Operation Poisoned News used local news links to hit iPhone users with spyware
Research published by security firms Trend Micro and Kaspersky reveals details of a watering-hole campaign targeting iPhone users.
Dubbed Operation Poisoned News, the campaign used malicious links on local news websites to install the LightSpy malware. Hackers have been exploiting vulnerabilities in iOS to install the spyware which can gather huge amounts of information and can also be used to take remote control of a device.
- Apple internally acknowledges Personal Hotspot problems in iOS 13 and iPadOS 13
- Why is Zoom secretly sharing data with Facebook?
- Apple now allows ads in push notifications on iPhone and iPad
The campaign was discover in the middle of January, and appears to have been designed to target iPhone users in Hong Kong. The perpetrators ensnared victims by posting links in various forums which purported to be local news stories. In reality, a hidden iframe was being used to load malicious code and install LightSpy.
In a write-up about the discovery, Trend Micro says:
The malware variant is a modular backdoor that allows the threat actor to remotely execute shell command and manipulate files on the affected device. This would an allow an attacker to spy on a user's device, as well as take full control of it. It contains different modules for exfiltrating data from the infected device, which includes:
- Connected WiFi history
- GPS location
- Hardware information
- iOS keychain
- Phone call history
- Safari and Chrome browser history
- SMS messages
Information about the user's network environment is also exfiltrated from the target device:
- Available WiFi network
- Local network IP addresses
Messenger applications are also specifically targeted for data exfiltration. Among the apps specifically targeted are:
Kaspersky says that it is "temporarily" calling this APT (advanced persistent threat) group "TwoSail Junk". It is believed that the campaign is linked to previous activity, and there is a related Android malware variant dating back to the latter end of last year. The security company says that LightSpy's "framework and infrastructure is an interesting example of an agile approach to developing and deploying surveillance framework".
The exploitable vulnerabilities are found in iOS 12.1 and 12.2, and simply updating to a newer version is all it takes to protect your iPhone.