Google: Spyware campaigns exploiting security holes in Android, iOS

Google reveals spyware campaigns exploiting security holes in Android, iOS

Highly targeted campaigns are a reminder that 'the commercial spyware industry continues to thrive,' researchers warn

Google's Threat Analysis Group (TAG) has uncovered two highly targeted spyware campaigns that are using both known vulnerabilities and zero-day exploits in Android, iOS and Chrome to install malicious apps and commercial spyware on the devices of the intended targets.

Google security engineer Clement Lecigne published a blog post on Wednesday outlining the findings of TAG's discovery of two "limited and highly targeted" spyware campaigns.

TAG discovered the first campaign in November 2022 and found that threat actors were using exploits targeting both Android and iOS devices.

This campaign targeted specific individuals in Italy, Malaysia and Kazakhstan and used Bitly short links, sent to the targets over SMS, to deliver the exploits.

Upon clicking the links, visitors were redirected to pages hosting exploits specifically tailored for either Android or iOS devices.

The targets were then redirected to legitimate websites, such as the shipment tracking page of the Italian logistics company BRT or a popular Malaysian news website.

The iOS exploit chain used in the campaign targeted devices running versions of iOS prior to 15.1. It consisted of multiple exploits, including CVE-2022-42856, a remote code execution vulnerability in WebKit that was a zero-day at the time of exploitation.

The chain also used CVE-2021-30900, a sandbox escape and privilege escalation vulnerability in AGXAccelerator, Apple's GPU driver. That bug was fixed in iOS 15.1, which is why the chain only ran against earlier versions.

The Android exploit chain in this campaign was specifically designed to target users on phones with an ARM GPU running versions of Chrome prior to 106.

This chain used three exploits. One of them, CVE-2022-4135, a Chrome GPU sandbox bypass affecting only Android, was a zero-day at the time of exploitation. The other two were CVE-2022-3723, a type confusion bug in Chrome, and CVE-2022-38181, a privilege escalation bug in the ARM Mali GPU driver.

The final payload of the iOS chain was a simple stager. Upon successful exploitation, the stager pinged back the GPS location of the target device to the attacker and allowed them to install an .IPA file (an iOS app package) on the affected handset. That app could then be used to steal sensitive information from the target.
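As an added illustration, not code from Google TAG or from this article, the following Python flags devices whose version falls inside the windows the article names: iOS prior to 15.1 for the iOS chain and Chrome prior to 106 on Android for the Android chain. It reads user-agent strings of the kind found in a web proxy log, MDM export or web server log; the sample strings are constructed for the example, and the handling of Samsung Internet (flagged for review rather than decided, since the article names it as a target but gives no version window) is an assumption.

```python
import re

# Version windows as given in the article for the first campaign:
# the iOS chain targeted iOS prior to 15.1, the Android chain targeted
# Chrome prior to 106 on phones with an ARM GPU.
IOS_FIXED_IN = (15, 1)
CHROME_FIXED_IN_MAJOR = 106

# Constructed sample user agents for the demo (not observed in the campaign).
SAMPLE_UAS = [
    "Mozilla/5.0 (iPhone; CPU iPhone OS 14_8_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/104.0.5112.99 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Linux; Android 12; SM-G991B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.136 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.65 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-S908B) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/19.0 Chrome/102.0.0.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36",
]

_IOS_RE = re.compile(r"iPhone OS (\d+)_(\d+)(?:_(\d+))?")
_ANDROID_RE = re.compile(r"\bAndroid\b")
_CHROME_RE = re.compile(r"\bChrome/(\d+)\.")
_SAMSUNG_RE = re.compile(r"\bSamsungBrowser/(\d+)")


def ios_version(ua):
    """iOS version as a tuple of ints, or None if the UA is not an iOS device."""
    m = _IOS_RE.search(ua)
    if not m:
        return None
    return tuple(int(x) for x in m.groups() if x is not None)


def chrome_major(ua):
    """Chrome major version from the UA, or None if there is no Chrome token."""
    m = _CHROME_RE.search(ua)
    return int(m.group(1)) if m else None


def classify(ua):
    """Return (platform, exposed, note) for one user agent.

    exposed is True inside a version window the article names, False outside it,
    and None when the UA alone cannot decide; the note says what to check next.
    """
    ios = ios_version(ua)
    if ios is not None:
        # Every browser on iOS (Safari, Chrome as CriOS, ...) is built on WebKit,
        # so the OS version alone decides exposure to the WebKit-based chain.
        if ios < IOS_FIXED_IN:  # tuple comparison: (14, 8, 1) < (15, 1)
            return ("ios", True, "iOS %s is below 15.1: in range of the iOS chain" % ".".join(map(str, ios)))
        return ("ios", False, "iOS 15.1 or later")

    if _ANDROID_RE.search(ua):
        # Samsung Internet also carries a Chrome/ token (its Chromium base), so
        # test for it first. The article gives no version window for it, so the
        # 'review' outcome here is an assumption of this example.
        if _SAMSUNG_RE.search(ua):
            return ("android-samsung-internet", None, "Samsung Internet: named as a target, no version window given")
        major = chrome_major(ua)
        if major is None:
            return ("android", None, "no Chrome token in UA")
        if major < CHROME_FIXED_IN_MAJOR:
            # The chain also required an ARM GPU, which a UA does not reveal.
            return ("android", True, "Chrome %d is below 106: in range if the device has an ARM GPU" % major)
        return ("android", False, "Chrome 106 or later")

    return ("other", False, "not a mobile platform covered by the article")


def triage(uas):
    """Count user agents per outcome: exposed, clear, or needs review."""
    counts = {"exposed": 0, "clear": 0, "review": 0}
    for ua in uas:
        _, exposed, _ = classify(ua)
        key = "exposed" if exposed else ("review" if exposed is None else "clear")
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(classify(ua))
    print(triage(SAMPLE_UAS))
```

A user agent cannot show whether a phone has an ARM GPU, so Android hits are candidates to cross-check against the device model, and a current browser version says nothing about whether the OS itself was patched. Treat the output as a patch-exposure triage list, not as evidence of compromise.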

Second campaign

TAG uncovered the second campaign in December 2022. It used a complete exploit chain of multiple zero-day and n-day exploits, including CVE-2022-4262 (a Chrome type confusion bug, a zero-day at the time), CVE-2022-3038 (a Chrome sandbox escape), CVE-2022-22706 (a Mali GPU kernel driver bug) and CVE-2023-0266 (a race condition in the Linux kernel sound subsystem, also a zero-day at the time), and targeted the latest version of the Samsung Internet Browser.

The exploits were delivered to target devices in the United Arab Emirates (UAE) through one-time links sent via SMS.

Once the SMS links were clicked, users were directed to a landing page that was identical to the one that TAG had previously examined in the Heliconia framework developed by the commercial spyware vendor Variston.

The exploit chain in this campaign ultimately delivered a fully-featured Android spyware suite written in C++. It included libraries that enabled the decryption and capture of data from various chat and browser applications.

According to Google, the actor responsible for using the exploit chain to target users in the UAE could potentially be a customer or partner of Variston, or could be working closely with the spyware vendor.

Amnesty International's Security Lab, which reported the second campaign to Google, said in its report that this campaign has been active since at least 2020 and targeted both mobile and desktop devices.

It added that exploits in the campaign were delivered from a network of over 1,000 malicious domains.

Amnesty's researchers also identified campaign-related activity in Indonesia, Belarus and Italy, adding that these countries are likely only a small fraction of the campaign's reach, given how widespread the attack infrastructure is.

"Unscrupulous spyware companies pose a real danger to the privacy and security of everyone. We urge people to ensure they have the latest security updates on their devices," said Donncha Ó Cearbhaill, head of Amnesty International's Security Lab.

"While it is vital such vulnerabilities are fixed, this is merely a sticking plaster to a global spyware crisis. We urgently need a global moratorium on the sale, transfer, and use of spyware until robust human rights regulatory safeguards are in place, otherwise sophisticated cyber-attacks will continue to be used as a tool of repression against activists and journalists."

TAG researchers have reported that they are currently tracking over 30 vendors who sell exploits or surveillance capabilities to government-backed actors, each with varying levels of sophistication and public exposure.

They have warned that these campaigns are a reminder that the commercial spyware industry continues to thrive.

The latest revelation comes just two days after it emerged that at least 50 US government personnel were targeted with commercial spyware, allowing hackers to gain access to and spy on the victims' devices.

Senior officials at the White House disclosed that the known victims worked in "at least 10 countries" spanning different continents and that there could be more such instances.

President Biden issued an executive order on Monday prohibiting US government agencies from using commercial spyware if it presents a danger to national security or human rights. The new presidential order is meant to put pressure on the secretive business by placing additional restrictions on US government intelligence, law enforcement and military purchase decisions.