LightSpy, a malware deployed in a 2020 watering hole attack against iOS users, has been found to be embedded with a set of 14 plugins that are responsible for private data exfiltration. Researchers have attributed the malware to the Chinese state-sponsored APT41 group, which previously had used DragonEgg and WyrmSpy spyware to target Android users.
Inside LightSpy Android malware
ThreatFabric reveals that LightSpy includes a Core implant, apart from 14 plugins, which is responsible for the orchestration of functions that are crucial for the whole attack chain.
- The main functionalities of the Core include gathering device fingerprints, establishing a full connection with the C2 server, and retrieving commands from the server.
- In total, LightSpy Core supports 24 different commands, with one of them giving instructions to update itself and the plugins.
About the new plugins
Researchers observed 14 plugins from 20 active servers that are capable of exfiltrating a variety of sensitive data and capturing screenshots from multiple messaging apps and systems. Out of these, three plugins get a special mention. These are:
- Location module plugin: It is responsible for tracking the current location of users via snapshots taken during specific time intervals.
- Soundrecord plugin: It can start a microphone recording, even during incoming phone calls. Furthermore, the plugin can record WeChat VoIP audio conversations using a native library called libwechatvoipCoMm.so.
- Bill plugin: This plugin is responsible for stealing the payment history of WeChat Pay, which includes the last bill ID, bill type, transaction ID, date, and payment processing flag.
Conclusion
Researchers have found several active servers across China mainland, Hong Kong, Taiwan, Singapore, and Russia, which suggests that the threat remains active in the wild. Furthermore, since the attackers primarily leverage popular software/applications as a channel for distribution, users are advised to avoid installing software from untrusted sources.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/1d85_shutterstock_729070279.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/65f5_Shutterstock_1676474806.jpg)
