Google’s Threat Analysis Group on Wednesday revealed two “limited and highly targeted” spyware campaigns. The campaigns used zero-day vulnerabilities and known but unpatched security holes to undermine the protections of Android and Apple iOS devices, as well as Google’s Chrome browser.

The company did not disclose which spyware vendors were involved, but one of the campaigns used a link that directed targets to the same landing page that Google attributed to Spanish spyware company Variston IT in November 2022. According to the researchers, whoever was behind the latest campaign could be a customer or partner of Variston.

The spyware came to light just days after the US government issued an executive order banning federal agencies from using commercial spyware that poses a national security risk. A senior Biden administration official told CyberScoop on Monday that spyware was suspected of having been found or used on devices associated with 50 US personnel in 10 countries.

Google’s report did not identify the number of victims targeted by these campaigns, provide any other details about the victims, or describe the broader context of the campaigns themselves.

“These campaigns are a reminder that the commercial spyware industry continues to thrive,” said the researchers. “Even small surveillance vendors have access to 0-days. Vendors that secretly stockpile and use 0-day vulnerabilities pose a significant risk to the Internet. It could also indicate that exploits are shared between surveillance vendors, enabling the spread of dangerous hacking tools.”

Google says it tracks more than 30 vendors “with varying levels of sophistication and public exposure to sell exploits and monitoring capabilities to government-sponsored attackers.” “These vendors enable the proliferation of dangerous hacking tools and arm governments that are unable to develop these capabilities in-house. The use of surveillance technology may be legal under national or international law. However, it is often used by governments to target dissidents, journalists, human rights activists, and opposition politicians.”

The first campaign Google revealed was discovered in November 2022 and included exploits targeting Android and iOS devices, delivered to targets in Italy, Malaysia and Kazakhstan via the link-shortening service Bitly. When the target clicked on the link, they were redirected to a page hosting the Android or iOS exploit, and then on to legitimate websites, including a shipment tracking page and a popular Malaysian news website, the researchers wrote.

The iOS exploit chain in this campaign used a since-patched zero-day exploit and two other known exploits. One of these exploits used techniques that spyware company Cytrox had used as part of its Predator spyware, as revealed in a December 2021 blog post by the Toronto-based digital rights group Citizen Lab. Apple issued a fix for this bug in March 2022. The Android exploit chain likewise relied on one zero-day bug and two known vulnerabilities.

Google researchers discovered a second campaign, using one-time links to target devices in the United Arab Emirates, in December 2022. This campaign directed users to the same landing page associated with the Heliconia framework developed by Variston IT. The framework came to light in November 2022 when an anonymous user uploaded Variston source code related to three different vulnerabilities to Google’s Chrome bug reporting program.

According to Amnesty International’s Security Lab, the campaign has been active since at least 2020 and targeted both mobile and desktop services. The attacks were delivered from a network of over 1,000 malicious domains, Amnesty said, noting that additional activity related to this campaign was observed in Indonesia, Belarus and Italy, in addition to the targeting of the UAE.

The Amnesty team has shared details and technical indicators related to the campaign, including domains, on GitHub.

“In the wake of the Pegasus Project, which revealed that spyware was being used to target journalists, human rights defenders, and politicians around the world, there has been an international push against the development, use, transfer, and sale of spyware technology. A moratorium is urgently needed until a global legal framework is put in place to prevent these abuses and protect human rights in the digital age,” Amnesty International’s Security Lab said in a statement.

The spyware discovered in December included a library for decrypting and retrieving data from various chat and browser applications, according to Google researchers.

“The exploit chain TAG recovered was delivered to the latest version of Samsung’s browser, which runs on Chromium 102 and does not include recent mitigations,” the researchers wrote. “If they had been in place, the attackers would have needed additional vulnerabilities to bypass the mitigations.”

Update, March 29, 2023: This story has been updated to include a reference to, and comment from, Amnesty International’s Security Lab, which worked with Google to identify one of the campaigns.