
Cybersecurity researchers have flagged an updated version of the LightSpy implant, which has an expanded set of data collection capabilities to extract information from social media platforms such as Facebook and Instagram.
LightSpy is the name given to modular spyware that can infect both Windows and Apple systems with the aim of harvesting data. It was first documented in 2020, targeting users in Hong Kong.
The harvested data includes Wi-Fi network information, screenshots, location, iCloud Keychain contents, sound recordings, photos, browser history, contacts, call history, SMS messages, and files, as well as data from apps such as LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.
Late last year, ThreatFabric detailed updated versions of the malware that expanded the number of supported plugins from 12 to 28 and incorporated destructive features designed to prevent compromised devices from booting.
Previous findings have also revealed potential overlap between LightSpy and an Android malware named DragonEgg, highlighting the cross-platform nature of the threat.
The latest analysis by Hunt.io of the spyware's command-and-control (C2) infrastructure reveals support for over 100 commands spanning Android, iOS, Windows, macOS, routers, and Linux.

“The new command list shifts focus from direct data collection to a wider range of operational controls, including transmission management (‘subscription control’) and plug-in version tracking (‘subscription information’),” the company said.
“These additions suggest a more flexible and adaptable framework, allowing Lightspy operators to manage their deployments more efficiently across multiple platforms.”
Notable among the new commands is the ability to target Facebook and Instagram application database files for data extraction on Android devices. In an interesting twist, the threat actors have removed the iOS plugins associated with destructive behavior on the victim's host.
Additionally, 15 Windows-specific plugins designed for system monitoring and data collection have been discovered, most of them focused on keylogging, audio recording, and USB interaction.
The threat intelligence firm also found an endpoint (“/PhoneInfo”) that, after logging in, offers the ability to remotely control a user's infected mobile device. It is currently unclear whether these represent new developments or older versions that were not previously documented.

“The migration from targeting messaging applications to Facebook and Instagram expands LightSpy's ability to collect private messages, contact lists, and account metadata from widely used social platforms,” Hunt.io said.
“Extracting these database files can potentially provide attackers with conversations, user connections, and session-related data, increasing their surveillance capabilities and opportunities for further exploitation.”
The disclosure comes as Cyfirma detailed an Android malware called SpyLend that was distributed via the Google Play Store as a financial app named Finance Simplified (APK name “com.someca.count”) but engages in predatory lending, blackmail, and extortion targeting Indian users.
“By leveraging location-based targeting, the app displays a list of rogue loan apps that work entirely within WebView, allowing attackers to bypass Play Store scrutiny,” the company said.
“Once installed, these loan apps harvest sensitive user data, implement exploitative lending practices, and employ blackmail tactics to extort money.”
Some of the advertised loan apps include KreditPro (formerly KreditApple), MoneyApe, StashFur, FairBalance, and PokketMe. Users installing Finance Simplified from outside India are shown a harmless WebView listing various calculators for personal finance, accounting, and taxation, suggesting the campaign is specifically designed to target Indian users.
The app is no longer available for download from the official Android app marketplace. According to statistics from Sensor Tower, it was released around mid-December 2024 and attracted over 100,000 installations.

“Initially presented as a harmless financial management application, once installed it downloads fraudulent loan apps from external download URLs and obtains extensive permissions to access files, contacts, call logs, SMS, clipboard content, and even the camera,” Cyfirma noted.
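The permission set Cyfirma describes is the kind of mismatch a reviewer can catch before install: a finance calculator has no business reading contacts, call logs or SMS. The script below is an added example written for this article, not Cyfirma's tooling or anything recovered from SpyLend. It parses a constructed AndroidManifest.xml fragment whose permission list mirrors the data categories the article lists (the package name is the one the article reports; the REQUEST_INSTALL_PACKAGES permission is an assumption that the dropper installs the fetched loan APKs itself) and flags the permissions that do not fit the app's claimed purpose. Note the caveat in the code: clipboard access needs no manifest permission on Android, so manifest triage alone cannot see that part of the behavior.

```python
"""
Triage an Android manifest for permissions that do not fit the app's claimed
purpose. Added example for this article; not Cyfirma's code and not the
SpyLend dropper's manifest. SAMPLE_MANIFEST below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions a finance-calculator app has a plausible reason to hold.
EXPECTED_FOR_CALCULATOR = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Runtime ("dangerous") permissions mapped to the data they expose.
# Clipboard access is NOT covered: on Android it requires no permission,
# so it is invisible to manifest triage and must be found dynamically.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.READ_MEDIA_IMAGES": "files",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    # Assumption: the dropper side-loads the loan APKs it downloads, which
    # needs this permission on modern Android.
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
}

# Constructed manifest fragment modelled on the article's description.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.someca.count">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Finance Simplified"/>
</manifest>
"""

# Constructed control case: what a real calculator would declare.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calc">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> in declaration order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission")]


def triage(manifest_xml: str, expected: set[str] = EXPECTED_FOR_CALCULATOR) -> dict:
    """Compare declared permissions with what the claimed app category needs."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    unexpected = [p for p in perms if p not in expected]
    hits = {p: SENSITIVE[p] for p in unexpected if p in SENSITIVE}
    data_exposed = sorted(set(hits.values()))
    # Three or more unrelated personal-data categories is a strong signal
    # that the app is a harvester rather than a calculator.
    if len(data_exposed) >= 3:
        verdict = "suspicious"
    elif data_exposed:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "package": root.get("package"),
        "unexpected_permissions": unexpected,
        "data_exposed": data_exposed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

Feed it the manifest extracted with `apktool d` or `aapt dump xmltree` on an APK; the `expected` set is the knob to tune per app category.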
Indian retail banking customers have also become the target of another campaign distributing malware codenamed FinStealer, which impersonates legitimate banking apps and is designed to facilitate financial fraud by collecting login credentials and carrying out fraudulent transactions.
“These fake apps, distributed via phishing links and social engineering, closely mimic legitimate banking apps, tricking users into revealing their credentials, financial data, and personal information,” the company said.
“By using Telegram bots, the malware can seamlessly receive instructions and send stolen data, making it even more difficult for security systems to detect and block its communications.”
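Telegram bot C2 blends into traffic to a legitimate, TLS-protected service, but the Bot API has a fixed URL shape (`api.telegram.org/bot<token>/<method>`) that is visible in proxy logs, and a bot-driven implant shows a distinctive pairing: `getUpdates` polling to fetch tasking alongside `sendMessage`/`sendDocument` calls to push stolen data. The script below is an added example written for this article, not FinStealer's code or Cyfirma's detection content. The log lines and bot tokens are constructed; the URL shape and method names are those of the public Telegram Bot API. It groups Bot API calls per client and raises a stronger verdict only when the same client both polls for updates and sends data, which keeps ordinary one-way notification bots (a common legitimate use) below the alert threshold.

```python
"""
Detect Telegram Bot API tasking/exfiltration patterns in web-proxy logs.
Added example for this article; not FinStealer code. Logs are constructed
(tab-separated: timestamp, client IP, HTTP verb, URL, user agent) and the
bot tokens are fake.
"""
import re
from collections import defaultdict

# Real Bot API URL shape: https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)"
)
TASKING_METHODS = {"getUpdates"}  # implant polling for operator commands
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo"}

# Constructed proxy log lines. 10.0.0.21 behaves like an implant, 10.0.0.33
# is a browser on Telegram Web, 10.0.0.40 is a one-way monitoring bot.
SAMPLE_LOGS = [
    "2025-02-20T10:00:01Z\t10.0.0.21\tGET\thttps://api.telegram.org/bot123456789:AAHmockTokenNotReal_0123456789abcdef/getUpdates?offset=17\tDalvik/2.1.0 (Linux; U; Android 13)",
    "2025-02-20T10:00:04Z\t10.0.0.21\tPOST\thttps://api.telegram.org/bot123456789:AAHmockTokenNotReal_0123456789abcdef/sendDocument\tDalvik/2.1.0 (Linux; U; Android 13)",
    "2025-02-20T10:00:31Z\t10.0.0.21\tGET\thttps://api.telegram.org/bot123456789:AAHmockTokenNotReal_0123456789abcdef/getUpdates?offset=18\tDalvik/2.1.0 (Linux; U; Android 13)",
    "2025-02-20T10:01:10Z\t10.0.0.33\tGET\thttps://web.telegram.org/a/\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2025-02-20T10:02:00Z\t10.0.0.40\tPOST\thttps://api.telegram.org/bot987654321:AAEmonitorBotNotReal_fedcba9876543210/sendMessage\tpython-requests/2.31",
]


def parse_line(line: str) -> dict:
    """Split one constructed log line into its five tab-separated fields."""
    ts, client, verb, url, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "client": client, "verb": verb, "url": url, "ua": ua}


def redact(token: str) -> str:
    """Keep the numeric bot id (useful for pivoting) and drop the secret."""
    bot_id, _secret = token.split(":", 1)
    return f"{bot_id}:<redacted>"


def detect(lines, allowlisted_clients=frozenset()) -> dict:
    """Return per-client findings for any host calling the Bot API."""
    per_client = defaultdict(
        lambda: {"bot_id": None, "token": None, "tasking": 0, "exfil": 0, "methods": set()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec["client"] in allowlisted_clients:
            continue
        m = BOT_API.search(rec["url"])
        if not m:
            continue  # web.telegram.org and other traffic is not Bot API use
        token, method = m.group("token"), m.group("method")
        entry = per_client[rec["client"]]
        entry["bot_id"] = token.split(":", 1)[0]  # last token seen wins
        entry["token"] = redact(token)
        entry["methods"].add(method)
        if method in TASKING_METHODS:
            entry["tasking"] += 1
        elif method in EXFIL_METHODS:
            entry["exfil"] += 1

    findings = {}
    for client, e in per_client.items():
        # Polling for commands AND sending data from the same host is the
        # two-way pattern of a bot-driven implant; either alone is just
        # Bot API use and needs an analyst to decide.
        verdict = "bot-c2-pattern" if e["tasking"] and e["exfil"] else "bot-api-use"
        findings[client] = {**e, "methods": sorted(e["methods"]), "verdict": verdict}
    return findings


if __name__ == "__main__":
    for client, f in detect(SAMPLE_LOGS).items():
        print(client, f)
```

In production, point `detect` at the proxy's URL field (TLS-intercepted, or the SNI plus the Bot API path where the proxy logs it), and maintain `allowlisted_clients` for hosts that legitimately run Telegram bots so the rule stays actionable.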