Apple iOS users in Hong Kong have been targeted by a large-scale spyware operation using news links posted in popular online forums to snare victims, according to Trend Micro.
In what the vendor is calling Operation Poisoned News, links in four different forums frequented by Hong Kong residents were found to use a hidden iframe to execute malicious code, exploiting flaws in iOS 12.1 and 12.2.
“The articles were posted by newly registered accounts on the forums in question, which leads us to believe that these posts were not made by users resharing links that they thought were legitimate,” said Trend Micro.
“The topics used as lures were either sex-related, clickbait-type headlines or news related to the COVID-19 disease.”
Alternatively, hackers copied a legitimate website and injected it with a malicious iframe.
The distribution of links to these malicious sites started on January 2, Trend Micro said.
The exploit chain includes a Safari bug which has no CVE, and a customized kernel exploit related to CVE-2019-8605. The final spyware payload, lightSpy, is designed to take full control of a victim’s device, exfiltrating GPS data, SMS messages, browsing history, contacts and content from messaging apps Telegram, QQ and WeChat.
A similar campaign was uncovered targeting Android devices in 2019, using spyware dubbed dmsSpy. It’s believed the two are linked.
“The design and functionality of operation suggests that the campaign isn’t meant to target victims, but aims to compromise as many mobile devices as possible for device backdooring and surveillance,” said Trend Micro.
The vendor refused to be drawn on the potential source of the attack. However, given the current political climate and widespread criticism of the Chinese Communist Party’s handling of the COVID-19 pandemic, Beijing-backed spies would be a natural choice.