The LightSpy malware is a threat that targets iOS devices. Threats designed specifically for iOS are not very common, as they are difficult to build, which suggests that the creators of LightSpy are highly skilled and experienced. LightSpy targets iOS versions 12.01 to 12.2, and cybersecurity experts believe it may also be compatible with an older release, iOS 11.03.
Likely Originates from China
After studying the LightSpy threat, malware analysts concluded that it likely originates from China. However, researchers have not yet been able to attribute it to a specific APT (Advanced Persistent Threat). Some analysts believe LightSpy may be the work of the Lotus Blossom hacking group, also known under the alias Spring Dragon.
Security experts believe a Chinese APT may be behind LightSpy because of its targeted demographic: Hong Kong protesters exclusively. Targeting such a narrow group suggests the attack is politically motivated. To compromise the devices of the targeted Hong Kong protesters, the attackers use several techniques:
- Phishing email campaigns.
- Direct messages via social media networks.
- Direct messages via email.
- Fake posts on Instagram.
- Fake posts on the Telegram messaging service.
- Fake posts on various online forums.
The exploit kit and the payload of the LightSpy threat appear to be hosted on attacker-controlled domains such as 'news2.hkrevolution.club,' 'facebooktoday.cc,' 'googlephoto.vip,' 'Appledaily.googlephoto.vip,' and others. The 'Appledaily.googlephoto.vip' page is designed to imitate the official site of Apple Daily, a newspaper that is rather popular in Hong Kong.
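The domains above are the most directly actionable detail in this description, since a resolver or proxy log that shows a device looking them up is a strong sign of exposure to the delivery infrastructure. The following script is an added example, not code from the original article or from any LightSpy analysis; it matches DNS query logs against the domains the article names. The log line format ('<timestamp> <client-ip> query <rrtype> <qname>') and the sample lines are constructed for this example and do not correspond to any real resolver. It handles two details that naive substring matching gets wrong: trailing dots and mixed case on FQDNs, and the label boundary, so that a look-alike such as 'notgooglephoto.vip' is not flagged while any subdomain of a listed domain is.

```python
"""Match DNS query logs against the LightSpy hosting domains named in the article.

The domain list comes from the article; the log format and the sample lines
are constructed for this example and do not correspond to any real resolver.
"""
from typing import Dict, List, Optional

# Domains the article names as hosting the LightSpy exploit kit and payload.
LIGHTSPY_DOMAINS = [
    "news2.hkrevolution.club",
    "facebooktoday.cc",
    "googlephoto.vip",
    "appledaily.googlephoto.vip",
]

# Longest first, so a query for a subdomain is attributed to the most specific IoC.
_IOCS_BY_SPECIFICITY = sorted(LIGHTSPY_DOMAINS, key=len, reverse=True)


def normalize_host(name: str) -> str:
    """Lower-case the name and strip the trailing dot many resolvers keep on FQDNs."""
    return name.strip().rstrip(".").lower()


def matches_ioc(hostname: str) -> Optional[str]:
    """Return the IoC domain that hostname equals or sits under, else None.

    The label boundary ("." + ioc) matters: 'notgooglephoto.vip' must not
    match 'googlephoto.vip' even though it ends with the same characters.
    """
    host = normalize_host(hostname)
    for ioc in _IOCS_BY_SPECIFICITY:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan resolver log lines of the (assumed) form
    '<timestamp> <client-ip> query <rrtype> <qname>' and return one hit per
    line whose qname falls under a LightSpy domain. Malformed lines are skipped.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or fields[2] != "query":
            continue
        timestamp, client, _, rrtype, qname = fields
        ioc = matches_ioc(qname)
        if ioc is not None:
            hits.append({
                "timestamp": timestamp,
                "client": client,
                "rrtype": rrtype,
                "qname": normalize_host(qname),
                "ioc": ioc,
            })
    return hits


# Constructed sample log: two clients resolve LightSpy domains, one resolves a
# benign name, one resolves a look-alike that must NOT be flagged, and one
# line is malformed.
SAMPLE_DNS_LOG = """\
2020-03-26T10:14:02Z 10.0.0.17 query A news2.hkrevolution.club.
2020-03-26T10:14:05Z 10.0.0.17 query A www.apple.com.
2020-03-26T10:15:11Z 10.0.0.23 query A cdn.appledaily.googlephoto.vip.
2020-03-26T10:16:40Z 10.0.0.31 query A notgooglephoto.vip.
this line is malformed
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['timestamp']} {hit['client']} -> {hit['qname']} (IoC: {hit['ioc']})")
```

Run against real resolver or proxy exports, the same `matches_ioc` check works on any hostname field; the list is small enough that a linear scan is fine, and sorting by length keeps attribution to the most specific domain deterministic when one IoC is a parent of another, as 'googlephoto.vip' is of 'Appledaily.googlephoto.vip'.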
Upon infecting a targeted device, LightSpy connects to a predetermined C&C (Command & Control) server and waits for commands from its operators. The threat can collect a wide range of data from the compromised device. This iOS malware can:
- Manage text messages.
- Execute remote commands.
- Collect text messages.
- Collect call history.
- Collect contacts list.
- Collect files from the device.
- Upload files on the device.
- Use the device's GPS system to collect location data.
- Obtain a list of the installed software.
- Obtain a list of the running processes.
- Obtain data regarding the WiFi – nearby networks and connection history.
- Obtain data regarding QQ accounts – messages, shared files, contacts list, groups.
- Obtain data regarding WeChat accounts – messages, shared files, contacts list, groups.
The Hong Kong protesters are often targeted by pro-Beijing cybercriminals, and the LightSpy malware is neither the first nor the last threat designed to target this demographic specifically.