Google’s Threat Analysis Group (TAG) discovered several exploit chains using Android, iOS, and Chrome zero-day and n-day vulnerabilities to install commercial spyware and malicious apps on targets’ devices.
The attackers targeted iOS and Android users with separate exploit chains as part of a first campaign spotted in November 2022.
They used text messages carrying bit.ly shortened links that first sent victims to pages triggering exploits for an iOS WebKit remote code execution zero-day (CVE-2022-42856) and a sandbox escape bug (CVE-2021-30900), and then redirected them to legitimate shipment websites in Italy, Malaysia, and Kazakhstan.
On compromised iOS devices, the threat actors dropped a payload allowing them to track the victims’ location and install .IPA files.
As part of the same campaign, an Android exploit chain was also used against devices with ARM GPUs, combining a Chrome GPU sandbox bypass zero-day (CVE-2022-4135), an ARM privilege escalation bug (CVE-2022-38181), and a Chrome type confusion bug (CVE-2022-3723) to deliver an unknown payload.
“When ARM released a fix for CVE-2022-38181, several vendors, including Pixel, Samsung, Xiaomi, Oppo and others, did not incorporate the patch, resulting in a situation where attackers were able to freely exploit the bug for several months,” Google TAG’s Clément Lecigne said.
Second series of attacks against Samsung users
A second campaign was spotted in December 2022 after Google TAG researchers found an exploit chain targeting up-to-date Samsung Internet Browser versions using multiple 0-days and n-days.
Targets in the United Arab Emirates (UAE) were redirected to exploit pages identical to the ones created by the Variston mercenary spyware vendor for its Heliconia exploitation framework, targeting a long list of flaws, including:
- CVE-2022-4262 – Chrome type confusion vulnerability (zero-day at time of exploitation)
- CVE-2022-3038 – Chrome sandbox escape
- CVE-2022-22706 – Mali GPU Kernel Driver vulnerability providing system access and patched in January 2022 (not addressed in Samsung firmware at the time of the attacks)
- CVE-2023-0266 – Linux kernel sound subsystem race condition vulnerability that gives kernel read and write access (zero-day at time of exploitation)
The exploit chain also used multiple kernel information leak zero-days when exploiting CVE-2022-22706 and CVE-2023-0266.
In the end, the exploit chain successfully deployed a C++-based spyware suite for Android, complete with libraries designed to decrypt and extract data from numerous chat and browser apps.
Both campaigns were highly targeted, and the attackers “took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices,” said Lecigne.
“These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools.”
The discovery of these exploit chains was prompted by findings shared by Amnesty International’s Security Lab, which also published information regarding domains and infrastructure used in the attacks.
“The newly discovered spyware campaign has been active since at least 2020 and targeted mobile and desktop devices, including users of Google’s Android operating system,” Amnesty International added in a separate report today.
“The spyware and zero-day exploits were delivered from an extensive network of more than 1000 malicious domains, including domains spoofing media websites in multiple countries.”
Spyware vendor tracking efforts
This is part of an ongoing effort to keep an eye on the mercenary spyware market and track the zero-day vulnerabilities these vendors exploit to install their tools on the vulnerable devices of human rights and political activists, journalists, politicians, and other high-risk users worldwide.
Google said in May 2022 that it was actively tracking more than 30 vendors, with varying levels of public exposure and sophistication, known to sell surveillance capabilities or exploits to government-sponsored threat actors worldwide.
In November 2022, Google TAG researchers revealed that they had linked an exploit framework known as Heliconia, targeting Chrome, Firefox, and Microsoft Defender vulnerabilities, to the Spanish software company Variston IT.
In June 2022, some Internet Service Providers (ISPs) helped Italian spyware vendor RCS Labs to infect the devices of Android and iOS users in Italy and Kazakhstan with commercial surveillance tools, according to Google.
One month earlier, another surveillance campaign was brought to light by Google TAG, where state-sponsored attackers exploited five zero-days to install Predator spyware developed by Cytrox.
Update March 29, 10:12 EDT: Added more info from Amnesty International’s report.