of the threat transcending its origins and reaching a broader range of users is always there, so users are advised to take measures to secure their devices against intrusion. The following steps help a great deal in this specific case:
- Install the latest OS version, even if you have second thoughts because of issues with iOS 13. Patching security holes is necessary to keep devices safer from threats like LightSpy, and an exploit chain built on already-patched bugs is stopped by an update alone.
- Be very careful when opening links, especially ones sent by strangers on social media or in messenger apps. Even when a link appears genuine or claims to point to a known website, check the actual address, and where possible type the known address yourself rather than follow the link.
- Use only reputable app download sources, as unofficial stores may carry malware-infected apps. Note that this does not address the LightSpy delivery described above, which needed no app install at all; only patching does.
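"Check the address" is easier said than done, because the tricks used to make a link look like a known site are mechanical: a trusted name used as a subdomain of someone else's domain, a hyphenated or non-ASCII look-alike, a `user@host` authority, or a bare IP address. The function below is an added example (not from the article or from Kaspersky) that inspects a URL for those patterns against a small allow-list of trusted sites. The allow-list and every test URL are constructed for the example; the "registrable domain" heuristic is the last two labels of the host, which is an approximation of what a real tool would get from the public suffix list.

```python
"""Inspect a URL for common link-spoofing patterns before following it.

Added example for the advice above; TRUSTED_SITES and all sample URLs are
constructed. Returns a list of warning tags; an empty list means nothing
obviously wrong was found (not that the link is safe).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allow-list of sites the user actually means to visit.
TRUSTED_SITES = {"localnews.example", "hkforum.example"}


def _registrable(host):
    """Last two DNS labels, as a crude stand-in for the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _squash(name):
    """Normalise a brand or host for look-alike comparison: lowercase,
    hyphens and dots removed, so 'local-news' and 'localnews' compare equal."""
    return re.sub(r"[-.]", "", name.lower())


def inspect_url(url, trusted_sites=TRUSTED_SITES):
    """Return warning tags for a URL string, in the order they are detected."""
    warnings = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    if "@" in parts.netloc:
        # https://localnews.example@203.0.113.5/ goes to 203.0.113.5,
        # not to localnews.example.
        warnings.append("userinfo-in-authority")
    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("no-host")
        return warnings
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal")
    except ValueError:
        pass
    if any(ord(c) > 127 for c in host):
        warnings.append("non-ascii-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-label")
    if _registrable(host) in trusted_sites:
        return warnings  # genuinely on a trusted site; look-alike checks do not apply
    squashed_host = _squash(host)
    for trusted in sorted(trusted_sites):
        brand = _squash(trusted.split(".")[0])
        if brand and brand in squashed_host:
            # The trusted name appears inside a host we do not trust,
            # e.g. localnews.example.attacker.test or local-news.example.
            warnings.append("lookalike-of:" + trusted)
    return warnings


if __name__ == "__main__":
    for sample in (
        "https://localnews.example/story/123",
        "https://localnews.example.attacker.test/story/123",
        "https://localnews.example@203.0.113.5/p.html",
        "https://local-news.example/",
    ):
        print(sample, inspect_url(sample))
```

The look-alike check is deliberately substring-based and will miss homoglyph spellings that do not contain the brand verbatim (a Cyrillic "о" in place of a Latin "o", for instance), which is why the non-ASCII and punycode checks sit beside it; run all of them and treat any warning as a reason to type the address yourself.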