Security researchers at Hunt.io have identified an updated version of the LightSpy spyware, now equipped with enhanced data collection capabilities. The malicious software can now extract information from social media platforms, including Facebook and Instagram.
LightSpy spyware is a modular surveillance tool capable of infecting Windows and macOS systems, as well as mobile devices. First detected in 2020, its initial attacks primarily targeted users in Hong Kong.
The malware is designed to harvest a broad spectrum of sensitive data, including Wi-Fi network details, screenshots, geolocation data, iCloud keychains, audio recordings, photographs, browsing history, contacts, call logs, and SMS messages. Furthermore, it has the ability to exfiltrate data from widely used applications such as Telegram, WhatsApp, WeChat, LINE, and Tencent QQ.
A 2023 analysis by ThreatFabric revealed that LightSpy had recently undergone a significant upgrade, increasing the number of supported plugins from 12 to 28. Additionally, the malware has been equipped with disruptive functionalities that can prevent infected devices from rebooting. Researchers have previously noted similarities between LightSpy and the Android-based DragonEgg, suggesting that the threat is cross-platform in nature.
The latest Hunt.io report details the existence of over 100 operational commands within LightSpy’s command-and-control (C2) infrastructure, spanning Android, iOS, Windows, macOS, routers, and Linux. The malware’s functionality has expanded beyond mere data theft, evolving into a comprehensive remote administration tool. Notably, new commands have been introduced to control data transmission and track plugin versions.
One particularly alarming development is the ability to extract entire Facebook and Instagram databases from Android devices. However, forensic analysis indicates that the iOS variant no longer includes plugins responsible for destructive actions on infected devices. Additionally, 15 Windows-specific plugins have been identified, tailored for keylogging, audio recording, and interaction with USB devices.
Researchers have also uncovered an administrative control panel featuring remote management capabilities for compromised mobile devices. It remains unclear whether this feature is a recent addition or had simply gone unnoticed in previous investigations.
The expansion of LightSpy’s capabilities signals an escalation in surveillance efforts targeting social media users. Analysts emphasize that the exfiltration of Facebook and Instagram databases provides attackers with access to private messages, contact lists, and metadata, significantly broadening the scope for exploiting stolen information.
Meanwhile, researchers at Cyfirma have recently disclosed details about another malware strain—SpyLend, which was distributed via Google Play under the guise of a financial application, Finance Simplified. The spyware targeted users in India, leveraging predatory lending tactics and extortion schemes. According to reports, the malware granted itself extensive privileges, including access to contacts, files, call logs, SMS messages, and even the device camera. To evade Google Play security checks, the app masqueraded as a financial tool for international users.
Experts warn that cybercriminals continue to expand their arsenal, refining both surveillance mechanisms and financial fraud techniques. Users are strongly advised to exercise caution when installing applications and to scrutinize permission requests carefully to mitigate potential risks.
