LightSpy Expands to 100+ Commands, Increasing Control Over Windows, macOS, Linux, and Mobile
Summary:
Researchers have discovered an upgraded version of the LightSpy spyware, now equipped with expanded data collection features targeting social media applications like Facebook and Instagram. Originally identified in 2020 during attacks on Hong Kong users, LightSpy is modular malware capable of infecting Windows and Apple systems to harvest sensitive data. The latest version expands its capabilities to collect Wi-Fi details, screenshots, location data, iCloud Keychain information, browser history, call and SMS logs, and data from various messaging apps, including WeChat, Telegram, and WhatsApp. Researchers have also linked LightSpy to DragonEgg, an Android malware, suggesting a broader cross-platform espionage operation.
Recent findings indicate that LightSpy now supports over 100 commands across multiple platforms, including Android, iOS, Windows, macOS, routers, and Linux. The latest update shifts its focus from direct data collection to broader operational control, allowing attackers to remotely manage infected devices and track plugin versions. Notably, LightSpy’s operators have enhanced their ability to extract Facebook and Instagram database files from Android devices while simultaneously removing iOS-specific destructive plugins. Additionally, researchers identified 15 Windows-specific plugins designed for keylogging, audio recording, and USB interaction, further expanding its surveillance capabilities. A hidden endpoint ("/phone/phoneinfo") within the malware’s admin panel was also uncovered, enabling operators to remotely control compromised mobile devices.
Security Officer Comments:
Meanwhile, Cyfirma researchers have exposed a new Android malware campaign targeting Indian users through a fraudulent finance app called SpyLend. Disguised as Finance Simplified on the Google Play Store, the app engaged in predatory lending, blackmail, and extortion. By leveraging location-based targeting, the malware displayed a list of unauthorized loan apps, such as KreditPro, MoneyAPE, Fairbalance, and PokketMe, to Indian users while presenting a harmless finance calculator interface to users outside India. Once installed, SpyLend requested extensive permissions to access files, contacts, call logs, SMS, clipboard data, and even the camera. Though the app has since been removed from the Play Store, it recorded over 100,000 downloads before its takedown.
Suggested Corrections:
To mitigate risks, defenders/users should:
- Restrict app permissions to prevent unnecessary access to sensitive data. On Android, use the Privacy Dashboard to review and revoke permissions, and on iOS, enable App Privacy Reports to monitor background data access.
- Enable advanced device security features that limit the exploitability of devices. iOS users can turn on Lockdown Mode, which restricts attack surfaces, while Android users can enable Enhanced Google Play Protect and exploit protection settings to detect and block malicious activity.
- Examine historical system logs and forensic artifacts to determine whether the 2021-12-31 core version or related LightSpy components were present in previously undetected infections.
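One way to start the log review described in the last point is a small hunt over web-proxy or egress logs for the admin-panel path the researchers documented. The script below is an added example, not code from the article or from the researchers it cites; the only indicator it takes from the page is the "/phone/phoneinfo" path, and the log lines and their Squid-style layout are constructed for the demonstration. A hit is a low-confidence lead to corroborate against other artifacts (plugin files, the 2021-12-31 core version, C2 traffic), not proof of infection on its own.

```python
"""Hunt constructed proxy-log lines for the LightSpy admin-panel path.

Added example; not from the article or the cited researchers. The endpoint
path is the one the article reports; the log format and every log line are
constructed for this demonstration.
"""
import re
from urllib.parse import urlsplit

# Indicator taken from the article. Everything else here is an assumption.
LIGHTSPY_ADMIN_PATH = "/phone/phoneinfo"

# Constructed sample log: "<epoch> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
1739000001.123 10.0.0.5 GET http://example.com/index.html 200
1739000002.456 10.0.0.7 POST http://203.0.113.10:8080/phone/phoneinfo?id=1 200
1739000003.789 10.0.0.9 GET https://intranet.local/phone/phoneinfo.pdf 200
1739000004.012 10.0.0.7 GET http://203.0.113.10:8080/PHONE/PHONEINFO 404
this line is malformed and must be skipped, not crash the hunt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for one well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Compare on the URL path only, so query strings and hosts do not matter.
    rec["path"] = urlsplit(rec["url"]).path
    return rec


def path_matches(path, indicator=LIGHTSPY_ADMIN_PATH):
    """True when the path is the indicator itself or a sub-path of it.

    Case-insensitive on purpose: this is a hunt, so a cased variant is worth
    a look. "/phone/phoneinfo.pdf" is a different resource and must not hit.
    """
    p = path.lower()
    i = indicator.lower()
    return p == i or p.startswith(i + "/")


def find_hits(log_text):
    """Return the parsed records whose path matches the indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and path_matches(rec["path"]):
            hits.append(rec)
    return hits


def hits_by_client(log_text):
    """Group hits by client IP so repeat contacts stand out for triage."""
    grouped = {}
    for rec in find_hits(log_text):
        grouped.setdefault(rec["client"], []).append(rec)
    return grouped


if __name__ == "__main__":
    for client, recs in hits_by_client(SAMPLE_LOG).items():
        print(f"{client}: {len(recs)} request(s) to {LIGHTSPY_ADMIN_PATH}")
        for r in recs:
            print(f"  {r['ts']} {r['method']} {r['url']} -> {r['status']}")
```

Point `find_hits` at real proxy output by adjusting `LINE_RE` to the local log layout; the matching logic is independent of the format. Note that a non-2xx status still counts as a hit, since the request itself is the interesting event.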
https://thehackernews.com/2025/02/lightspy-expands-to-100-commands.html