Emerging Threats

LightSpy malware is back, and it’s spying on iPhone users

Ray Fernandez

Apr 18, 20246 min read

LightSpy malware is back, and it's spying on iPhone users: Header image

LightSpy, a sophisticated piece of iOS malware first discovered in 2020, is making a big comeback, targeting iPhone users in Asia as geopolitical tensions in the region increase. 

International media broke the news that Apple contacted millions of iPhone users in 92 countries to warn them about being the target of “mercenary attacks.” Meanwhile, media from Asia and India report that Pegasus-style spyware infections have already breached iPhone devices in the region. 

According to Blackberry, these users in Asia could be victims of the new LightSpy, an updated espionage malware campaign targeting iOS. Experts worry that the spyware could go global.

LightSpy returns with sophisticated spyware features

On April 11, Blackberry reported their findings on the new LightSpy. The company explained that LightSpy is a sophisticated iOS implant that can steal data, listen to and record audio, and even use the iPhone camera to take pictures.  

This spyware is a fully-featured modular surveillance toolset. Blackberry added that criminals coded it to obtain hyper-specific locations.

Stolen hyper-specific location data is extremely dangerous to the victim of a hack. With it, threat actors are able to locate their target with “near-perfect accuracy” at all times.

What can LightSpy do?

LightSpy’s capabilities go beyond determining the exact location of a victim. On April 12, one day after Blackberry made public its investigation on LightSpy, Moonlock Lab posted its analysis of LightSpy on X (formerly Twitter).

Moonlock determined, by analyzing plugins, that LightSpy “facilitates the execution of shell commands.” This means that attackers can gain full control over breached devices. 

LigthSpy can:

  • Steal files from popular apps like Telegram, QQ, and WeChat 
  • Target and steal personal documents and media
  • Record everything a user says with an audio recorder 
  • Go after browser data, browser history, Wi-Fi connection lists, and installed applications 
  • Access the iPhone camera and take pictures 
  • Retrieve user Keychain data and device lists and execute shell commands for potential full device control
  • Use certificate pinning to prevent detection and interception of communication with its command-and-control (C2) server (and avoid detection if traffic is being analyzed) 
  • Collect information about Wi-Fi networks the device has connected to
  • Gather details about installed applications on the device
  • Access credentials
  • Identify and list devices connected to the compromised system

Who is behind LightSpy? A China-linked espionage campaign 

As with the previous versions of LightSpy, the new enhanced spyware is linked to China. Blackberry said that the China link of LightSpy is exposed when analyzing code comments and error messages. This suggests that the attackers behind LightSpy are native Chinese speakers.

Blackberry added that the China-LightSpy link is raising concerns about potential state-sponsored activity in the region. 

As the power struggle in the region of Southern Asia and India continues, China faces conflicts on numerous fronts as it attempts to establish its agenda and leadership in the region.  

China and India — both nuclear powers — have unresolved territorial claims along their long Himalayan border. Additionally, India poses a leadership challenge to China, seeking to increase its influence among South Asia countries with military exercises and actions. 

Furthermore, China claims a large swathe of the South China Sea. Driven by South China Sea disputes, the country is pressuring countries in the region, including Taiwan, Japan, Vietnam, the Philippines, Malaysia, Brunei, and Indonesia. 

China’s increasing militarization and military presence in the South China Sea also poses concerns that are shared by countries around the world, including the United States, Europe, and the United Kingdom.

Blackberry described the worrying connection between LightSpy and ongoing conflicts in the region. 

“The re-emergence of LightSpy highlights the ongoing threat of sophisticated mobile spyware used for espionage purposes. The targeting of individuals in Southern Asia, coupled with the suspected Chinese origin of the attackers, raises concerns about the potential motives and geopolitical implications of this campaign.”

Spyware designed to target a small group of individuals 

As mentioned, LightSpy can access contacts, SMS messages, phone call history, GPS location, connected Wi-Fi history, and the browser history of Safari and Chrome. The spyware also leverages advanced techniques. 

To prevent detection and interception of communication with its command-and-control (C2) server, LightSpy uses certificate pinning. Certificate pinning is a security technique used to verify the identity of a server in encrypted connections, particularly those using Hypertext Transfer Protocol Secure (HTTPS). 

Blackberry explains that with certificate pinning, if the victim is on a network where traffic is being analyzed, no connection to the C2 server will be established.

LightSpy is also coded to target a small but highly influential percentage of users. These targets include politicians, government workers, journalists, activists, and diplomats. 

LightSpy: Vector of attack and installation

Victims being infected by LightSpy are likely accessing hijacked news websites that report on Hong Kong. Once the malware is downloaded and breaches an iPhone, the encrypted and subsequently decrypted LightSpy kernel is installed in the machine.

LightSpy is the main spyware frame. It can be retrofitted with numerous plugins powering different spyware features. These plugins are also loaded when the iPhone is breached. 

What Apple says: Mercenary spyware warning  

The recent security warning issued by Apple in 92 countries, including India and Asia, alerted iPhone users that they were being targeted by mercenary spyware attacks. 

Apple says these attacks are more sophisticated than normal cybercriminal activity. They are designed specifically to target a small number of people. 

“Mercenary spyware attacks cost millions of dollars and often have a short shelf life, making them much harder to detect and prevent,” Apple explained. 

Apple added that mercenary spyware targeting journalists, activists, politicians, and diplomats is ongoing and global. The company has sent threat notifications multiple times a year since 2021, alerting users in more than 150 countries. 

What to do if you received an Apple warning or think LightSpy breached your iPhone

When Apple detects activity consistent with a mercenary spyware attack, they notify users directly. By signing into their Apple ID at appleid.apple.com, users can see if they are being targeted by spyware. 

Image of an Apple Threat Notification message.
Once signed in to appleid.apple.com, a Threat Notification message is shown in red at the top of the page. Image: Screenshot. Apple ID is a trademark of Apple Inc.

This malware requires victims to click on suspicious links, open attachments, and install the malware. Therefore, it’s critical that all iPhone users apply cybersecurity and privacy best practices.   

Apple warns its users of attacks via email and iMessage notifications. Users will never be asked to click on a link, download a file, or share personal data.

Apple suggests that users take immediate steps to protect their devices if they receive a Threat Notification. This means enabling Lockdown Mode — an extreme security protection feature offered by Apple. Lockdown Mode minimizes the digital attack surface and protects assets and data. 

“We strongly suggest that you enlist expert help, such as the rapid-response emergency security assistance provided by the Digital Security Helpline at the non-profit Access Now,” Apple said. The Digital Security Helpline works 24 hours a day, 7 days a week online. Their team can assist users in securing their iPhones. 

Additionally, it is suggested that potential targets update their iOS and apps. Users should use a passcode and biometrics to add layers of security, use 2-factor authentication, and use a strong password for Apple ID. Additionally, users should only install apps through the App Store. 

Conclusion

The re-emergence of LightSpy is not an isolated incident. As geopolitical tensions around the world driven by conflicts continue to heat up, incidents and conflicts are spilling over into the digital world. As Blackberry reported, LightSpy “signals an escalation in mobile espionage threats” under this global landscape. 

The new LightSpy spyware has also been enhanced. It can now evade detection while stealing data, recording audio, and taking full control over breached iPhones. For the political arena of Southern Asia, this represents a grave danger. 

Designed to go after very specific individuals involved in political activism and sensitive activities, this spyware seems to align with China’s political agenda in the region.

Experts worry that LightSpy could be updated again to become even more powerful. Eventually, it could move beyond the regional Asian borders and be put into play elsewhere, targeting iPhone users in other parts of the world. 

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. iPhone, iOS, and Apple ID are trademarks of Apple Inc.

Ray Fernandez Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.