Mobile phones, 30.10.2024, 11:30 AM
ThreatFabric has discovered a new version of the LightSpy spyware that targets iOS devices. The new version of the malware (7.9.0) is more sophisticated and customizable, with 28 plugins, up from 12 in the previous version.
In May this year, ThreatFabric published a report on the macOS version of LightSpy. The company’s analysts then discovered that the same server was being used to manage both the macOS and iOS versions of the LightSpy malware.
ThreatFabric has now published a detailed analysis of the new version of the spyware targeting iOS, highlighting significant updates over the version from 2020.
Seven new plugins in the new version of the malware are designed to interfere with device functionality, including freezing the device and preventing reboots.
The spyware infects the device by exploiting known vulnerabilities in Safari and escalates privileges using jailbreaking techniques, which gives it access to the device’s basic functions and data.
ThreatFabric analysts discovered five active Command and Control (C2) servers linked to the iOS version of LightSpy.
One of the servers hosts an admin panel, which may mean that this infrastructure is also used for demonstration purposes, to show the capabilities of the LightSpy malware to potential customers.
Analysis of C2 logs showed 15 infected devices, eight of which were iOS. Most of these devices originate from China or Hong Kong. They often connect via the Haso_618_5G Wi-Fi network, which researchers suspect is a test network.
ThreatFabric’s investigation also revealed that LightSpy contains a unique plugin to calculate location data for Chinese systems, suggesting that the spyware’s developers may be based in China.
ThreatFabric recommends that iOS users reboot their devices regularly, as LightSpy cannot survive device reboots. This is a simple but effective way to deal with an infection by this spyware.
Source: www.informacija.rs