Pirate spyware

Google’s Threat Analysis Group (TAG) has discovered multiple exploit chains using zero-day and n-day vulnerabilities in Android, iOS, and Chrome to install commercial spyware and malicious apps on target devices.

Attackers targeted iOS and Android users with separate exploit chains in an initial campaign spotted in November 2022.

They used text messages carrying bit.ly shortened links that first sent victims to pages triggering exploits for a WebKit zero-day remote code execution bug (CVE-2022-42856) and a sandbox escape bug (CVE-2021-30900), then redirected them to legitimate shipment tracking websites in Italy, Malaysia and Kazakhstan.

On compromised devices, threat actors dropped a payload that allowed them to track victims’ locations and install .IPA files.

In this campaign, an Android exploit chain was also used to attack devices with ARM GPUs, combining a zero-day Chrome GPU sandbox bypass (CVE-2022-4135), an ARM privilege escalation bug (CVE-2022-38181) and a Chrome type confusion bug (CVE-2022-3723) to deliver a payload that has not been recovered.

“When ARM released a patch for CVE-2022-38181, multiple vendors including Pixel, Samsung, Xiaomi, Oppo and others failed to implement the patch, resulting in a situation where attackers were able to freely exploit the bug for several months,” Clément Lecigne of Google TAG said.

Second round of attacks against Samsung users

A second campaign was spotted in December 2022 after Google TAG researchers discovered an exploit chain targeting up-to-date versions of the Samsung Internet browser using multiple zero-day and n-day vulnerabilities.

Targets in the United Arab Emirates (UAE) were redirected to exploit pages identical to those created by mercenary spyware vendor Variston for its Heliconia exploit framework. The chain targeted a long list of flaws, including:

  • CVE-2022-4262 – Chrome type confusion vulnerability (zero-day at time of exploitation)
  • CVE-2022-3038 – Chrome sandbox escape
  • CVE-2022-22706 – Mali GPU kernel driver vulnerability providing system access, patched in January 2022 (unpatched in Samsung firmware at time of the attacks)
  • CVE-2023-0266 – Linux kernel audio subsystem race condition vulnerability granting kernel read and write access (zero-day at time of exploitation)
  • The exploit chain also used several kernel information leaks when exploiting CVE-2022-22706 and CVE-2023-0266.

Ultimately, the exploit chain successfully deployed a C++-based spyware suite for Android, with libraries designed to decrypt and extract data from numerous chat and browser apps.

Both campaigns were highly targeted, and attackers “took advantage of the large time gap between the release of the patch and when it was fully rolled out to end-user devices,” Lecigne said.

“These campaigns may also indicate that exploits and techniques are being shared among surveillance vendors, allowing the proliferation of dangerous hacking tools.”

The discovery of these chains of exploitation was prompted by findings shared by Amnesty International’s Security Lab which also published information regarding the domains and infrastructure used in the attacks.

“The newly discovered spyware campaign has been active since at least 2020 and targets mobile and desktop devices, including users of Google’s Android operating system,” Amnesty International added in a separate report today.

“The spyware and zero-day exploits were delivered from a large network of over 1,000 malicious domains, including domains spoofing media websites in multiple countries.”

Spyware Vendor Tracking Efforts

This is part of an ongoing effort to keep tabs on the mercenary spyware market and track the zero-day vulnerabilities its vendors exploit to install their tools on the devices of human rights defenders, political activists, journalists, politicians, senior officials and other high-risk users worldwide.

As of May 2022, Google said it was actively tracking more than 30 vendors, of varying levels of public exposure and sophistication, known to sell surveillance capabilities or exploits to government-backed threat actors around the world.

In November 2022, Google TAG researchers revealed that they had linked an exploit framework known as Heliconia, which targeted vulnerabilities in Chrome, Firefox and Microsoft Defender, to Spanish software company Variston IT.

In June 2022, Google reported that some Internet Service Providers (ISPs) had helped Italian spyware vendor RCS Labs infect the devices of Android and iOS users in Italy and Kazakhstan with commercial surveillance tools.

A month earlier, Google TAG revealed another surveillance campaign in which state-backed attackers exploited five zero-days to install the Predator spyware developed by Cytrox.

Update March 29 at 10:12 a.m. EDT: Added more information from Amnesty International report.