Google’s Threat Analysis Group (TAG) uncovers new exploit chains that target zero-day and n-day vulnerabilities in Android, iOS, and Chrome. It install commercial spyware and malicious apps on targeted devices. The campaigns have highly targeted attacks, aimed at human rights and political activists, journalists, politicians, and other high-risk users worldwide.
Campaign 1: Exploit chains targeting iOS and android devices
Google’s TAG discovered that threat actors had used text messages containing bit.ly shortened links. It was to redirect victims to legitimate shipment websites from Italy, Malaysia, and Kazakhstan. These links would take the user to pages that trigger exploits using a WebKit remote code execution zero-day (CVE-2022-42856). Also a sandbox escape (CVE-2021-30900) bug. The attackers also used an Android exploit chain. This was to attack devices featuring ARM GPUs with a Chrome GPU sandbox bypass zero-day (CVE-2022-4135). Also an ARM privilege escalation bug (CVE-2022-38181), and a Chrome type confusion bug (CVE-2022-3723) with an unknown payload.
When ARM released a fix for CVE-2022-38181, several vendors. It includes Pixel, Samsung, Xiaomi, Oppo, and others. It did not incorporate the patch, resulting in a situation where attackers could exploit the bug for several months freely. On compromised devices, the threat actors dropped a payload allowing them to track the victims’ location and install .IPA files.
Campaign 2: Exploit chains Samsung internet browser versions
In December 2022, Google’s TAG researchers found an exploit chain targeting up-to-date Samsung Internet Browser versions. It was done using multiple zero-days and n-days. Targets from the United Arab Emirates (UAE) were redirected to exploit pages identical to Variston commercial spyware vendor. For its Heliconia exploitation framework, targeting a long list of flaws.
The exploit chain successfully deployed a C++-based spyware suite for Android. It has libraries designed to decrypt and extract data from numerous chat and browser apps. The exploit chain exploited multiple kernel information leak zero-days when exploiting CVE-2022-22706 and CVE-2023-0266.
Spyware vendor tracking efforts using zero day
Google’s TAG has been keeping an eye on the commercial spyware market and tracking the zero-day vulnerabilities they’re exploiting to install their tools on the vulnerable devices of high-risk users worldwide. In May 2022, Google stated that it was actively tracking over 30 vendors with variable levels of public exposure and sophistication known to sell surveillance capabilities or exploits to government-sponsored threat actors worldwide.
Google’s TAG researchers revealed in November 2022 that it had linked an exploit framework known as Heliconia and targeting Chrome, Firefox, and Microsoft Defender vulnerabilities to the Variston IT Spanish software company. In June, it reported that some Internet Service Providers (ISPs) helped Italian spyware vendor RCS Labs infect the devices of Android and iOS users in Italy and Kazakhstan with commercial surveillance tools.
In conclusion, these campaigns may indicate that exploits and techniques are being in sharing between surveillance vendors, enabling the proliferation of dangerous hacking tools. As the commercial spyware market continues to evolve, Google’s TAG will continue to monitor and track the vulnerabilities being exploited to ensure the security of high-risk users worldwide.
