In November 2022, Google revealed the existence of a then-unknown spyware vendor called Variston. Now Google researchers say they have seen hackers using Variston's tools in the United Arab Emirates.
In a report published Wednesday, Google’s Threat Analysis Group (TAG) said it had discovered hackers targeting people in the UAE who use Samsung’s native Android browser, a customized version of Chromium. The hackers used a chain of vulnerabilities delivered through one-time web links sent to targets in text messages. According to TAG’s blog post, two of the four vulnerabilities in the chain were zero-days at the time of the attack: they had not been reported to the software makers and were unknown to them.
When a target clicks the malicious link, it directs them to a landing page “identical to one TAG researched in the Heliconia framework developed by commercial spyware vendor Variston.” (Google told TechCrunch that both campaigns used the exact same unique landing page.) Once exploited, victims were served what Google described as a “full-featured” Android spyware suite with
“Actors using exploit chains to target users in the UAE may be customers or partners of Variston or work closely with spyware vendors,” the blog post read.
It is unclear who is behind the hacking campaign or who the victims are. A Google spokesperson told TechCrunch that TAG observed about 10 malicious web links. Some of the links redirected to Stack Overflow after exploitation, which the spokesperson said may indicate an attacker test device.
Samsung did not respond to a request for comment.
Ralf Wegener and Ramanan Jayaraman are the founders of Variston, according to Intelligence Online, an online news publication covering the surveillance industry. Neither founder responded to requests for comment. Variston is headquartered in Barcelona, Spain. Variston acquired Italian zero-day research firm Truel in 2018, according to Italian business registration records.
Google also said Wednesday it had discovered hackers exploiting a zero-day bug in iOS, patched in November, to remotely plant spyware on users’ devices. Researchers believe the attackers exploited the flaw as part of an exploit chain targeting iPhone owners running iOS 15.1 and earlier in Italy, Malaysia and Kazakhstan.
The vulnerability was in the WebKit browser engine that powers Safari and other apps, and was first discovered and reported by researchers at Google TAG. Apple said it patched the bug and, in December, confirmed that the vulnerability was being actively exploited “against versions of iOS released prior to iOS 15.1.”
The hackers also used a second iOS vulnerability, a PAC (pointer authentication code) bypass technique, that Apple fixed in March 2022. Google researchers say this is the same technique used by North Macedonian spyware developer Cytrox to install its Predator spyware. Citizen Lab previously released a report highlighting the widespread use of Predator spyware by governments.
Google also observed hackers exploiting a chain of three Android bugs, including one zero-day, targeting devices with ARM-based graphics chips. According to Google, ARM has released a fix, but several vendors, including Samsung, Xiaomi, Oppo and Google itself, had not incorporated the patch, leaving months during which, Google says, attackers were free to exploit the bug.
These new hacking campaigns, Google said, “are a reminder that the commercial spyware industry continues to thrive. Even small surveillance vendors have access to zero-days, and any vendor that secretly stockpiles and uses zero-day vulnerabilities poses a serious risk to the Internet.”
“These campaigns may also indicate that exploits and techniques are shared among surveillance vendors, enabling the spread of dangerous hacking tools,” the blog read.