A new campaign is targeting Hong Kong users' iPhones with an iOS backdoor that gives attackers control over the apps on a compromised device, Trend Micro says.
The attack relied on fake links shared on popular Hong Kong forums that led users to what looked like real news pages, where a hidden iframe loads and runs the malware. Vulnerabilities affecting iOS 12.1 and 12.2 were abused to deliver a new piece of spyware named lightSpy.
With support for shell commands and file manipulation, the malware lets an intruder spy on users and take complete control of infected devices.
Modular in design, lightSpy can exfiltrate connected Wi-Fi data, contacts, GPS location, device information, the iOS keychain, phone call history, Safari and Chrome browser history, SMS messages, and local network IP addresses.
The malware was also found to directly target messaging apps such as Telegram, QQ, and WeChat.
Trend Micro's researchers uncovered similar attacks against Android devices in 2019, which spread malicious APKs via public Hong Kong-based Telegram channels. That Android malware, dubbed dmsSpy, can exfiltrate device information, contacts, and text messages.
The iOS campaign, which Trend Micro has dubbed Operation Poisoned News, delivers a backdoor with a wide range of surveillance capabilities.
On February 19, security researchers uncovered a watering hole attack targeting iOS users with URLs leading to a malicious website containing three iframes pointing to separate pages. One iframe is visible and links to a legitimate news article; a second, invisible one is used for web analytics; and the third points to a site hosting the main iOS exploit script.
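The three-iframe layout described above is a pattern that can be triaged from a fetched copy of the page: a visible frame to a legitimate article plus invisible frames to other origins. The script below is an added example, not Trend Micro's tooling or any artifact from the campaign; the hostnames and HTML are constructed placeholders, not the real infrastructure. It flags every iframe that is both hidden (zero-sized, `hidden`, or hidden via inline CSS) and cross-origin relative to the page being inspected.

```python
"""Flag hidden, cross-origin iframes in a saved HTML page.

Added illustration, not Trend Micro's code. Hostnames and the sample page
are constructed placeholders that mirror the three-iframe layout described
in the report: one visible frame to a legitimate article, one invisible
analytics frame, one invisible frame to the exploit host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that makes a frame invisible or zero-sized.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\b",
    re.I,
)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # Attribute values can be None for bare attributes such as `hidden`.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _pixel_dim(attrs, name):
    """Parse a width/height attribute as an integer pixel count, else None."""
    raw = attrs.get(name, "").strip().lower()
    if raw.endswith("px"):
        raw = raw[:-2]
    return int(raw) if raw.isdigit() else None


def is_hidden(attrs):
    """True if the frame would render invisibly to the visitor."""
    if "hidden" in attrs:
        return True
    if HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    return _pixel_dim(attrs, "width") == 0 or _pixel_dim(attrs, "height") == 0


def classify_iframes(html, page_host):
    """Return one record per iframe: src, resolved host, hidden, cross_origin."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # A relative src stays on the page's own origin.
        host = urlparse(src).hostname or page_host
        findings.append({
            "src": src,
            "host": host,
            "hidden": is_hidden(attrs),
            "cross_origin": host != page_host,
        })
    return findings


def suspicious_iframes(html, page_host):
    """Hidden frames that load another origin: the shape used to pull in the exploit page."""
    return [f for f in classify_iframes(html, page_host)
            if f["hidden"] and f["cross_origin"]]


# Constructed sample page (placeholder hosts, not campaign infrastructure).
SAMPLE_PAGE = """
<html><body>
<iframe src="https://news.legit-paper.test/article/123" width="100%" height="800"></iframe>
<iframe src="https://stats.tracker.test/pixel" width="0" height="0"></iframe>
<iframe src="https://loader.attacker.test/index.html" style="display:none"></iframe>
<iframe src="/widgets/weather.html" style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE, "mirror.attacker.test"):
        print("suspicious iframe:", finding["src"])
```

Run against the constructed sample, the checker flags the analytics frame and the exploit-loader frame but not the visible article frame or the hidden same-origin widget. Analytics frames match the same heuristic as exploit loaders, so this is a triage filter, not a verdict: the destinations still have to be fetched and examined.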
The links were posted on popular Hong Kong-based forums that offer users a mobile app for quick access. The lures used by the attackers were either sex-related, click-bait-type stories or coverage of the COVID-19 pandemic.
“We do not believe that these topics were targeted at any users specifically; instead they targeted the users of the sites as a whole,” Trend Micro says.
The second form of watering hole attack used a copy of a legitimate site with an iframe injected into it. This attack appears to have begun on January 2, but Trend Micro has not been able to determine where links to these domains were spread.
The attacks continued until March 20, when forum posts appeared to link to a schedule of protests in Hong Kong but in fact led to the same lightSpy infection chain.
As part of the attack chain, a silently fixed iOS vulnerability that has no CVE identifier was exploited, and a custom kernel exploit was then used to obtain root privileges. The kernel bug is CVE-2019-8605, which Apple patched in 2019. The chain therefore only works against devices still running iOS 12.1 or 12.2; devices updated beyond those versions are not affected by this exploit.
“Taken together, this threat allows the threat actor to thoroughly compromise an affected device and acquire much of what a user would consider confidential information. Several chat apps popular in the Hong Kong market were particularly targeted here, suggesting that these were the threat actor’s goals,” Trend Micro notes.