Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices


Google's Threat Analysis Group (TAG) has stated that commercial spyware vendors have taken advantage of the zero-day vulnerabilities that were resolved in the previous year to attack Android and iOS devices.

Two separate campaigns were observed, both limited in scope and aimed at specific targets. Each exploited the window between a fix becoming available and its actual deployment on the targeted devices. The extent of these campaigns and the identity of the individuals or groups being targeted are presently unclear.

In a recent report, Clement Lecigne from TAG stated that these vendors are facilitating the spread of perilous hacking tools, which are being used by governments who lack the ability to create such capabilities themselves.

Although the use of surveillance technologies may be permissible according to national or international laws, authorities often employ these tools to specifically monitor and track individuals who speak out against the government, journalists who report on sensitive issues, activists focused on protecting human rights, and politicians aligned with opposition parties.

The first of the two campaigns took place in November 2022 and involved sending shortened links via SMS to recipients in Italy, Malaysia, and Kazakhstan.

Recipients who clicked the URLs were taken to web pages hosting exploits for Android or iOS devices, and were then redirected to legitimate news or package-tracking sites.

The iOS exploit chain combined several vulnerabilities: CVE-2022-42856 (a zero-day at the time), CVE-2021-30900, and a pointer authentication code (PAC) bypass. Together, these exploits enabled the installation of an .IPA file onto vulnerable devices.

The Android exploit chain used three distinct exploits, for CVE-2022-3723, CVE-2022-4135 (a zero-day at the time), and CVE-2022-38181, chained together to deliver an undisclosed payload.

Arm fixed CVE-2022-38181, a privilege escalation flaw in its Mali GPU kernel driver, in August 2022. It is uncertain whether the attacker had access to an exploit for the flaw before that patch was released.

It is worth mentioning that when Android users accessed the link using Samsung Internet Browser, they were redirected to Chrome through a process called intent redirection.

In December 2022, a second campaign targeted the latest version of Samsung Internet Browser, chaining several zero-day and n-day vulnerabilities. The exploits were delivered as one-time links sent via SMS to mobile devices located in the U.A.E.

The links led to a landing page resembling those used by Spanish software company Variston IT, which ultimately installed a C-based spyware toolkit capable of collecting data from chat and browser applications.

The vulnerabilities exploited in this chain were CVE-2022-4262, CVE-2022-3038, CVE-2022-22706, CVE-2023-0266, and CVE-2023-26083. The exploit chain is believed to have been used by a Variston IT customer or partner.

Amnesty International issued a joint report detailing that the hacking campaign which occurred in December 2022 was of high technical sophistication. The report also revealed that the exploit was created by a commercial cyber surveillance firm and marketed to government hackers for the purpose of executing spyware attacks aimed at particular targets.

The spyware campaign was identified by the international non-governmental organization, which determined that it had been in operation for at least a year, targeting both mobile and desktop devices, including those running Google's Android operating system. The zero-day exploits were delivered from an extensive network of counterfeit websites, comprising over one thousand malicious domains posing as media websites in various countries, and were designed to gain access to confidential information stored on the compromised devices.


The disclosure came a few days after the U.S. administration issued an order prohibiting federal agencies from using commercial spyware that poses a threat to national security.

According to Lecigne, these campaigns serve as a reminder that the commercial spyware industry is still flourishing. He adds that even smaller surveillance companies have the ability to obtain zero-day vulnerabilities, and those who stockpile and use them discreetly pose a significant threat to the internet.

These campaigns could potentially suggest that dangerous hacking tools are spreading as surveillance vendors share their exploits and techniques with one another.
