Google’s Threat Analysis Group (TAG) has reported that commercial spyware vendors used multiple vulnerabilities, several of them zero-days at the time of exploitation and all since patched, to attack Android and iOS devices.
Google’s researchers detailed the zero-day and n-day vulnerabilities exploited in what they describe as two distinct, highly targeted campaigns. The company tracks more than 30 vendors that sell exploits and surveillance capabilities to government-backed actors. For several of the zero-days, this is the first public account of the attacks that exploited them.
In the first campaign, the attack began with a link sent to the targeted user via SMS. The iOS chain followed the usual renderer-to-kernel pattern: CVE-2022-42856, a WebKit vulnerability that was a zero-day when Apple patched it for iPhones in December 2022, for initial code execution; a Pointer Authentication (PAC) bypass technique, which defeats a hardware mitigation rather than a single CVE; and an exploit for CVE-2021-30900, a sandbox escape and privilege escalation vulnerability that Apple had patched in iOS in 2021 (an n-day, so it worked only on devices that had not been updated). The Android chain targeted CVE-2022-3723, a Chrome zero-day fixed by Google in October 2022, CVE-2022-4135, a Chrome GPU sandbox bypass that was also a zero-day when Google patched it in November 2022, and CVE-2022-38181, an Arm Mali GPU driver vulnerability that yields arbitrary kernel code execution and root on Pixel 6 phones.
The second campaign, discovered in December 2022, targeted the Samsung Internet Browser, which is Chromium-based and therefore inherits Chrome’s vulnerabilities until Samsung ships the corresponding Chromium update. The exploits were again delivered as links sent via SMS, the targets were users in the United Arab Emirates, and the goal was to install full-featured Android spyware. The chain combined CVE-2022-4262, a Chrome zero-day fixed by Google in December 2022, for initial code execution; CVE-2022-3038, a Chrome sandbox escape patched in August 2022; CVE-2022-22706, a Mali GPU kernel driver issue fixed by Arm in January 2022 but still present in the targeted devices’ firmware nearly a year later; and CVE-2023-0266, a Linux kernel sound subsystem flaw that was a zero-day when exploited and was fixed in January 2023. The gap between an upstream fix and its arrival in vendor firmware is what made the n-days in this chain usable.
Google has published indicators of compromise (IoCs) that defenders can use to hunt for these attacks, with the usual caveat that spyware vendors rotate delivery infrastructure and IoCs lose value over time. Google assesses that the second campaign was carried out by a customer or partner of Variston, a Spanish commercial spyware vendor.
The report is a reminder of the threat posed by commercial spyware and of the importance of patching: most of the bugs in these chains were n-days, so keeping the OS, the browser and vendor firmware current removes most of their usefulness. It also shows that a link delivered by SMS remains the typical first step in a targeted attack, which makes unsolicited links to unfamiliar domains worth treating with suspicion.
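The following is an added example of how a defender might apply a published IoC list such as Google’s to an SMS export or web proxy log; it is not code from Google TAG. The indicator domains and log lines are constructed placeholders, not the real indicators from the report, and the log format is an assumed one. The script accepts IoCs in plain or defanged form (hxxp://, [.]), matches on the host rather than the full URL because paths are usually unique per target, and treats subdomains of an indicator domain as hits.

```python
"""Match published IoC domains against SMS / proxy log exports (added example)."""
import re
from urllib.parse import urlsplit

# Constructed placeholder IoCs (NOT the indicators from the TAG report).
# Substitute the published list; plain or defanged entries are accepted.
IOC_DOMAINS = {
    "update-check[.]example",
    "hxxps://cdn-verify[.]example/s/",
    "static.example.net",
}

# Constructed sample log lines: one SMS export entry and several proxy entries.
SAMPLE_LOG = [
    '2022-11-03 09:14:22 sms from=+000000000 body="Your package is waiting: https://update-check.example/track?id=8831"',
    "2022-11-03 09:14:40 proxy 10.0.0.15 GET https://cdn-verify.example/s/payload.js 200",
    "2022-11-03 09:15:01 proxy 10.0.0.15 GET https://www.google.com/ 200",
    "2022-11-03 09:16:11 proxy 10.0.0.22 GET https://img.static.example.net/a.png 200",
    "2022-11-03 09:16:30 proxy 10.0.0.22 GET https://notstatic.example.net/b.png 200",
]

URL_RE = re.compile(r"(?i)\b(?:hxxps?|https?)://[^\s\"'<>]+")


def refang(text: str) -> str:
    """Undo common defanging so indicators and log URLs compare equal."""
    return (text.replace("hxxps://", "https://")
                .replace("hxxp://", "http://")
                .replace("[.]", ".")
                .replace("[:]", ":"))


def ioc_domain(ioc: str) -> str:
    """Normalise an indicator given as a bare domain or a full URL to its host."""
    s = refang(ioc.strip().lower())
    if "://" in s:
        s = urlsplit(s).hostname or ""
    return s.rstrip(".")


def matches_domain(host: str, ioc_host: str) -> bool:
    """Exact match or subdomain match: a.b.example matches b.example, xb.example does not."""
    return host == ioc_host or host.endswith("." + ioc_host)


def extract_hosts(line: str):
    """Yield (host, url) for every URL found in a log line."""
    for m in URL_RE.finditer(line):
        url = m.group(0)
        host = urlsplit(refang(url.lower())).hostname
        if host:
            yield host.rstrip("."), url


def scan(lines, iocs=IOC_DOMAINS):
    """Return a list of hits: line number, matched host, matching IoC and raw URL."""
    ioc_hosts = {ioc_domain(i) for i in iocs}
    hits = []
    for n, line in enumerate(lines, 1):
        for host, url in extract_hosts(line):
            for ioc_host in sorted(ioc_hosts):
                if matches_domain(host, ioc_host):
                    hits.append({"line": n, "host": host, "ioc": ioc_host, "url": url})
                    break
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} matched IoC {hit['ioc']} ({hit['url']})")
```

Running it against the constructed sample flags lines 1, 2 and 4 and ignores the look-alike domain on line 5. In practice the same scan would be pointed at an SMS backup, a mobile device management export or the egress proxy logs for the period in which the campaign was active.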
Key Points:
- Google’s Threat Analysis Group (TAG) reported that several zero-day vulnerabilities had been exploited by commercial spyware vendors to target Android and iOS devices.
- The two campaigns involved the delivery of malicious links to targeted users via SMS.
- The exploits chained several Chrome and WebKit vulnerabilities with Arm Mali GPU driver flaws, a Pointer Authentication (PAC) bypass, and a Linux kernel sound subsystem flaw to move from browser code execution to kernel privileges.
- Google believes the second campaign was carried out by a customer or partner of Variston, a Spanish commercial spyware vendor.
- This report serves as an important reminder of the threats posed by commercial spyware, and the need for vigilance in keeping up with available security patches.