Google’s Threat Analysis Group (TAG) recently discovered several surveillance campaigns run by government-backed and nation-state threat groups. These groups used exploits or spyware sold by more than 30 commercial surveillance vendors. Most of the exploits targeted zero-day and publicly disclosed n-day vulnerabilities in Android, iOS, and Chrome.
Notable spyware campaigns
The first campaign—discovered in November 2022—was limited but highly targeted.
Threat actors sent shortened links via SMS to users located in Italy, Malaysia, and Kazakhstan.
These links redirected recipients to web pages hosting exploits for either Android or iOS, and then on to legitimate news or shipment-tracking websites.
Campaign targeting Samsung Internet Browser
In December 2022, Google discovered a different campaign targeting the latest version of the Samsung Internet Browser, which runs on Chromium 102 and therefore lacks recent mitigations for multiple zero-day and n-day vulnerabilities.
Threat actors sent one-time links via SMS to devices located in the UAE to exploit CVE-2022-4262, CVE-2022-3038, CVE-2022-22706, CVE-2023-0266, CVE-2023-26083, and multiple kernel information leak zero-day flaws.
These links redirected recipients to a landing page identical to the ones created by the commercial spyware vendor Variston for its Heliconia exploitation framework.
Finally, a fully featured C++-based Android spyware suite was delivered that contained libraries for decrypting and capturing data from various chat and browser applications.
Exploit chains
The Android exploit chain affected devices with an ARM GPU running Chrome versions prior to 106 and contained exploits for CVE-2022-3723, CVE-2022-4135, and CVE-2022-38181.
The iOS exploit chain targeted versions before 15.1 and contained exploits for CVE-2022-42856, CVE-2021-30900, and CVE-2020-3837.
The final payload was a simple stager that lets threat actors obtain the device’s GPS location and install an IPA file on the affected device.
Samsung Internet Browser was abused to redirect users to Chrome using Intent Redirection. The final payload for this exploit chain was unknown.
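As an added illustration, not taken from Google’s report or from this article, the following Python script scans combined-format web-server access-log lines and flags clients whose User-Agent falls inside the version ranges named above: Android Chrome before 106, iOS before 15.1, and Samsung Internet built on Chromium 102. The log format, IP addresses, paths and User-Agent strings are constructed assumptions.

```python
import re

# Version thresholds taken from the article: Android chain hit Chrome < 106,
# iOS chain hit iOS < 15.1, targeted Samsung Internet was based on Chromium 102.
CHROME_FIXED, IOS_FIXED, SAMSUNG_CHROMIUM = (106, 0), (15, 1), (102, 0)
CHROME_RE = re.compile(r"Chrome/(\d+)(?:\.(\d+))?")
SAMSUNG_RE = re.compile(r"SamsungBrowser/\d+")
IOS_RE = re.compile(r"(?:iPhone|CPU) OS (\d+)_(\d+)")

def _ver(m):
    return tuple(int(g or 0) for g in m.groups())

def classify_ua(ua):
    """Reasons a User-Agent falls inside the affected ranges ([] if none)."""
    reasons = []
    chrome, ios = CHROME_RE.search(ua), IOS_RE.search(ua)
    if SAMSUNG_RE.search(ua):
        # Samsung Internet reports its Chromium base in the Chrome/ token.
        if chrome and _ver(chrome) <= SAMSUNG_CHROMIUM:
            reasons.append("samsung-internet-on-chromium<=102")
    elif chrome and "Android" in ua and _ver(chrome) < CHROME_FIXED:
        reasons.append("android-chrome<106")
    if ios and _ver(ios) < IOS_FIXED:
        reasons.append("ios<15.1")
    return reasons

def scan_log(lines):
    """(client_ip, reasons) for each log line whose last quoted field
    (the User-Agent in combined format) matches an affected range."""
    hits = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        ua = line.rsplit('"', 2)[1]
        reasons = classify_ua(ua)
        if reasons:
            hits.append((ip, reasons))
    return hits

# Constructed sample log lines (documentation-range IPs, hypothetical path).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2023:10:00:00 +0000] "GET /track HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.136 Mobile Safari/537.36"',
    '203.0.113.8 - - [10/Mar/2023:10:00:01 +0000] "GET /track HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-S908B) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/19.0 Chrome/102.0.0.0 Mobile Safari/537.36"',
    '203.0.113.9 - - [10/Mar/2023:10:00:02 +0000] "GET /track HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1"',
    '203.0.113.10 - - [10/Mar/2023:10:00:03 +0000] "GET /track HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.2 Mobile/15E148 Safari/604.1"',
]
```

Running `scan_log(SAMPLE_LOG)` reports the first three clients; a User-Agent is self-reported, so treat a hit as a prompt to verify the device’s patch level, not as proof of compromise.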
Wrapping up
The commercial spyware industry is investing heavily in developing and selling new zero-day exploits. Moreover, these are often purchased directly and used by state-sponsored threat groups, posing a severe risk to organizations and governments across the globe. To stay protected, organizations should use the IoCs shared by Google and other security agencies to strengthen their security posture.