Recent investigations by Google’s Threat Analysis Group (TAG) have uncovered the exploitation of several zero-day vulnerabilities last year, employed by commercial spyware vendors to target mobile devices on both Android and iOS platforms.

These two separate yet focused campaigns exploited the vulnerability gap that occurs between the announcement of fixes and their implementation on affected devices. Detailed information regarding the size of these campaigns and the specific targets involved remains largely unspecified.

Clement Lecigne from TAG noted the concerning trend of spyware vendors fueling the expansion of sophisticated cyber espionage tools that empower governments lacking the technical expertise to develop such capabilities internally. Such surveillance technologies, while potentially legal under various national or international statutes, have become instruments for governments that pursue dissidents, journalists, and political opponents.

The first operation, which came to light in November 2022, involved the dissemination of shortened URLs via SMS to users in countries including Italy, Malaysia, and Kazakhstan. When recipients clicked on these links, they were redirected to pages that hosted exploits targeting either Android or iOS devices before being sent to legitimate news sites or shipment tracking services.

In terms of the specifics, the iOS exploit chain utilized multiple vulnerabilities, including the then-zero-day CVE-2022-42856, alongside CVE-2021-30900 and a bypass for pointer authentication code (PAC), to install a malicious .IPA file onto the compromised device. The Android exploitation process involved a combination of three exploits: CVE-2022-3723, CVE-2022-4135 (also a zero-day at the time), and CVE-2022-38181. These were employed to deliver an undisclosed payload.

Notably, CVE-2022-38181, a privilege escalation vulnerability in the Mali GPU Kernel Driver, had been patched by Arm in August 2022, raising questions about whether adversaries were aware of this exploit before the patch’s announcement. Additionally, it was observed that Android users who accessed these links through the Samsung Internet Browser were redirected to Chrome via a technique known as intent redirection.

The second campaign, detected in December 2022, involved multiple zero-day and n-day vulnerabilities specifically targeting the latest version of the Samsung Internet Browser. These exploits were again delivered through SMS as ephemeral links to users in the United Arab Emirates.

The landing page crafted for this attack mirrored those used by the Spanish spyware vendor Variston IT, ultimately deploying a C++-based toolkit capable of extracting sensitive data from messaging and web applications. The vulnerabilities exploited in this instance included CVE-2022-4262, CVE-2022-3038, CVE-2022-22706, CVE-2023-0266, and CVE-2023-26083. It is believed that this exploit chain was utilized by partners or customers of Variston IT.

According to a coordinated report by Amnesty International, this December hacking initiative was characterized as advanced and sophisticated, with exploits sourced from a commercial surveillance firm and sold to government-backed hackers for targeted attacks. The report emphasized that this spyware operation has been active since at least 2020 and has targeted both mobile and desktop devices, including those running Android.

These findings emerged shortly after the announcement of a U.S. executive order prohibiting federal agencies from utilizing commercial spyware deemed a national security risk. Lecigne highlighted that these incidents serve as a stark reminder of the thriving industry surrounding commercial spyware, where even smaller vendors gain access to zero-day vulnerabilities, heightening the risk to the cybersecurity landscape.

Additionally, the possibility of information exchange between surveillance firms, concerning exploits and tactics used, raises significant alarms about the proliferation of dangerous hacking tools and methodologies.