A newer version of the LightSpy spyware, known for targeting iOS devices, has been expanded to include capabilities for compromising device security and stability.
ThreatFabric, which discovered the malware, initially published a report on LightSpy for macOS in May 2024. During that investigation, the analysts found that the same server was being used to manage both the macOS and iOS versions of LightSpy.
This discovery allowed ThreatFabric to conduct a new, detailed analysis of the iOS version of the spyware, published today, which found notable updates compared to the 2020 version.
This latest version, identified as 7.9.0, is more sophisticated and adaptable, featuring 28 plugins compared to the 12 observed in the earlier version. Seven of these plugins are specifically designed to interfere with device functionality, including freezing the device and preventing it from rebooting.
The spyware gains initial access by exploiting known vulnerabilities in Safari and escalates privileges using jailbreak techniques, enabling it to access core device functions and data.
Key Findings in Spyware Infrastructure
To support these malicious activities, ThreatFabric’s analysts identified five active command-and-control (C2) servers linked to the iOS version of LightSpy. Using open-source intelligence methods, they traced the self-signed certificates shared across these servers, each of which was set up to manage infected devices and store exfiltrated data.
Notably, one of the servers appeared to host an administrator panel, hinting that this infrastructure may be used for demonstration purposes as well, potentially showcasing LightSpy’s capabilities to outside parties.
Specific Targets and Regional Indicators
Analysis of the C2 logs showed 15 infected devices, eight of which ran iOS. Most of these devices appeared to originate from China or Hong Kong, often connecting through a Wi-Fi network labeled Haso_618_5G, which the researchers suspect is a test network.
ThreatFabric’s investigation also found that LightSpy contains a unique plugin for recalculating location data specifically for Chinese systems, suggesting that the spyware’s developers may be based in China.
Mitigation Recommendations
LightSpy relies on “1-day exploits”: its operators take advantage of vulnerabilities soon after they are publicly disclosed.
ThreatFabric recommends that iOS users reboot their devices regularly: because LightSpy relies on a “rootless jailbreak,” the infection does not survive a reboot, giving users a simple but effective way to disrupt it.