lightSpy
Description
(Trend Micro) The iOS malware, which we named ‘lightSpy’ (detected by Trend Micro as IOS_LightSpy.A), is a modular backdoor that allowed the attacker to remotely execute a shell command and manipulate files on the infected device. It also implements, through different modules, several functionalities for exfiltrating data from the infected device, including:
• Hardware information
• Contacts
• Keychain
• SMS messages
• Phone call history
• GPS location
• Connected Wi-Fi history
• Browser history of Safari and Chrome
The malware also reports the surrounding environment of the device by:
• Scanning local network IP addresses
• Scanning available Wi-Fi networks
The campaign also employs modules specifically designed to exfiltrate data from popular messenger applications such as QQ, WeChat, and Telegram.
Names
Name |
---|
lightSpy |
Category
Malware
Type
- Reconnaissance
- Backdoor
- Info stealer
- Exfiltration
Information
- https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf
- https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/
- https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/
- https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india
- https://www.threatfabric.com/blogs/lightspy-implant-for-macos
- https://www.threatfabric.com/blogs/lightspy-implant-for-ios
- https://www.lookout.com/threat-intelligence/article/wyrmspy-dragonegg-surveillanceware-apt41
- https://blogs.blackberry.com/en/2024/11/lightspy-apt41-deploys-advanced-deepdata-framework-in-targeted-southern-asia-espionage-campaign
- https://hunt.io/blog/lightspy-malware-targets-facebook-instagram
Mitre Attack
Malpedia
Other Information
Uuid
4c9d4f77-ee82-4452-b187-84072275951e
Last Card Change
2025-06-28