Google’s Threat Analysis Group (TAG) detailed two distinct, highly targeted spyware campaigns that used zero-day vulnerabilities and known but unpatched (n-day) flaws in Android, iOS and Chrome to infect targets’ devices with commercial spyware.
The first campaign, spotted in November 2022, targeted iOS and Android devices with two separate exploit chains delivered via bit.ly links sent over SMS. When clicked, the links took visitors to pages hosting exploits for either Android or iOS and then redirected them to legitimate websites. This campaign was aimed at users in Italy, Malaysia and Kazakhstan.
The iOS exploit chain combined CVE-2022-42856 (a WebKit flaw that was a zero-day at the time), CVE-2021-30900 (an n-day privilege-escalation bug patched in iOS 15.1) and a PAC (Pointer Authentication Code) bypass technique to deliver an .IPA file (iOS application archive) to the affected device.
The Android exploit chain targeted phones with an ARM GPU running Chrome versions prior to 106 and consisted of three exploits: CVE-2022-3723 (a type-confusion bug in Chrome), CVE-2022-4135 (a Chrome GPU sandbox bypass affecting only Android, a zero-day when exploited) and CVE-2022-38181 (a privilege-escalation bug in the ARM Mali GPU kernel driver, which ARM had fixed in August 2022 but which had not yet reached the targeted devices).
The second campaign, discovered in December 2022, used an exploit chain of multiple 0-days and n-days against what was then the latest version of the Samsung Internet Browser; the exploits were delivered via one-time links sent over SMS to devices in the UAE.
“The link directed users to a landing page identical to the one TAG examined in the Heliconia framework developed by commercial spyware vendor Variston. The exploit chain ultimately delivered a fully featured Android spyware suite written in C++ that includes libraries for decrypting and capturing data from various chat and browser applications. The actor using the exploit chain to target UAE users may be a customer or partner of Variston, or otherwise working closely with the spyware vendor,” the team wrote.
The chain used CVE-2022-4262 (a Chrome type-confusion bug, a zero-day at the time), CVE-2022-3038 (a Chrome sandbox escape), CVE-2022-22706 (an ARM Mali GPU kernel driver flaw, fixed by ARM in January 2022 but unpatched on the targeted Samsung devices), CVE-2023-0266 (a race condition in the Linux kernel sound subsystem, a zero-day at the time) and CVE-2023-26083 (information-leak bugs in the Mali GPU kernel driver).
“These campaigns are a reminder that the commercial spyware industry continues to thrive. Even smaller surveillance vendors have access to 0-days, and vendors stockpiling and using 0-day vulnerabilities in secret pose a severe risk to the Internet. These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools,” Google concluded.