LightSpy iOS Spyware Returns with Dangerous New Capabilities
Recent reports describe a troubling advance in LightSpy, iOS spyware that targets iPhones running older, unpatched versions of iOS.
Originally identified in 2020, LightSpy has resurfaced with a much more potent toolset, now incorporating 28 plugins—nearly twice as many as in previous versions.
Seven of these new plugins have destructive functions that can permanently disable affected devices, potentially preventing them from rebooting.
The spyware targets older, unpatched versions of iOS by exploiting known, already-fixed vulnerabilities to gain initial access and escalate privileges. Specifically, LightSpy chains a flaw in Safari's WebKit engine (CVE-2020-9802) for initial code execution with a kernel-level iOS vulnerability (CVE-2020-3837) for privilege escalation.
Together these give the implant an in-memory jailbreak: Apple's sandbox and code-signing controls are bypassed, and the attackers gain full control of the device.
Data Theft and Destruction
Once it infiltrates a device, LightSpy can steal a wide range of sensitive information, making it highly dangerous for victims. The spyware is designed to collect data including Wi-Fi network details, screenshots, location data, contacts, messages, and browsing history.
It can even access media files, audio recordings, and data from popular messaging apps such as WhatsApp, Telegram, and WeChat. This data can then be exfiltrated to external servers controlled by the attackers, who can remotely deploy additional plugins as needed.
In a concerning escalation, LightSpy’s new capabilities allow it not only to steal information but also to destroy it. The spyware can delete contact lists, SMS messages, photos, and system files, effectively sabotaging the device and rendering it unusable.
These destructive capabilities also make it easier for the attackers to erase evidence of the intrusion.
Protecting Your iPhone from LightSpy
While the exact method of distribution remains unknown, cybersecurity experts believe LightSpy spreads through “watering hole” attacks, a technique that lures users to malicious websites that automatically infect their devices.
These infected sites appear to specifically target users in certain regions, particularly in Hong Kong and mainland China. Some indications, such as the spyware’s use of a China-specific location system, hint that Chinese threat actors may be responsible, though no specific group has claimed responsibility.
To defend against this threat, we strongly advise keeping your iOS devices updated, as LightSpy primarily affects devices running iOS 13.5 or earlier; both vulnerabilities it relies on were patched years ago. Regular updates close the holes attackers exploit, so staying on the latest software version is essential. Updating cannot completely eliminate the risk, because a future version could adopt newer exploits, but it significantly reduces the likelihood of a successful attack.
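For anyone responsible for a fleet of iPhones rather than a single device, the practical check is to pull the OS version of every enrolled device and flag anything at or below the cut-off named above. The script below is an added example, not code from the original article or from Certo: it assumes a simple CSV export (a `device` column and an `os_version` column, as most MDM inventories can produce) and uses constructed sample rows. The point it demonstrates is that version strings must be compared numerically, field by field, not as text, otherwise "13.10" sorts below "13.5" and "13.5.1" can be mistaken for "13.5".

```python
"""
Flag iPhones in an inventory whose iOS version is 13.5 or earlier, the range the
article gives for LightSpy's exploit chain (WebKit CVE-2020-9802, kernel CVE-2020-3837).

Added example: the CSV layout, device names and versions below are constructed and
hypothetical; adapt the column names to your MDM's export.
"""
import csv
import io
import re

# Constructed sample inventory (not real devices). Includes the tricky cases:
# a minor update above the cut-off, a two-digit minor version, and a blank field.
SAMPLE_INVENTORY = """device,os_version
ceo-iphone,13.5
legal-ipad,iOS 12.4.9
field-01,13.5.1
field-02,14.0
dev-test,13.10
unknown-01,
"""

MAX_EXPOSED = "13.5"  # "iOS 13.5 or earlier", as stated in the article


def parse_version(text):
    """Turn 'iOS 13.5.1' or '13.5.1' into the tuple (13, 5, 1).

    Returns None for blank or malformed input so callers can route those
    devices to manual review instead of silently treating them as patched.
    """
    cleaned = re.sub(r"^iOS\s*", "", text.strip(), flags=re.IGNORECASE)
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        return None
    return tuple(int(part) for part in cleaned.split("."))


def is_exposed(version, cutoff=MAX_EXPOSED):
    """True if version <= cutoff, False if newer, None if the version is unreadable.

    Tuple comparison is element-wise and numeric, so (13, 10) > (13, 5) and
    (13, 5, 1) > (13, 5), which string comparison would get wrong.
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed <= parse_version(cutoff)


def triage(csv_text, cutoff=MAX_EXPOSED):
    """Split an inventory export into exposed, patched and unknown device lists."""
    result = {"exposed": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = is_exposed(row["os_version"], cutoff)
        if verdict is None:
            result["unknown"].append(row["device"])
        elif verdict:
            result["exposed"].append(row["device"])
        else:
            result["patched"].append(row["device"])
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for bucket, devices in report.items():
        print(f"{bucket:>8}: {', '.join(devices) or '-'}")
```

Devices landing in the `unknown` bucket (blank or malformed version strings) deserve a manual look; an inventory that cannot report a version is itself a finding, not a pass.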
We also recommend rebooting your iPhone regularly as an additional precaution. A reboot will not stop a device from being reinfected, but it interrupts the spyware's ability to keep collecting and exfiltrating data, and it denies a non-persistent implant its foothold until the next compromise. This simple measure can limit the damage from an infection.
Although Apple devices are widely regarded as more secure than other platforms, LightSpy’s resurgence underscores that iOS users are not immune from sophisticated cyber threats. Maintaining a secure device by applying updates, rebooting regularly, and practicing safe browsing can provide some essential defenses against this dangerous spyware.