Dangerous LightSpy malware is now targeting macOS devices — here’s what we know

LightSpy framework comes with 10 modules

The infamous LightSpy surveillance framework has made it to Mac devices after researchers discovered a new version designed for the Apple OS.

Experts from ThreatFabric claim to have found evidence of in-the-wild use since at least January 2024, despite LightSpy previously being limited to Android and iOS devices.

As an extensive mobile malware, LightSpy was found to be capable of exfiltrating contact information from compromised devices, harvesting messages from both SMS and iMessage, and tracking people’s location via GPS location data. It is also capable of accessing photos, videos, and other multimedia data stored on the device, collecting device information (model, operating system version, etc.), and exfiltrating browser data (browser history and similar).

Older macOS targeted

Attackers have typically targeted people in the Asia-Pacific region with LightSpy, and while expanding into macOS territory is certainly worrisome, there are a few key pointers: LightSpy’s operations seem to be limited to testing environments, with cybersecurity researchers owning “a handful of infected machines”. Furthermore, the targets are only macOS 10.13.3 users, so those with macOS 14 should be safe.

To compromise the endpoints, the attackers are leveraging two known WebKit flaws, tracked as CVE-2018-4233 and CVE-2018-4404.

A surveillance framework differs somewhat from your average malware in that it uses different plugins. For the Android version, LightSpy used 13 plugins, while for iOS it used 16.

The macOS version, however, has 10 plugins: one to grab microphone data, one to pull browser information, one to use the device’s camera, one to pull files, one to grab macOS Keychain information, one to identify other devices on the same LAN, one to list installed apps and running processes, one to record screen activity, one to run commands, and one to collect Wi-Fi data.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
