
iPhones Under Attack—New Warning As Hackers Target Apple Devices – Forbes


While iPhones are undeniably more secure than Androids, notwithstanding Google’s efforts to narrow the gap, Apple devices are not immune from attack. There are now regular alerts from Apple when attacks have been identified, and a new cyber report has just warned that iPhones are under attack from hackers with enhanced cyber tools, and that “a regular reboot can be a best practice for Apple device owners.”

You may remember LightSpy—this spyware has been reported on multiple occasions by multiple security firms as it attacks iOS, macOS and Android. Well now it’s back in the headlines, and ThreatFabric warns it’s much improved, with its toolset “increased significantly from 12 to 28 plugins—notably, seven of these plugins have destructive capabilities that can interfere with the device’s boot process.”


This spyware targets older, unpatched versions of Apple’s iOS, leveraging known vulnerabilities, specifically “the publicly available Safari exploit CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation.” Attacks force a jailbreak on the target iPhone, escalating privileges to enable a full device takeover.

Given that this latest LightSpy iteration attacks iPhones running nothing newer than iOS 13.5, your first defense is to make sure your phone is updated. It’s almost certain that the tool is being deployed by Chinese threat actors against victims in China and Hong Kong. There are no signs yet of it being offered further afield, but that could change.

The new “destructive” capabilities highlighted by ThreatFabric mean that a compromised device can be prevented from restarting. The plugin architecture means that modules can be deployed as required under the control of an external server, with the objective being to exfiltrate data from the phone to the attackers.

This destruction includes “wiping the contact list or disabling the device by deleting system-related components,” ThreatFabric says. “This suggests that the threat actors valued the ability to erase attack traces from the device.”

Stolen data can include device screenshots, photos, audio recordings, texts, contacts, call logs and data from messaging platforms including WhatsApp and Telegram. Clearly, even end-to-end encrypted messages can be accessed if an attacker has control over the device representing one of those ends.


“The LightSpy iOS case highlights the importance of keeping systems up to date,” the researchers advise. “The threat actors behind LightSpy closely monitor publications from security researchers, reusing newly disclosed exploits to deliver payloads and escalate privileges on affected devices.”

Infections likely come by way of lures to infected websites used by the intended victim groups—so-called watering holes. If you think you may be susceptible to such attacks and you are not running an updated version of iOS, ThreatFabric suggests a regular reboot. “While rebooting won’t prevent reinfection, it may limit the amount of information attackers can exfiltrate from the device.”


