Researchers from Google's Threat Analysis Group (TAG) have discovered two separate, highly-targeted campaigns that use various, unpatched zero-day exploits against users of both iPhone and Android smartphones to deploy spyware.

The discoveries — revealed in a blog post on March 29 — are the result of active tracking that Google TAG does of commercial spyware vendors, with more than 30 of them currently on the radar screen, the researchers said. These vendors sell exploits or surveillance capabilities to state-sponsored threat actors, thus "enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house," the researchers wrote. These are often used to target dissidents, journalists, human rights workers, and opposition-party politicians in potentially life-threatening ways, they noted.

The use of surveillance technologies is currently legal under most national or international laws, and governments have abused these laws and technologies to target individuals that don't align with their agendas. However, since this abuse came under international scrutiny due to the revelation of governments abusing NSO Group's Pegasus mobile spyware to target iPhone users, regulators and vendors alike have been cracking down on the production of and use of commercial spyware.

In fact, on March 28, the Biden administration issued an executive order that falls short of an outright ban on spyware, but restricts the use of commercial surveillance tools by the federal government.

Google's findings this week show that those efforts have done little to thwart the commercial-spyware scene, and "underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," TAG researchers wrote in the post.

Specifically, the researchers discovered what they characterize as two "distinct, limited, and highly targeted" campaigns aimed at users of Android, iOS, and Chrome on mobile devices. Both use zero-day exploits and n-day exploits. Regarding the latter, the campaigns take particular advantage of the period of time between when vendors release fixes for vulnerabilities and when the hardware manufacturers actually update end-user devices with those patches, creating exploits for unpatched platforms, the researchers said.

This demonstrates that those creating the exploits are keeping a close eye on vulnerabilities that they can exploit for nefarious purposes and are likely colluding to maximize the potential for using them to compromise targeted devices, according to TAG. The campaigns also suggest that surveillance software vendors share exploits and techniques to enable the proliferation of dangerous hacking tools, the researchers wrote in the post.

The iOS/Android Spyware Campaign

The first campaign that researchers outlined was discovered in November and exploits two vulnerabilities in iOS and three in Android, including at least one zero-day flaw each.

Researchers found initial access attempts that affect both Android and iOS devices that were delivered via bit.ly links sent over SMS to users located in Italy, Malaysia, and Kazakhstan, they said. The links redirected visitors to pages hosting exploits for either Android or iOS, then redirected them to legitimate websites — "such as a page to track shipments for Italian-based shipment and logistics company BRT, or a popular Malaysian news website," researchers wrote in the post.

The iOS exploit chain targeted versions prior to 15.1 and included an exploit for a WebKit remote code execution (RCE) flaw, tracked as CVE-2022-42856, but a zero-day at the time of the exploit. It involves a type confusion issue within the JIT compiler, the exploit used a PAC bypass technique fixed in March 2022 by Apple. The attack also exploited a sandbox escape and privilege escalation bug in AGXAccelerator, tracked as CVE-2021-30900, which was fixed by Apple in iOS 15.1.

The final payload of the iOS campaign was a simple stager that pings back the GPS location of the device and also allows the attacker to install an .IPA file (iOS application archive) onto the affected handset, researchers said. This file can be used to steal information.

The Android exploit chain in the campaign targeted users on devices that use an ARM GPU running Chrome versions prior to 106, the researchers said. There were three vulnerabilities exploited: CVE-2022-3723, a type confusion vulnerability in Chrome that was fixed in last October in version 107.0.5304.87, CVE-2022-4135, a Chrome GPU sandbox bypass only affecting Android that was a zero-day when exploited and fixed in November, and CVE-2022-38181, a privilege escalation bug fixed by ARM last August.

The significance of attacking ARM and CVE-2022-38181 in particular is that when the fix for this flaw was initially released, several vendors — including Pixel, Samsung, Xiaomi, and Oppo — did not incorporate the patch, giving attackers several months to freely exploit the bug, researchers said.

Samsung Browser Cyber-Espionage Campaign

Google TAG researchers discovered the second campaign, which includes a complete exploit chain using both zero-days and n-days to target the latest version of Samsung Internet Browser, in December. The browser runs on Chromium 102 and has not been updated to include recent mitigations, which would have required attackers to do additional work to carry out the exploit, the researchers said.

Attackers delivered the exploits in one-time links sent via SMS to devices located in the United Arab Emirates (UAE), the researchers said. The link directed users to a landing page identical to one present in the Heliconia framework developed by commercial spyware vendor Variston, they added.

The payload of the exploit in this case was a C++-based, "fully-featured Android spyware suite" that included libraries for decrypting and capturing data from various chat and browser applications, the researchers wrote. They suspect that the actor involved may be a customer, partner, or otherwise close affiliate of Variston.

Flaws exploited in the chain were CVE-2022-4262, a type confusion vulnerability in Chrome that was a zero-day at time of exploitation, CVE-2022-3038, a sandbox escape in Chrome fixed in version 105 in June 2022, CVE-2022-22706, a vulnerability in Mali GPU Kernel Driver fixed by ARM in January 2022, and CVE-2023-0266, a race condition vulnerability in the Linux kernel sound subsystem providing kernel read and write access that was a zero-day at the time of exploitation.

"The exploit chain also took advantage of multiple kernel information leak zero-days when exploiting CVE-2022-22706 and CVE-2023-0266" that Google reported to ARM and Samsung, the researchers wrote.

Limiting Spyware & Protecting Mobile Users

TAG researchers provided a list of indicators of compromise (IoC) to help device users know if they're being targeted by the campaigns. They also stressed how important it is for vendors as well as users to update their mobile devices with the latest patches as quickly as possible after vulnerabilities and/or exploits for them are discovered.

"A big takeaway here would be to use fully updated software on fully updated devices," Google TAG researchers say in response to questions posed by Dark Reading. "In this case, none of the exploit chains described would have worked."