Inside LightSpy Android malware
- The main functionalities of the Core include gathering device fingerprints, establishing a full connection with the C2 server, and retrieving commands from the server.
- In total, LightSpy Core supports 24 different commands, with one of them giving instructions to update itself and the plugins.
About the new plugins
Researchers observed 14 plugins across 20 active servers. Together they are capable of exfiltrating a variety of sensitive data and capturing screenshots from multiple messaging apps and system components. Three of these plugins deserve special mention:
- Location module plugin: It is responsible for tracking the user's current location via snapshots taken at specific time intervals.
- Soundrecord plugin: It can start a microphone recording, even during incoming phone calls. Furthermore, the plugin can record WeChat VoIP audio conversations using a native library called libwechatvoipCoMm.so.
- Bill plugin: This plugin is responsible for stealing the payment history of WeChat Pay, which includes the last bill ID, bill type, transaction ID, date, and payment processing flag.
Researchers have found several active servers across mainland China, Hong Kong, Taiwan, Singapore, and Russia, which suggests that the threat remains active in the wild. Furthermore, since the attackers primarily leverage popular software and applications as a distribution channel, users are advised to avoid installing software from untrusted sources.