The LightSpy malware, which was previously known for its watering hole attack targeting iOS users in Hong Kong, has now been found to have an Android implant. This discovery reveals that the malware is even more widespread and dangerous than previously thought.

LightSpy is categorized as a Mobile Advanced Persistent Threat (mAPT) and is believed to be the work of APT41, a state-sponsored hacking group. Recent reports suggest that the malware has been using the popular WeChat payment system to gain access to payment data, monitor private communications, and carry out various malicious activities.

According to cybersecurity experts, LightSpy is a fully featured modular surveillance toolset that includes several plugins for exfiltrating private and payment data. It is particularly focused on gathering private information from its victims. Notable features of the malware include the ability to exfiltrate payment data from WeChat Pay, record victims’ VoIP conversations through WeChat, and gather device fingerprint data.

The malware’s core functions as the main component responsible for carrying out the entire attack chain. It gathers device information, establishes connections with control servers, retrieves commands, and updates itself and its plugins.

LightSpy is equipped with 14 plugins, each serving a specific purpose. These plugins include modules for exfiltrating application and user data, tracking location, capturing audio, and extracting data from popular messaging apps like Telegram and QQ.

In order to track the victim’s location, LightSpy relies on two location-tracking frameworks: Tencent location SDK and Baidu location SDK. The Soundrecord plugin enables the malware to record audio, including environmental sounds and phone calls. The Bill plugin gathers information about the victim’s payment history on WeChat Pay.

The discovery of the Android implant within LightSpy indicates that this malware is no longer restricted to targeting iOS users. It poses a significant threat to both Android and iOS devices, emphasizing the need for robust cybersecurity measures to protect against such attacks.

In conclusion, LightSpy malware has evolved and expanded its operations to target Android devices in addition to iOS devices. With its sophisticated capabilities and state-sponsored origins, this threat highlights the importance of staying vigilant and using comprehensive security solutions to safeguard personal and financial information.

Sources:

– Original article: [Source]
– ThreatFabric report on LightSpy: [Source]
– ThreatFabric’s Indicators of Compromise: [Source]