iPhone 15

Around this time just one week ago, iPhone users in 92 counties received a bizarre notification on their device.

“Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID,” read the notification. “This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously.”

Apple posted an announcement on its website giving basic details for why the company would generally send out a notification warning like this. However, the company has been relatively mum on the situation since. And it never quite disclosed the exact threat that spurred Apple to send out that notification to those users at that specific time.

Now, a new report appears to have solved the mystery.

China-linked LightSpy spyware

The Apple news outlet Apple Insider noticed a report by Blackberry — yes, the mobile phone company that was popular in the 2000s and has since pivoted into a cybersecurity firm — that appears to have gotten to the bottom of the spyware notification situation.

According to Blackberry, the spyware that iPhone users were warned about is called LightSpy, which is described in the report as a “sophisticated iOS implant.” 

The report points out that this is a concerning development because LightSpy was last seen used in a campaign during the 2020 political protests in Hong Kong. So, this latest attack appears to be a reemergence of LightSpy.

LightSpy is “a fully-featured modular surveillance toolset,” according to Blackberry. The spyware can pull targets’ private information, which includes pinpoint-accurate location data as well as data from messaging applications, text messages, phone call history, and web browser history. It can even create sound recordings from the device, including recording during VOIP calls. 

LightSpy has been used by attackers to target individuals in Southeast Asia, including India, for the most part, which explains why those notifications were mostly received by iPhone users located in that general region. The messaging apps mentioned in Blackberry’s report are among the most popular in that part of the world: QQ, WeChat, and Telegram. In addition, LightSpy can pull payment history from targets from the WeChat Pay service.

Blackberry believes this attack was once again perpetrated by China-based or native Chinese-speaking actors, as with previous LightSpy campaigns, and there’s a potential for state-sponsored involvement as well.

The report recommends that users who have reason to be targeted, whether due to their employment or activism, utilize Apple’s Lockdown Mode, which the iPhone-maker describes as a feature used to “protect devices against extremely rare and highly sophisticated cyber attacks.”