Dangerous LightSpy malware is now targeting macOS devices — here's what we know

Illustration of a laptop with a magnifying glass exposing a beetle on-screen
(Image credit: Shutterstock / Kanoktuch)

The infamous LightSpy surveillance framework has made it to Mac devices after researchers discovered a new version designed for the Apple OS.

Experts from ThreatFabric claim to have found evidence of in-the-wild use since at least January 2024; until now, LightSpy had been limited to Android and iOS devices.

As an extensive piece of mobile malware, LightSpy was found to be capable of exfiltrating contact information from compromised devices, harvesting both SMS and iMessage messages, and tracking victims' whereabouts via GPS location data. It is also capable of accessing photos, videos, and other multimedia stored on the device, collecting device information (model, operating system version, etc.), and exfiltrating browser data (browsing history and similar).

Older macOS targeted

Attackers have typically targeted people in the Asia-Pacific region with LightSpy, and while the expansion into macOS territory is certainly worrisome, there are a few mitigating points: LightSpy's macOS operations seem to be limited to testing environments, with cybersecurity researchers owning "a handful of infected machines". Furthermore, the targets are only macOS 10.13.3 users, so those with macOS 14 should be safe.

To compromise the endpoints, the attackers are leveraging two known WebKit flaws, tracked as CVE-2018-4233 and CVE-2018-4404.

A surveillance framework differs somewhat from your average malware in that its capabilities are delivered as separate plugins. The Android version of LightSpy used 13 plugins, while the iOS version used 16.

The macOS version, however, has 10 plugins: one to grab microphone data, one to pull browser information, one to use the device’s camera, one to pull files, one to grab macOS Keychain information, one to identify other devices on the same LAN, one to list installed apps and running processes, one to record screen activity, one to run commands, and one to collect Wi-Fi data.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.