Researchers specializing in cybersecurity have identified an updated version of the LightSpy implant, which now boasts an expanded set of features for collecting data from social media platforms such as Facebook and Instagram.

LightSpy refers to a type of modular spyware capable of infecting both Windows and Apple systems, with the primary objective of harvesting data. It was first documented in 2020 and initially targeted users in Hong Kong.

The data collection capabilities of LightSpy include Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages, as well as data from various apps such as Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.

In the latter part of last year, ThreatFabric provided details on an updated version of the malware, which incorporates destructive capabilities to prevent the compromised device from booting up. Additionally, the number of supported plugins has been expanded from 12 to 28.

Previous findings have also revealed potential overlaps between LightSpy and an Android malware named DragonEgg, highlighting the cross-platform nature of the threat.

Hunt.io’s latest analysis of the malicious command-and-control (C2) infrastructure associated with the spyware has uncovered support for over 100 commands spanning Android, iOS, Windows, macOS, routers, and Linux.

“The new command list shifts focus from direct data collection to broader operational control, including transmission management (‘传输控制’) and plugin version tracking (‘上传插件版本详细信息’),” the company said.

“These additions suggest a more flexible and adaptable framework, allowing LightSpy operators to manage deployments more efficiently across multiple platforms.”

Notable among the new commands is the ability to target Facebook and Instagram application database files for data extraction from Android devices. However, in an interesting twist, the threat actors have removed iOS plugins associated with destructive actions on the victim host.

Also discovered are 15 Windows-specific plugins designed for system surveillance and data collection, with most of them geared towards keylogging, audio recording, and USB interaction.

The threat intelligence firm said it also discovered an endpoint (“/phone/phoneinfo”) in the admin panel that grants logged-in users the ability to remotely control the infected mobile devices. It’s currently not known if these represent new developments or previously undocumented older versions.

“The shift from targeting messaging applications to Facebook and Instagram expands LightSpy’s ability to collect private messages, contact lists, and account metadata from widely used social platforms,” Hunt.io said.

“Extracting these database files could provide attackers with stored conversations, user connections, and potentially session-related data, increasing surveillance capabilities and opportunities for further exploitation.”

The disclosure comes as Cyfirma shared details of an Android malware dubbed SpyLend that masquerades as a financial app named Finance Simplified (APK name “com.someca.count”) on the Google Play Store but engages in predatory lending, blackmail, and extortion aimed at Indian users.

“By leveraging location-based targeting, the app displays a list of unauthorized loan apps that operate entirely within WebView, allowing attackers to bypass Play Store scrutiny,” the company said.

“Once installed, these loan apps harvest sensitive user data, enforce exploitative lending practices, and employ blackmail tactics to extort money.”

Some of the advertised loan apps are KreditPro (formerly KreditApple), MoneyAPE, StashFur, Fairbalance, and PokketMe. Users who install Finance Simplified from outside India are served a harmless WebView that lists various calculators for personal finance, accounting, and taxation, suggesting that the campaign is designed to specifically target Indian users.

The app is no longer available for download from the official Android app marketplace. According to statistics available on Sensor Tower, the application was