SecureMac, Inc.

LightSpy: APT malware for iOS

March 30, 2020

Security researchers have discovered a new form of iOS malware that they’ve dubbed LightSpy. In this short article, we’ll tell you what you need to know about this iOS threat, and how you can keep yourself safe.

What is LightSpy malware?

LightSpy is mobile malware. There are versions for both iOS as well as Android, but since iOS malware is comparatively rare — and therefore particularly noteworthy — we’ll be focusing on the iOS threat in what follows.

The malware functions as an iOS backdoor, allowing whoever controls it to execute code on the compromised device and exfiltrate sensitive data. Researchers say that LightSpy is capable of obtaining an infected iPhone’s location data, call history, contacts, and information on WiFi network activity. In addition, it is designed to steal Keychain data and capture chat application data from popular apps like Telegram, WeChat, and QQ.

Who is at risk

LightSpy infects its targets by making use of older vulnerabilities, specifically vulnerabilities found in iOS 12.1 and iOS 12.2. The delivery vector appears to be a limited number of malicious websites, the nature of which indicates that a specific group of users is being targeted. In security terms, this is known as a “watering hole attack”, a reference to predators in the wild staking out a watering hole that their prey will eventually visit. 

In this case, the target appears to be people living in and around Hong Kong, since the malicious websites are based on news sites and forums popular with Hongkongers. Anyone visiting an infected site while using an iPhone running on iOS 12.1 or iOS 12.2 is potentially at risk.

Who are the hackers?

It’s still unclear who’s behind the attack, though signs point to an Advanced Persistent Threat (APT) group. APTs are sophisticated, well-organized, and well-resourced hacking operations, and are often linked to nation states. This may suggest a connection between the LightSpy attacks and the recent political turmoil in Hong Kong, though at this point that’s only conjecture.

Researchers at Kaspersky have begun referring to the unidentified APT as TwoSail Junk, presumably a reference to the iconic Chinese sailing ships called “junks” that once plied the waters of Southeast Asia — and a nod to the possible origin of LightSpy, as the researchers suspect a link to the Chinese-speaking APT group Thrip.

How to stay safe

As mentioned above, LightSpy appears to be part of a targeted operation. But even people outside of the Hong Kong area should take it seriously. LightSpy is clearly a powerful and well-designed threat, and while its creators may have had a limited use case in mind, there is little to stop a capable actor from reverse engineering and repurposing the malware for their own ends — a phenomenon which malware researchers have observed in the past.

The good news is that LightSpy only works on older versions of iOS, which means that protecting yourself is as simple as upgrading to the latest version of iOS (at the time of writing, this would be the recently released iOS 13.4).
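For anyone managing a fleet of devices, the same advice can be turned into an inventory check. The following is an added example, not code from SecureMac or from the researchers who analysed LightSpy; the MDM export format, column names and device rows are constructed for illustration, and the version numbers are the ones the article gives (iOS 12.1 and 12.2 affected, iOS 13.4 current).

```python
"""Flag iOS devices still exposed to LightSpy, judged from an MDM inventory export."""
import csv
import io

# Versions the article names as exploited by LightSpy, and the current release it recommends.
AFFECTED_MINOR = {(12, 1), (12, 2)}
PATCHED_VERSION = (13, 4)

# Constructed sample export (not real data): device id, platform, OS version string.
SAMPLE_INVENTORY = """device_id,platform,os_version
ipad-001,iOS,12.1.4
iphone-002,iOS,12.2
iphone-003,iOS,13.4
iphone-004,iOS,13.3.1
pixel-005,Android,10
iphone-006,iOS,12.10
"""


def parse_version(text):
    """Turn '12.1.4' into (12, 1, 4) so comparisons are numeric, not lexical.

    A string compare would rank '12.10' below '12.2'; tuples of ints do not.
    """
    return tuple(int(part) for part in text.strip().split("."))


def classify(os_version):
    """Return 'affected', 'outdated' or 'current' for one iOS version string."""
    version = parse_version(os_version)
    if version[:2] in AFFECTED_MINOR:
        return "affected"   # iOS 12.1.x / 12.2.x: the versions the article names
    if version < PATCHED_VERSION:
        return "outdated"   # older than 13.4: not named, but still behind current
    return "current"


def audit(csv_text):
    """Return {device_id: status} for every iOS device in the export; Android rows are skipped."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["platform"] != "iOS":
            continue
        result[row["device_id"]] = classify(row["os_version"])
    return result


if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```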

The other precaution that you can take to guard against LightSpy — and similar threats — is to follow basic safe browsing practices whenever you’re online. Don’t automatically trust a website, even if it looks legitimate at first glance, and be careful about what links you click on. Above all, just be aware that even iOS devices, as secure as they generally are, can still be attacked. This kind of reality check, along with a bit of healthy skepticism about the sites you visit, can go a long way to keeping you safe.