PSA: iOS, Android users in Southeast Asia are being targeted by spyware

We have just received word from Kaspersky that there is an ongoing “watering-hole” campaign that is targeting mobile users in the Southeast Asian region, known simply as LightSpy. According to the cybersecurity experts, the spyware has successfully infested iPhones and Android smartphones, while researchers have also found indicators of malware affecting Macs, Windows PCs, Linux, and Linux-based routers.

The perpetrators behind the attacks haven’t been identified just yet, although Kaspersky has given them the temporary name of TwoSail Junk.

What is a watering-hole attack?

A watering-hole attack is when perpetrators look to compromise the machines of a specific group of users; this is done by infecting certain websites that this particular group of users would usually visit. That explains the name of the attack: a watering hole in the wild that animals in the area would collectively visit for water.

In this case, links to these malicious websites are posted on forums posts, instant messengers, and other communication platforms. Once the the link brings a victim to a (cloned) landing page, malware infects a user’s device—among other things, this allows for the perpetrators to have access to calls, audio, messages, and other private data on victims’ mobile devices.

Who is most at risk?

Kaspersky warns that users of iPhones who are running iOS versions of 12.2 (and older) are vulnerable to the spyware, while Android smartphone users have also been targeted.

“We tracked this particular framework and infrastructure beginning in January this year. It is an interesting example of an agile approach to developing and deploying surveillance framework in Southeast Asia.”

Users in Hong Kong were subjected to a large scale attack in January of this year, with iOS users led to fake landing pages for popular websites that were popular with residents. Again, links were spread through popular forums in the region—and the scariest bit? Victims’ devices were compromised simply by visiting these fake sites.

“There was no need even to tap anything.”

– Kaspersky

Tips to stay safe

In general, the usual advice applies. Avoid clicking on links that are suspicious in nature, especially those that come with vague promises that offer exclusive products/content. Avoid unsecured websites by ensuring that URLs begin with “https“, and ensure the authenticity of a site by doing some research online first. A good tip is also to examine the spelling of website names in URLs; CincauSoya would be a good example of this.

Additionally, you should keep all of your devices up to date with any OS updates. As mentioned, the spyware has been confirmed to have successfully compromised iOS devices on iOS 12.2 and older—Kaspersky says that users running iOS 13.4 should be safe from the spyware. Android users should also stay up to date so that any security vulnerabilities are patched.

For a more detailed breakdown, click here.