Cybersecurity researchers have flagged an updated version of the LightSpy implant that is equipped with an expanded set of data collection features to extract information from social media platforms such as Facebook and Instagram.
LightSpy is the name given to a modular spyware capable of infecting both Windows and Apple systems with the goal of harvesting data. It was first documented in 2020, targeting users in Hong Kong.
The data it can gather includes Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, SMS messages, and data from various apps such as Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.
At the end of last year, ThreatFabric detailed an updated version of the malware that expanded the number of supported plugins from 12 to 28 and added destructive capabilities to prevent the compromised device from booting.
Previous findings have also highlighted a potential overlap between LightSpy and an Android malware named DragonEgg, underscoring the cross-platform nature of the threat.
The latest analysis of LightSpy's malicious command-and-control (C2) infrastructure by Hunt.io has revealed support for more than 100 commands spanning Android, iOS, Windows, macOS, routers, and Linux.
"The new command list shifts the focus from direct data collection to comprehensive operational control, including transmission management ("") and plugin version tracking ("")," the company said.
"These additions suggest a more flexible and adaptable framework, allowing LightSpy operators to manage deployments across multiple platforms more efficiently."
Notable among the new commands is the ability to target Facebook and Instagram application database files for data extraction from Android devices. But in an interesting twist, the threat actors have removed the iOS plugins associated with destructive functionality on compromised hosts.
Also discovered were 15 Windows-specific plugins designed for system monitoring and data collection, most of which are geared toward keylogging, audio recording, and USB interaction.
The threat intelligence firm said it also discovered an endpoint ("/phone/phoninfo") in the administrator panel that gives logged-in users the ability to remotely control infected mobile devices. It is not currently known whether these represent new developments or older versions that had already been identified.
"The shift from targeting messaging applications to Facebook and Instagram expands the ability to collect personal messages, contact lists, and metadata from widely used social platforms," Hunt.io said.
"Extracting these database files can provide attackers with conversations, user connections, and potentially session-related data, enhancing surveillance capabilities and opening further exploitation opportunities."
The disclosure comes as Cyfirma has revealed details of an Android malware that poses as a finance app called Finance Simplified (APK name "Com.Someca.count") on the Google Play Store but is tied to predatory lending, blackmail, and extortion aimed at Indian users.
"By leveraging location-based targeting, the app displays a list of unauthorized loan apps that operate entirely within a WebView, allowing the attackers to bypass the Play Store's vetting process," the company said.
"Once installed, these loan apps harvest sensitive user data, apply exploitative lending practices, and employ blackmail tactics to extort money."
Some of the advertised loan apps are KreditPro (formerly KreditApple), MoneyAPE, StashFur, FairBalance, and PokketMe. Users who install Finance Simplified from outside India are served a harmless WebView that lists various calculators for personal finance, accounting, and taxation, suggesting that the campaign is specifically designed to target Indian users.
The app is no longer available for download from the official Android app marketplace. According to data available from Sensor Tower, the application was published in mid-December 2024 and attracted more than 100,000 installs.
"Initially presented as a harmless finance management application, it downloads a fraudulent loan app from an external download URL, which, once installed, obtains wide-ranging permissions to access sensitive data, including files, contacts, call logs, SMS, clipboard contents, and even the camera," Cyfirma reported.
Indian retail banking customers have also become the target of another campaign that distributes a malware codenamed FinStealer, which impersonates legitimate banking apps and is engineered to facilitate financial fraud by harvesting login credentials and carrying out unauthorized transactions.
"Distributed via phishing links and social engineering, the fake apps closely mimic legitimate banking apps, exposing users' credentials, financial data, and personal details," the company said.
"Using Telegram bots, the malware can receive instructions and send data without raising suspicion, making it more difficult for security systems to detect and block the communication."