30 March 2023

Global spyware campaigns take advantage of zero-days in iOS, Android


Google’s Threat Analysis Group (TAG) detailed two distinct, highly targeted spyware campaigns that chained zero-day vulnerabilities with n-day flaws (bugs already patched upstream but still unpatched on victims’ devices) in Android, iOS and Chrome to infect targets’ devices with commercial spyware.

The first campaign, spotted in November 2022, targeted iOS and Android devices with two separate exploit chains that were delivered via bit.ly links sent over SMS. When clicked, the links redirected visitors to pages hosting exploits for either Android or iOS and then bounced them on to legitimate websites, so the victim saw nothing unusual. This campaign was aimed at users in Italy, Malaysia and Kazakhstan.
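The delivery mechanism above, a shortener link that hops through an exploit host before landing on a benign site, is one an analyst can unwrap safely without ever rendering the intermediate page. The following is an added example, not code from Google TAG or from the article: it follows a redirect chain one HEAD request at a time with automatic redirects disabled, records every hop, stops on loops or after a hop limit, and reports the hosts that sit between the shortener and the final destination. The hostnames, paths and response table in the demo are constructed for illustration (bit.ly is the real shortener named in the article; `cdn-update-check.example` and the other hosts are placeholders).

```python
"""Unwrap a shortened link hop by hop without auto-following redirects.

Added example, not part of the original article or of Google TAG's tooling.
The live fetcher uses only HEAD requests and never follows a redirect on its
own, so the body of an exploit page is never requested; the offline demo
replaces it with a constructed response table.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every redirect so each 3xx surfaces as an HTTPError we inspect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=10):
    """Live fetcher: one HEAD request, returns (status, Location header or None).

    Not exercised by the offline demo below; swap it in for real links.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "link-expander/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # A 3xx with redirects disabled lands here; keep its Location.
        return err.code, err.headers.get("Location")


def expand_chain(url, fetch, max_hops=MAX_HOPS):
    """Return every URL visited, in order, from the shortener to the first
    non-redirect response. Stops early on a loop or when max_hops is reached
    (both are worth treating as suspicious in their own right)."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if not (300 <= status < 400) or not location:
            return chain
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        if url in seen:
            return chain  # redirect loop
        seen.add(url)
    return chain  # hop limit hit


def intermediate_hosts(chain, known_shorteners):
    """Hosts between the shortener and the final landing page, excluding
    other known shorteners: this is where an exploit page would sit."""
    hosts = [urlparse(u).hostname or "" for u in chain]
    out = []
    for host in hosts[1:-1]:
        if host not in known_shorteners and host not in out:
            out.append(host)
    return out


# Constructed offline stand-in for the network: a short link that passes
# through one unknown host before landing on a legitimate-looking page.
CONSTRUCTED_RESPONSES = {
    "https://bit.ly/3xample": (301, "https://cdn-update-check.example/l/9f2a"),
    "https://cdn-update-check.example/l/9f2a": (302, "/landing?v=1"),
    "https://cdn-update-check.example/landing?v=1":
        (302, "https://www.example.com/news"),
    "https://www.example.com/news": (200, None),
}


def fake_fetch(url):
    """Offline fetcher backed by the constructed table above."""
    return CONSTRUCTED_RESPONSES.get(url, (404, None))


def demo():
    """Run the offline walk and return (chain, suspicious hosts)."""
    chain = expand_chain("https://bit.ly/3xample", fake_fetch)
    return chain, intermediate_hosts(chain, {"bit.ly"})


if __name__ == "__main__":
    chain, suspects = demo()
    for i, hop in enumerate(chain):
        print(f"hop {i}: {hop}")
    print("hosts to investigate:", suspects)
```

Run it against a real SMS link by replacing `fake_fetch` with `http_head`, ideally from an isolated network, since the intermediate host will still see a request from your IP. Any host reported by `intermediate_hosts` that is not a known redirector is a candidate for pulling the page with a non-browser client and examining the JavaScript it serves.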

The iOS exploit chain leveraged multiple flaws: CVE-2022-42856, a WebKit bug that was a zero-day at the time, a Pointer Authentication Code (PAC) bypass technique, and CVE-2021-30900, an already-patched n-day used for the later stages, to deliver an .IPA file (iOS application archive) onto the affected device.

The Android exploit chain targeted users on phones with an Arm Mali GPU running Chrome versions prior to 106 and consisted of three exploits: CVE-2022-3723 (a V8 type confusion used for initial code execution in the renderer), CVE-2022-4135 (a Chrome GPU-process bug used to escape the browser sandbox), and CVE-2022-38181 (a flaw in the Arm Mali GPU kernel driver used for privilege escalation).

The second campaign was discovered in December 2022 and involved an exploit chain of multiple 0-days and n-days targeting the latest version of Samsung Internet Browser, a Chromium-based browser, delivered as one-time links sent over SMS.

“The link directed users to a landing page identical to the one TAG examined in the Heliconia framework developed by commercial spyware vendor Variston. The exploit chain ultimately delivered a fully featured Android spyware suite written in C++ that includes libraries for decrypting and capturing data from various chat and browser applications. The actor using the exploit chain to target UAE users may be a customer or partner of Variston, or otherwise working closely with the spyware vendor,” the team wrote.

The chain consisted of: CVE-2022-4262 (a V8 type confusion that was a Chrome zero-day at the time), CVE-2022-3038 (a Chrome sandbox escape), CVE-2022-22706 (an Arm Mali GPU kernel driver flaw), CVE-2023-0266 (a race condition in the Linux kernel’s ALSA sound subsystem, used for privilege escalation), and CVE-2023-26083 (an Arm Mali GPU driver information leak). Because Samsung Internet is built on Chromium, the Chrome bugs applied to it directly, even though the device was running the browser’s latest release.

“These campaigns are a reminder that the commercial spyware industry continues to thrive. Even smaller surveillance vendors have access to 0-days, and vendors stockpiling and using 0-day vulnerabilities in secret pose a severe risk to the Internet. These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools,” Google concluded.
