Google’s Threat Analysis Group (TAG) has revealed that it tracks more than 30 commercial spyware vendors that sell exploits or surveillance capabilities to government-backed attackers.
TAG’s Clement Lecigne said in a blog post published today that these vendors are arming governments that would otherwise be unable to develop such tooling themselves.
“While the use of surveillance technology may be legal under national or international law, it can be used by governments to target dissidents, journalists, human rights activists and opposition politicians,” Lecigne wrote.
In particular, the post describes two highly targeted campaigns that chained several zero-day exploits against Android and iOS devices and the Chrome browser.
The first relied on an iOS remote code execution vulnerability (CVE-2022-42856) and a heap buffer overflow in the Chrome web browser (CVE-2022-4135). The campaign delivered bit.ly links via SMS to potential victims in Italy, Malaysia and Kazakhstan.
On iOS devices, the campaign ultimately delivered a payload that reports the device’s GPS location; the attacker could also install an .IPA file (iOS application archive) on the victim’s device. The attack chain on Android was similar, the main difference being that the attackers targeted phones with ARM GPUs running Chrome versions prior to 106.
The second campaign observed by TAG was discovered in December 2022. It relied on a link that delivered a complete exploit chain, consisting of multiple zero-days and n-days, against the latest version of the Samsung Internet browser.
“This link led users to the same landing page as one TAG investigated in the Heliconia framework developed by commercial spyware vendor Variston,” explained Lecigne. “The exploit chain eventually delivered a full-featured Android spyware suite written in C++, which includes libraries for decrypting and capturing data from various chat and browser applications.”
The researcher added that the attackers behind this second campaign targeted users in the UAE and may be customers or partners of Variston, or otherwise working closely with them.
“The exploit chain TAG recovered was delivered to the latest version of Samsung’s browser, which runs on Chromium 102 and does not contain recent mitigations; otherwise, an additional vulnerability would have been needed,” Lecigne said.
Google confirmed that it had reported these vulnerabilities to the affected vendors, which promptly issued patches for all of them.