
A recent iOS-targeting version of the LightSpy malware includes over a dozen new plugins, many with destructive capabilities, according to cybersecurity firm ThreatFabric.
The LightSpy malware came to light in 2020, after it was observed targeting the iPhones of users in Hong Kong. Threat actors had been attempting to take over devices and steal data using the malware.
The attackers at the time had exploited iOS vulnerabilities to deliver the spyware and collect a wide range of information from compromised devices, including location, call and browser history, messages, and passwords.
More recent research led to the discovery of Android and macOS versions of LightSpy as well.
Earlier this year, BlackBerry reported seeing LightSpy mobile espionage campaigns aimed at users in South Asia, with evidence suggesting that India was likely targeted. BlackBerry also found indications that LightSpy may be the work of a state-sponsored group of Chinese origin.
ThreatFabric earlier this year came across a newer version of LightSpy for iOS and determined that — in addition to updates made to the core of the malware — the number of plugins it uses to perform various tasks has increased from 12 to 28. The company disclosed its findings on Tuesday.
The company’s researchers found that the malware can now target newer versions of iOS (up to iOS 13.3) than the previously seen LightSpy samples. The new LightSpy for iOS exploits CVE-2020-9802 for initial access and CVE-2020-3837 for privilege escalation.
Initial access is likely achieved through malicious websites that exploit CVE-2020-9802, a remote code execution vulnerability in Safari. The exploit chain then proceeds through a jailbreak stage, a loader stage, and finally the delivery of the malware core.