Global spyware campaigns take advantage of zero-days in iOS, Android

Global spyware campaigns take advantage of zero-days in iOS, Android

Google’s Threat Analysis Group (TAG) detailed two distinct highly targeted spyware campaigns that used zero-day vulnerabilities and known but unpatched flaws in Android, iOS and Chrome to infect targets’ devices with commercial spyware.

The first campaign spotted in November 2022 targeted iOS and Android devices with two separate exploit chains that were delivered via bit.ly links sent over SMS. When clicked, the links redirected visitors to pages hosting exploits for either Android or iOS then redirected them to legitimate websites. This campaign was aimed at users in Italy, Malaysia and Kazakhstan.

The iOS exploit chain leveraged multiple flaws, including CVE-2022-42856 (a then zero-day), CVE-2021-30900, and a PAC bypass technique, to deliver an .IPA file (iOS application archive) onto the affected device.

The Android exploit chain targeted users on phones with an ARM GPU running Chrome versions prior to 106 and consisted of three exploits: CVE-2022-3723, CVE-2022-4135, and CVE-2022-38181.

The second campaign was discovered in December 2022 and involved an exploit chain consisting of multiple 0-days and n-days targeting the latest version of Samsung Internet Browser.

“The link directed users to a landing page identical to the one TAG examined in the Heliconia framework developed by commercial spyware vendor Variston. The exploit chain ultimately delivered a fully featured Android spyware suite written in C++ that includes libraries for decrypting and capturing data from various chat and browser applications. The actor using the exploit chain to target UAE users may be a customer or partner of Variston, or otherwise working closely with the spyware vendor,” the team wrote.

This exploit chain included multiple 0-days and n-days: CVE-2022-4262, CVE-2022-3038, CVE-2022-22706, CVE-2023-0266, as well as CVE-2023-26083.

“These campaigns are a reminder that the commercial spyware industry continues to thrive. Even smaller surveillance vendors have access to 0-days, and vendors stockpiling and using 0-day vulnerabilities in secret pose a severe risk to the Internet. These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools,” Google concluded.

Back to the list

Latest Posts

Qantas alerts customers to potential data breach after third-party cyberattack

Qantas alerts customers to potential data breach after third-party cyberattack

Attackers accessed and exfiltrated data from the compromised platform.
2 July 2025
US sanctions Russian bulletproof hosting for supporting cybercrime

US sanctions Russian bulletproof hosting for supporting cybercrime

The sanctions target Aeza Group’s parent entity, subsidiaries, and four individuals linked to the company’s leadership and operations.
2 July 2025
US agencies warn of rising cyber threats from Iran-linked hackers

US agencies warn of rising cyber threats from Iran-linked hackers

Recent months have seen a notable uptick in activity from Iranian-linked hacktivists and government-affiliated threat groups.
1 July 2025