LightSpy spyware targets iPhone users in Hong Kong

During a cyberattack in Hong Kong, LightSpy spyware infected the iPhones of people visiting counterfeit news sites.

In January of this year, experts detected a large-scale watering-hole attack aimed at residents of Hong Kong, in which the multifunctional malware LightSpy for iOS was installed on victims’ smartphones. This is yet another reminder to anyone who thinks that Apple devices, in particular iPhones, are immune to malware; they are protected, of course, but by no means totally.

How LightSpy infects iOS devices

The malware landed on victims’ smartphones when they visited one of several websites disguised as local news resources — the attackers simply copied the code of real news outlets and created their own clones.

The sites loaded a whole bunch of exploits onto victims’ smartphones, resulting in the installation of LightSpy. Links to the fake sites were distributed through forums popular with Hong Kongers. All it took for the iPhone to get infected was one visit to a malicious page. There was no need even to tap anything.

What is LightSpy?

LightSpy malware is a modular backdoor that lets an attacker remotely execute commands on the infected device and generally run amok on the victim’s phone.

For example, the attacker can determine the smartphone’s location, get its contact list and call history, see which Wi-Fi networks the victim has connected to, scan the local network, and upload data about all detected IP addresses to its command-and-control (C&C) server. In addition, the backdoor has modules for stealing information from Keychain (iOS’s password and encryption key storage), as well as data from the WeChat, QQ, and Telegram messaging apps.

What’s interesting is that the attackers used no zero-day vulnerabilities, but so-called first-day vulnerabilities — that is, newly discovered holes for which patches have been released but included only in the latest system updates. Therefore, those iOS users who updated their devices in a timely manner could not get infected — but, of course, lots of people didn’t install the updates. The attack threatened owners of smartphones running iOS 12.1 and 12.2 (the problem affects models from iPhone 6s to iPhone X).

How to guard against LightSpy

It’s still unclear whether LightSpy will spread beyond China, but such toolkits have a habit of reaching a wider audience, so don’t assume that the problem will pass you by. Take the following precautions for greater security:

  • Install the latest version of the operating system. If you are reluctant to do so because of issues with iOS 13, never fear: In the current version (13.4), Wi-Fi bugs and other irritants have been fixed.
  • Be very careful when following links, especially links sent by strangers. Even if they appear at first glance to point to a known website, checking the address carefully does no harm.