Google’s Threat Analysis Group (TAG) has revealed tracking over 30 commercial spyware vendors that facilitate the spread of malware by government-backed threat actors.
Writing in a blog post published earlier today, TAG’s Clement Lecigne said these vendors are arming countries that would otherwise not be able to develop these tools.
“While the use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers and opposition party politicians,” Lecigne wrote.
In particular, the post describes two highly targeted campaigns leveraging various zero-day exploits against Android, iOS and Chrome devices.
The first of them is based on an iOS remote code execution vulnerability (CVE-2022-42856) and a heap buffer overflow vulnerability in the Chrome web browser (CVE-2022-4135). The campaign relied on bit.ly links sent over SMS to potential victims in Italy, Malaysia and Kazakhstan.
On iOS devices, this campaign eventually delivers a payload pinging back the GPS location of the device. It also gives the attacker the ability to install an .IPA file (iOS application archive) onto the victim’s machine. The attack chain was similar on Android, with the main difference being that the attackers targeted phones with an ARM GPU running Chrome versions before 106.
The second campaign observed by TAG was discovered in December 2022. It relied on a complete exploit chain consisting of multiple zero-days and n-days targeting the latest version of the Samsung Internet Browser.
“The link directed users to a landing page identical to the one TAG examined in the Heliconia framework developed by commercial spyware vendor Variston,” Lecigne explained. “The exploit chain ultimately delivered a fully featured Android spyware suite written in C++ that includes libraries for decrypting and capturing data from various chat and browser applications.”
The researcher added that the threat actor behind this second campaign targeted UAE users and may be a customer or partner of Variston, or otherwise working closely with them.
“The exploit chain TAG recovered was delivered to the latest version of Samsung’s Browser, which runs on Chromium 102 and does not include recent mitigations. If they had been in place, the attackers would have needed additional vulnerabilities to bypass the mitigations,” Lecigne said.
Google confirmed it reported these vulnerabilities to the vendors, who promptly issued patches for all of them.