Google TAG Exposes Exploit Chains Used to Install Commercial Spyware

March 29, 2023

Google's Threat Analysis Group (TAG) has shared information about two distinct, highly targeted campaigns that employed multiple zero-day and n-day exploits against Android, iOS, and Chrome. These exploit chains were used to install commercial spyware and malicious apps on victims' devices.

The first campaign, detected in November 2022, affected Android and iOS devices and was delivered through bit.ly links sent via SMS to users in Italy, Malaysia, and Kazakhstan. The links redirected targets to pages hosting exploits for Android or iOS before sending them to legitimate websites. The initial landing page contained exploits for a WebKit remote code execution zero-day (CVE-2022-42856) and a sandbox escape (CVE-2021-30900). The final payload for this campaign was a simple stager that sent back the GPS location of the device and allowed the installation of an .IPA file (iOS application archive) onto the affected device.

The Android exploit chain in the first campaign targeted users on phones with an ARM GPU running Chrome versions prior to 106, and included one 0-day. Google TAG stated, "We were unable to obtain the final payload for this exploit chain." When ARM released a fix for CVE-2022-38181, patches were not immediately incorporated by vendors, resulting in the bug's exploitation.

The second campaign, discovered in December 2022, targeted the latest version of the Samsung Internet Browser using multiple zero-days and n-days. Victims in the United Arab Emirates (UAE) were targeted by Variston commercial spyware. Attackers sent one-time links via SMS to targets' devices, which directed users to a landing page that matched the Heliconia framework developed by Variston. The exploit chain delivered a fully featured Android spyware suite written in C++ that could steal data from various chat and browser applications. The threat actor behind this campaign could be a customer or partner of Variston, or a third party working closely with the spyware vendor. The exploit chain included the following 0-days and n-days: CVE-2021-30900, CVE-2022-38181, and CVE-2022-42856. Google TAG shared indicators of compromise (IoCs) for both campaigns.

The report concluded, "These campaigns are a reminder that the commercial spyware industry continues to thrive. Even smaller surveillance vendors have access to 0-days, and vendors stockpiling and using 0-day vulnerabilities in secret pose a severe risk to the Internet." It also highlighted the possibility that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools. Google TAG remains committed to updating the community and taking steps to protect users as they uncover such campaigns.
