LightSpy Malware Expands Reach, Now Targeting Facebook & Instagram Data

Cybersecurity researchers have identified a new, enhanced version of the LightSpy spyware, which now boasts expanded data collection capabilities, particularly targeting Facebook and Instagram user data.

LightSpy’s Evolution

Initially discovered in 2020, LightSpy is a modular surveillance tool capable of infecting Windows, macOS, iOS, Android, and even routers to harvest sensitive user information. The malware was previously linked to cyberattacks in Hong Kong and has continuously evolved.

Notable features of the updated LightSpy implant include:

  • Expanded plugin support – increasing from 12 to 28 plugins, improving cross-platform functionality.
  • Targeting social media – now capable of extracting Facebook and Instagram database files from Android devices.
  • New control functions – shifting focus from raw data theft to transmission management and plugin tracking for better operational flexibility.
  • Destructive capabilities removed – iOS-specific destructive plugins have been eliminated, suggesting a shift in attack strategy.

Advanced Surveillance Across Multiple Platforms

A deep dive into LightSpy’s command-and-control (C2) infrastructure reveals that it supports over 100 commands across Android, iOS, Windows, Linux, and routers, allowing attackers to perform keylogging, audio recording, USB interaction, and remote device control.

Meanwhile, Hunt.io researchers discovered a hidden admin panel endpoint ("/phone/phoneinfo") that grants attackers remote access to infected mobile devices, though it's unclear whether this feature is new or an existing one that was previously undocumented.

Spyware Threats Expand Beyond LightSpy

LightSpy isn’t the only recent surveillance threat uncovered. Cybersecurity firm Cyfirma has exposed additional malware campaigns targeting Indian users:

  • SpyLend – A deceptive Android app called Finance Simplified that secretly installs predatory lending malware, collecting sensitive financial data while engaging in blackmail and extortion.
  • FinStealer – A banking malware impersonating legitimate banking apps to steal login credentials and execute fraudulent transactions, with Telegram bots used for covert data transmission.

Though the Finance Simplified app has been removed from Google Play, its 100,000+ installations highlight the growing sophistication of financially motivated cyber threats.

Growing Cyber Threats Demand Vigilance

The evolution of LightSpy and the emergence of financial malware show a rising trend of cybercriminals refining their tactics, focusing on social media surveillance, financial fraud, and remote control capabilities. Users and organizations must stay vigilant, regularly apply security updates, and be cautious of suspicious apps and phishing links to mitigate risks.