LightSpy

First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as .dylib files (iOS, macOS) or .apk files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.[1]

ID: S1185
Type: MALWARE
Platforms: Android, Windows, iOS, macOS
Contributors: Alden Schmidt; Dmitry Bestuzhev
Version: 1.0
Created: 03 January 2025
Last Modified: 15 April 2025

Techniques Used

Domain ID Name Use
Mobile T1437.001 Application Layer Protocol: Web Protocols

LightSpy has used both HTTPS and WebSockets to communicate with the C2.[2][3][4]

Mobile T1532 Archive Collected Data

LightSpy collects and compresses data to be exfiltrated using SSZipArchive.[4][3]

Mobile T1429 Audio Capture

LightSpy has captured environment audio, phone calls and Voice over IP (VoIP) calls.[5][1][2][3][4]

Mobile T1398 Boot or Logon Initialization Scripts

LightSpy has established auto-start execution during the system boot process.[3]

Mobile T1623 Command and Scripting Interpreter

LightSpy has plugins for executing shell commands either from the C2 server or a library file called zt.dylib.[1][3][4]

Mobile T1634.001 Credentials from Password Store: Keychain

LightSpy has accessed the device’s Keychain data.[1][3][6][4]

Mobile T1662 Data Destruction

LightSpy has deleted media files and messenger-related files on the device.[3] Additionally, LightSpy has used the AppDelete plugin to remove multiple messaging applications, such as WeChat, QQ, Telegram, Line, and WhatsApp.[4]

Mobile T1533 Data from Local System

LightSpy has collected and exfiltrated files from messaging applications, such as Telegram, QQ, WeChat, and WhatsApp, and browser history from Chrome and Safari.[1][2][3][6][4]

Mobile T1456 Drive-By Compromise

LightSpy gains initial execution when a victim visits a compromised or adversary-controlled website, including those mimicking legitimate sources such as a Hong Kong newspaper. Upon loading index.html, a Safari WebKit exploit is triggered, leading to the download of a Mach-O binary disguised with a .png extension.[5][6][4][3]

Mobile T1642 Endpoint Denial of Service

LightSpy has used the DeleteSpring plugin to render the device’s user interface inoperable by disabling SpringBoard, which is iOS's home screen manager.[4] LightSpy has used the BootDestroy plugin to prevent the victim device from booting by modifying the NVRAM parameter auto-boot to false.[4] Additionally, LightSpy has renamed the Wi-Fi daemon to disable wireless connectivity.[4]

Mobile T1646 Exfiltration Over C2 Channel

LightSpy has exfiltrated collected data to the C2.[4]

Mobile T1658 Exploitation for Client Execution

LightSpy has compromised iPhones running iOS 12.1 and 12.2 without any user interaction.[6]

Mobile T1404 Exploitation for Privilege Escalation

LightSpy uses the embedded time_waste function to bypass standard iOS API restrictions and enable unauthorized audio/video recording. This exploit injects a .dylib into the SpringBoard process, allowing persistent access to audio and video capture.[4][3]

Mobile T1544 Ingress Tool Transfer

LightSpy has retrieved files from the C2 server.[1][3] Examples of files from the C2 are amfidebilitate (jailbreak component), jbexec (executable to verify jailbreak), bb (FrameworkLoader), cc (launchctl binary for persistence), b.plist (configuration for auto-start), and resources.zip, which contains additional jailbreak-related components.[4]

Mobile T1430 Location Tracking

LightSpy has accessed the device’s GPS location.[1][2][6][4]

Mobile T1655 Masquerading

LightSpy has masqueraded a Mach-O executable as a .png file.[3][4]

Mobile T1575 Native API

LightSpy's main executable and modules use native libraries to execute targeted functionality.[2][1][4][3]

Mobile T1423 Network Service Scanning

LightSpy uses the landevices module to enumerate devices on the same Wi-Fi network through active scanning.[3][4][6]

Mobile T1509 Non-Standard Port

LightSpy has communicated with the C2 using ports 52202, 51200, 43201, 43202, 43203, and 21202.[2]
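As an added, defender-side example (not code from the ATT&CK page or from any LightSpy sample), the following Python scans connection-log lines for the destination ports listed above and then groups hits by host pair, since one host reaching one destination on several of the listed ports is a stronger signal than a single match. The log layout and the IP addresses are constructed for the example; only the port set comes from the page.

```python
import re

# Destination ports the page lists for LightSpy C2 traffic (T1509).
LIGHTSPY_C2_PORTS = {52202, 51200, 43201, 43202, 43203, 21202}

# Constructed sample lines in a hypothetical "timestamp src:port -> dst:port proto"
# layout; the addresses are documentation ranges, not real infrastructure.
SAMPLE_CONN_LOG = """\
2025-01-03T10:00:01Z 10.0.0.5:51234 -> 203.0.113.7:443 TCP
2025-01-03T10:00:02Z 10.0.0.5:51235 -> 203.0.113.7:43201 TCP
2025-01-03T10:00:03Z 10.0.0.8:40001 -> 198.51.100.2:80 TCP
2025-01-03T10:00:04Z 10.0.0.5:51236 -> 203.0.113.7:52202 TCP
2025-01-03T10:00:05Z 10.0.0.9:43201 -> 198.51.100.9:443 TCP
2025-01-03T10:00:06Z 10.0.0.5:51237 -> 203.0.113.7:21202 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)


def find_c2_port_hits(lines):
    """Return one record per line whose *destination* port is in the LightSpy set.

    Source ports are deliberately ignored: an ephemeral source port that happens
    to equal 43201 (line 5 of the sample) is not evidence of anything.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        dport = int(m["dport"])
        if dport in LIGHTSPY_C2_PORTS:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": dport})
    return hits


def hosts_with_multiple_hits(hits, threshold=2):
    """Group hits by (src, dst) and keep pairs that used at least `threshold`
    distinct listed ports; returns {(src, dst): sorted list of ports}."""
    ports_by_pair = {}
    for h in hits:
        ports_by_pair.setdefault((h["src"], h["dst"]), set()).add(h["dport"])
    return {pair: sorted(ports) for pair, ports in ports_by_pair.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    found = find_c2_port_hits(SAMPLE_CONN_LOG.splitlines())
    for hit in found:
        print(hit)
    print(hosts_with_multiple_hits(found))
```

Run against the embedded sample, three of the six lines match on destination port, and the grouping step reports the single 10.0.0.5 to 203.0.113.7 pair that used three listed ports. Port-based matching is a triage filter, not a verdict: pair it with the host's process or app inventory before escalating.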

Mobile T1406 Obfuscated Files or Information

Using an XOR-chain algorithm, LightSpy decrypts an embedded configuration blob containing URLs for jailbreak components and next-stage payloads. It also decrypts modules in memory and on disk using AES-ECB with the hardcoded key 3e2717e8b3873b29.[2][1][3][4] Additionally, LightSpy’s plugins have been encrypted during transmission.[4]
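Two of the file-level indicators on this page, a Mach-O binary carrying a .png extension (T1655, the drive-by payload described under T1456) and the hardcoded AES-ECB key used to decrypt modules (T1406), can both be checked by a small triage script that classifies a file by its leading bytes rather than its name. The following Python is an added example written for this page, not code from the ATT&CK entry or the cited reports. The sample files it builds are constructed stand-ins, the key is assumed to be embedded as its 16 ASCII bytes, and the Java class-file disambiguation for the 0xCAFEBABE magic is a heuristic of the example, not something the page describes.

```python
import os
import struct
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Mach-O magic values as they appear when the first four bytes are read big-endian.
# On-disk arm64/x86_64 binaries are little-endian, so they show up as the
# byte-swapped constants (0xCFFAEDFE for a 64-bit image).
MACHO_MAGICS = {
    0xFEEDFACE: "Mach-O 32-bit (big-endian)",
    0xFEEDFACF: "Mach-O 64-bit (big-endian)",
    0xCEFAEDFE: "Mach-O 32-bit (little-endian)",
    0xCFFAEDFE: "Mach-O 64-bit (little-endian)",
}
FAT_MAGIC = 0xCAFEBABE  # fat/universal Mach-O header; also the Java class-file magic

# Hardcoded AES-ECB key reported on the page for LightSpy module decryption, taken
# here as the 16 ASCII bytes of that string (assumption of this example).
LIGHTSPY_AES_KEY = b"3e2717e8b3873b29"


def identify_header(data):
    """Classify a blob by its leading bytes, ignoring whatever name it was given."""
    if data.startswith(PNG_MAGIC):
        return "PNG"
    if len(data) >= 8:
        magic, second_word = struct.unpack(">II", data[:8])
        if magic in MACHO_MAGICS:
            return MACHO_MAGICS[magic]
        # Heuristic: a fat header's architecture count is small, while a Java class
        # file stores minor/major version in the same word (major version >= 45).
        if magic == FAT_MAGIC and second_word < 30:
            return "Mach-O fat/universal"
    return "unknown"


def triage_file(path):
    """Return the detected header type plus a list of LightSpy-relevant findings."""
    with open(path, "rb") as f:
        data = f.read()
    kind = identify_header(data)
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if ext == ".png" and kind.startswith("Mach-O"):
        findings.append("T1655: .png extension but content is " + kind)
    if LIGHTSPY_AES_KEY in data:
        findings.append("T1406: contains the hardcoded LightSpy AES-ECB key string")
    return {"path": os.path.basename(path), "kind": kind, "findings": findings}


def build_samples(directory):
    """Write constructed stand-in files (not real malware) and return their paths."""
    samples = {
        # Little-endian 64-bit Mach-O magic, filler, then the key string, under a .png name.
        "loader.png": b"\xcf\xfa\xed\xfe" + b"\x00" * 12 + LIGHTSPY_AES_KEY + b"\x00" * 16,
        # PNG signature with filler: a benign image-like file.
        "photo.png": PNG_MAGIC + b"\x00" * 32,
        # Plain text that merely mentions the key, e.g. an analyst's notes.
        "notes.txt": b"key observed: " + LIGHTSPY_AES_KEY + b"\n",
    }
    paths = []
    for name, content in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(content)
        paths.append(path)
    return paths


def run_demo():
    """Build the samples in a scratch directory and triage each, keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        return {r["path"]: r for r in map(triage_file, build_samples(tmp))}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result["kind"], result["findings"])
```

A .png whose header resolves to any Mach-O variant is the mismatch worth escalating on its own; the key-string match is weaker evidence in isolation, as the notes.txt sample shows, and is best read together with the header check and with where the file was written.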

Mobile T1660 Phishing

LightSpy has delivered malicious links through Telegram channels and Instagram posts.[5][6]

Mobile T1424 Process Discovery

LightSpy has collected a list of running processes.[3][4]

Mobile T1631 Process Injection

LightSpy injects libcynject.dylib into the SpringBoard process to enable audio/video recording.[4]

Mobile T1636.002 Protected User Data: Call Log

LightSpy has accessed the device’s call log.[1][2][3][6][4]

Mobile T1636.003 Protected User Data: Contact List

LightSpy has accessed the device’s contact list.[1][2][3][6][4]

Mobile T1636.004 Protected User Data: SMS Messages

LightSpy has accessed SMS messages.[1][2][3][4]

Mobile T1513 Screen Capture

LightSpy has a plugin that can take screenshots.[3][4]

Mobile T1582 SMS Control

LightSpy has sent and deleted SMS messages.[2][3][4]

Mobile T1418 Software Discovery

LightSpy has accessed a list of installed applications.[1][2][3][4]

Mobile T1409 Stored Application Data

LightSpy has collected payment history from WeChat Pay.[1][2][4]

Mobile T1426 System Information Discovery

LightSpy collects device information, including the phone number, IMEI, CPU details, screen specifications, and memory information.[4][3][2][1]

Mobile T1422 System Network Configuration Discovery

LightSpy has collected device information such as IMEI, phone number, MAC address and IP address.[4]

Mobile T1422.002 Wi-Fi Discovery

LightSpy uses the WifiList (or libWifiList) plugin to gather Wi-Fi network information, such as the SSID, BSSID, signal strength (RSSI), channel, security type, and previously saved networks.[1][4][3][2]

Mobile T1421 System Network Connections Discovery

LightSpy has collected a list of cellular networks and connected Wi-Fi history using a LAN scanner based on MMLanScan.[5][1][2][3][6]

Mobile T1512 Video Capture

LightSpy has the ability to take one picture, continuous pictures, or event-related pictures using the device’s camera.[5][1][2][3][4] On iOS devices the default picture format is High Efficiency Image Format (HEIC); on Android devices it is JPEG.

Groups That Use This Software

ID Name References
G0096 APT41 [1]

References