The primary targets of these spyware campaigns were unsuspecting users in Italy, Malaysia, and Kazakhstan.
Google’s Threat Analysis Group (TAG) has discovered two highly-targeted mobile spyware campaigns that use zero-day exploits to deploy surveillance software against iPhone and Android smartphone users.
Google TAG discovered two “distinct, limited, and highly targeted” campaigns aimed at users of Android, iOS, and Chrome on mobile devices. The campaigns used zero-day and n-day exploits, taking advantage of the period between when vendors release vulnerability fixes and when hardware manufacturers update end-user devices with those patches, creating exploits for unpatched platforms.
These discoveries highlight the importance of timely software patching by vendors and end-users to prevent malicious actors from exploiting known vulnerabilities. The campaigns also suggest that surveillance software vendors share exploits and techniques to enable the proliferation of potentially dangerous hacking tools.
The first campaign (CVE-2022-42856; CVE-2022-4135) targeted iOS versions before 15.1 and Android devices with an ARM GPU running Chrome versions before 106, respectively. The exploit payload in the first campaign was a simple stager that pinged back the device's GPS location and allowed the attacker to install an .IPA file onto the affected handset, which can be used to steal information.
The campaign targeted both Android and iOS devices, with initial access attempts delivered via bit.ly URL-shortener links sent over SMS to users located in three countries: Italy, Malaysia, and Kazakhstan.
The second campaign (CVE-2022-4262; CVE-2023-0266), which included a complete exploit chain using both zero-days and n-days, targeted the latest version of the Samsung Internet browser.
The payload of the exploit in the second campaign was a C++-based, “fully-featured Android spyware suite” that included libraries for decrypting and capturing data from various chat and browser applications.
Google researchers suspect that the actor involved may be a customer, partner, or otherwise close affiliate of Variston, a commercial spyware vendor.
It is worth noting that as reported by Hackread.com last year, Variston is a Barcelona-based company that Google TAG exposed for exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender while posing as a custom cybersecurity solutions provider.
TAG actively tracks commercial spyware vendors, with more than 30 currently under observation, and identifies exploits or surveillance capabilities sold to state-sponsored actors. These dangerous hacking tools arm governments with surveillance capabilities they would not be able to develop in-house.
These tools, including spyware, are often used to target dissidents, journalists, human rights workers, and opposition-party politicians, posing life-threatening risks.
Although the use of surveillance technology is generally legal under most national or international laws, governments have abused these laws and technologies to target individuals who do not align with their agendas.
Regulators and vendors alike have been cracking down on the production and use of commercial spyware since revelations that governments had abused NSO Group’s Pegasus mobile spyware to target iPhone users drew international scrutiny.
On March 28, the Biden administration issued an executive order that restricts the use of commercial surveillance tools by the federal government, but Google’s findings show that these efforts have not thwarted the commercial-spyware scene.
It is imperative that regulations governing the production and use of commercial spyware be strengthened to ensure that they are not used to target individuals in violation of their fundamental rights.
The discoveries demonstrate that those creating the exploits are keeping a close eye on vulnerabilities they can exploit for nefarious purposes and are likely colluding to maximize the potential for using them to compromise targeted devices.