Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users

Cybersecurity researchers have discovered a resurfaced cyber espionage campaign targeting users in South Asia to deliver an Apple iOS spyware implant called LightSpy. LightSpy is a sophisticated iOS implant first reported in 2020 by Trend Micro in connection with a watering-hole attack that distributed it through "poisoned" news sites to Apple device users in Hong Kong amid escalating political tensions there. It is a fully featured modular surveillance toolset that primarily focuses on exfiltrating victims' private information, including precise location data and audio recorded during voice over IP (VoIP) calls. LightSpy has since expanded its capabilities to include file theft from popular messaging apps, covert recording of audio from the device, harvesting of device camera data, browser history and Wi-Fi connection details, and the execution of arbitrary shell commands. Based on evidence such as code comments and error messages, the attackers are strongly suspected to be native Chinese speakers. A further indication of Chinese origin is a Chinese-language warning message displayed when incorrect login credentials are entered into LightSpy's operator panel. Although mobile spyware of this kind is highly targeted, typically deployed against journalists, activists, politicians, and diplomats, it can still have global implications.

Although the initial intrusion vector is presently unknown, based on the previous LightSpy campaign it is suspected to be compromised news websites known to be visited by the targets. The campaign is a multi-stage attack that begins by gathering device information and then downloads further stages to continue the attack chain. A loader retrieves plugins that extend the main implant's functionality, and the operators show a particular interest in secure messaging platforms and documents containing sensitive information. In addition to its reconnaissance capabilities, LightSpy can use one of its plugins to execute shell commands and take full control of a victim's device, making it even more dangerous.

Security Officer Comments:
LightSpy is particularly dangerous to victims, with a range of consequences, the most serious being that a threat actor can pinpoint a target's physical location with high accuracy. One of LightSpy's capabilities is a plugin that harvests data from WeChat, a platform that is most popular in China, Malaysia, India, Russia, Japan, South Korea, the US, and Indonesia. The fact that most of the observed victims are in South Asian countries underscores that this campaign is narrowly targeted at that region. The malware's revival, the targeted nature of the campaign, and the attackers' suspected Chinese origin together suggest a geopolitical motivation. This adds weight to the cautionary warnings many technology firms have published in recent months about the looming danger of state-sponsored efforts to manipulate electoral outcomes.

Suggested Corrections:
The BlackBerry Threat Research and Intelligence Team recommends:

  • Exercise heightened vigilance: Individuals and organizations in South Asia, especially those involved in sensitive activities or political activism, should be particularly cautious about potentially being targeted by LightSpy.
  • Use Lockdown Mode: Apple recommends that individuals who may be targeted by this type of spyware enable Lockdown Mode to reduce their attack surface. When Lockdown Mode is enabled, certain apps, websites, and features are strictly limited for security, and some experiences may not be available at all.
  • Use highly secure voice and messaging solutions: BlackBerry customers can use SecuSUITE® to encrypt the conversations of their technology and cyber leaders wherever they communicate, whether in the workplace, at home, or traveling abroad. Users can also use WhatsApp or Telegram for secure messaging (note that Telegram's default cloud chats are not end-to-end encrypted; only its Secret Chats are).
  • Review the latest threat intelligence: Stay informed about the latest threats and vulnerabilities via reports offered by reliable security researchers and organizations.
  • Create an incident response plan: Develop a comprehensive incident response plan to effectively address potential cyberattacks.

In addition to these recommendations, individuals should follow security best practices for mobile devices:

  • Update your devices: Ensure you install the latest software, because that will include the latest security fixes.
  • Use a passcode: Protect devices by setting a passcode that will prevent unauthorized physical usage.
  • Enable 2FA: Use two-factor authentication and a strong password for your Apple ID.
  • Beware of unofficial software: Install apps from the App Store only; don’t be tempted by “free” software offered elsewhere on the web.
  • Password hygiene: Use strong and unique passwords online, and don’t reuse the same password across multiple sites. Better yet, we strongly encourage the use of passwordless (e.g. FIDO2) authentication whenever possible.
  • Think before you click: Don't click on links or attachments from unknown senders. Remember, this applies just as much on your mobile device as it does on your personal computer.
  • Restart your phone often: Some mobile malware does not survive a reboot, so restarting your device regularly can remove or disable it.

The BlackBerry Threat Research and Intelligence Team has published the relevant IOCs in its report.

BlackBerry Threat Research and Intelligence Team's LightSpy Report