Sophisticated LightSpy malware, specifically designed for iOS devices, has resurfaced and is targeting countries in Southern Asia, especially India. With its advanced capabilities and suspected origins linked to Chinese developers, the renewed presence of LightSpy raises alarms about potential geopolitical motives and state-sponsored espionage.
The malware was first detected in 2020 during a watering hole attack aimed at Apple device users in Hong Kong. LightSpy is designed for comprehensive surveillance.
Its capabilities include extracting sensitive information such as precise location data, recording audio during VoIP calls, tracking Safari and Chrome browser history, and accessing data from popular messaging apps such as QQ, WeChat, and Telegram. Given this capability set, the malware is typically deployed against specific, high-profile individuals such as journalists, diplomats, politicians, army officers, and activists.
“Though typically deployed against a very small percentage of individuals – most usually journalists, activists, politicians and diplomats – hyper-focused spyware attacks are an ongoing and global threat. In recent months, many technology firms have cautioned about the risk of state-sponsored efforts to sway certain electoral outcomes,” said cybersecurity researchers at BlackBerry.
LightSpy has reappeared after a period of dormancy, concentrating its efforts on individuals in Southern Asia, notably India. This renewed activity suggests a strategic shift toward political targets and regional tensions. The resurgence of this sophisticated malware coincides with Apple’s warning notification to users in 92 countries regarding a ‘mercenary spyware attack.’
The latest LightSpy version, F_Warehouse, features a modular framework with extensive spying capabilities. These include stealing files from various apps, recording audio covertly, harvesting browser history and WiFi connections, executing shell commands, and potentially gaining full control of targeted devices. These advancements significantly enhance LightSpy’s espionage capabilities.
LightSpy infiltrates devices through compromised news websites and follows a multi-stage execution process: an initial implant is placed on the device, which then downloads additional stages, including the core LightSpy components and its plugins, and finally establishes communication with the command-and-control server.
Evidence such as code comments and error messages indicates that the developers behind LightSpy are likely native Chinese speakers. However, pinpointing specific actors is quite challenging for researchers.
To protect their devices, users have been advised to activate Lockdown Mode on Apple devices, use secure communication platforms, keep their phones updated, use strong passwords, avoid clicking on random links on the internet, enable two-factor authentication, and regularly restart the device to flush out bugs and malware.
A few days ago, an espionage campaign, eXotic Visit, was targeting Android users in India and Pakistan. Also, a recent report by Microsoft warned India, the United States and South Korea of a possible Chinese intervention in elections.
In March, a malicious operation dubbed FlightNight hit Indian defence, IT and energy sectors. Last year, it was reported that Pakistani hackers were using a Rust-based payload to target Indian users.