A sophisticated hacking campaign by a mercenary spyware company targeting the Google Android operating system has been exposed by Amnesty International's Security Lab.

Technical findings were shared with Google's Threat Analysis Group, which focuses on countering government-backed cyberattacks. As a result, Google, along with other affected vendors including Samsung, was able to release security updates protecting billions of Android, Chrome and Linux users from the exploit techniques used in this attack.

Amnesty International is not naming the company as the Security Lab continues to track and investigate its activity. However, the attack showed all the hallmarks of an advanced spyware campaign developed by a commercial cyber surveillance company and sold to government hackers to carry out targeted spyware attacks.


"Unscrupulous spyware companies pose a real risk to everyone's privacy and security. We urge people to ensure they have the latest security updates on their devices," said Donncha Ó Cearbhaill, Head of Amnesty International's Security Lab.

"While it is vital that such vulnerabilities are patched, this is merely a plaster for a global spyware crisis. We urgently need a global moratorium on the sale, transfer and use of spyware until strong regulatory safeguards for human rights are put in place, otherwise sophisticated cyber attacks will continue to be used as a tool of repression against activists and journalists."

Amnesty International’s Security Lab actively monitors and investigates companies and governments that deploy and abuse cyber-surveillance technologies, which pose a fundamental threat to human rights defenders, journalists and civil society.

On Monday, in an important step to address the spyware crisis, US President Biden signed an executive order restricting US government agencies from using commercial spyware that poses a threat to national security or human rights. The move sends a strong message to other governments to take similar action.

Zero-day attack

The Security Lab's findings allowed Google, in December 2022, to capture a new zero-day exploit chain used to hack Android devices. Zero-day exploits are particularly dangerous because they target vulnerabilities unknown to the vendor: no patch exists yet, so even fully patched and updated phones can be compromised.

The newly discovered spyware campaign has been active since at least 2020 and targeted mobile and desktop devices, including users of Google’s Android operating system. The spyware and zero-day exploits were delivered by a vast network of more than 1,000 malicious domains, including domains that spoof media websites in many countries.

Amnesty International has published details of the domains and infrastructure it identified as linked to the attack on GitHub to assist civil society in investigating and responding to these attacks.

Google’s Threat Analysis Group found that Android users in the United Arab Emirates were being targeted with one-time attack links sent via SMS, which, if clicked, would install spyware on the target phone. Human rights defenders in the UAE have long been victimized by spyware tools from cyber surveillance companies such as NSO Group and Hacking Team over the past decade, including Ahmed Mansoor, who was targeted with spyware by both companies, and was subsequently jailed by UAE authorities in response to his human rights work.

Amnesty International’s Security Lab identified additional activity related to this spyware campaign in Indonesia, Belarus, the United Arab Emirates and Italy. These countries likely represent only a small subset of the overall attack campaign based on the extensive nature of the broader attack infrastructure.

The Threat Analysis Group was also able to obtain the full Android spyware payload delivered by this attack campaign. The exploit chain combined several zero-days with other recently patched vulnerabilities and was capable of compromising a fully patched Samsung Android device. The chain included a zero-day renderer exploit in Chrome, a sandbox escape in Chrome, and a privilege-escalation vulnerability in the Arm Mali GPU kernel driver. Arm had already fixed the Mali GPU vulnerability, but the fix had not reached the latest Samsung firmware available in December 2022, so a device reporting the newest available security patch level was still exploitable; the lag between an upstream fix and its arrival in a vendor's firmware is itself a window attackers use. The chain then exploited a zero-day in the Linux kernel (CVE-2023-0266) to gain root privileges on the phone. That final vulnerability is not Android-specific and would also allow attackers to compromise desktop and embedded Linux systems.

Amnesty International continues to work with a growing network of civil society partners to detect and respond to the unique cyber surveillance threats that human rights defenders face. This ongoing support includes sharing indicators of compromise and forensic methodologies, and developing forensic tools such as the Mobile Verification Toolkit (MVT), which civil society can use to detect targeted spyware threats.
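The kind of check described above, matching one-time SMS links against a published list of attacker domains, can be illustrated with a small indicator matcher. The following is an added example written for this page; it is not MVT's code and not the indicators Amnesty International published. Every domain, sender and message body in it is constructed, and the leading-dot convention for "match any subdomain" is an assumption of this example, not a format the page describes.

```python
"""Match SMS message bodies against indicator-of-compromise (IoC) domains,
in the style of the domain checks a tool like MVT runs over an SMS backup.

All indicator domains and messages below are constructed for illustration;
they are not published indicators and point at no real infrastructure.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed example IoCs (NOT the published list). A leading "." is this
# example's own convention for "match the apex and any subdomain", because
# one-time attack links are often served from per-target subdomains.
IOC_DOMAINS = {
    "news-daily-update.example",   # spoofs a media site
    "cdn.tracker-push.example",
    ".one-time-link.example",
}

URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)


def extract_urls(text: str) -> List[str]:
    """Pull URL-looking tokens out of free text, trimming trailing punctuation."""
    urls = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!?)")
        if url.lower().startswith("www."):
            url = "http://" + url      # give bare www. links a scheme so urlsplit works
        urls.append(url)
    return urls


def hostname(url: str) -> Optional[str]:
    """Normalised host part of a URL, or None if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def matching_ioc(host: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the indicator that covers `host`, or None.

    Exact indicators match the host only, so a lookalike such as
    news-daily-update.example.evil.example does not hit the apex entry;
    dotted indicators also match any subdomain of the apex.
    """
    for ioc in iocs:
        if ioc.startswith("."):
            apex = ioc[1:]
            if host == apex or host.endswith("." + apex):
                return ioc
        elif host == ioc:
            return ioc
    return None


def scan_sms(messages: List[Dict], iocs: Iterable[str] = IOC_DOMAINS) -> List[Dict]:
    """Return one detection per (message, URL) pair whose host hits an IoC."""
    hits = []
    for msg in messages:
        for url in extract_urls(msg["body"]):
            host = hostname(url)
            if host is None:
                continue
            ioc = matching_ioc(host, iocs)
            if ioc:
                hits.append({"id": msg["id"], "sender": msg["sender"],
                             "url": url, "host": host, "ioc": ioc})
    return hits


# Constructed SMS backup rows (ids, senders and bodies are made up).
SAMPLE_SMS = [
    {"id": 1, "sender": "+000000000001",
     "body": "Breaking: see https://news-daily-update.example/story/8812 now."},
    {"id": 2, "sender": "+000000000002",
     "body": "Your parcel: http://a7f3k.one-time-link.example/t?c=q9"},
    {"id": 3, "sender": "FRIEND",
     "body": "lunch tomorrow? https://example.org/menu"},
    {"id": 4, "sender": "+000000000003",
     "body": "Verify: https://news-daily-update.example.evil.example/x"},
]

if __name__ == "__main__":
    for hit in scan_sms(SAMPLE_SMS):
        print(f"SMS {hit['id']} from {hit['sender']}: {hit['url']} -> IoC {hit['ioc']}")
```

Matching on the host rather than the full URL matters here: the links in such campaigns are one-time, so the path and query of a captured URL will never repeat on another target's phone, while the attacker domain, or a subdomain of it, usually will.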

The numerous abuses uncovered by Amnesty International and civil society partners over the past few years have shown that the spyware industry poses a critical threat to human rights defenders and civil society around the world. The systemic harms of growing and unregulated cyber surveillance extend far beyond the now-infamous Pegasus spyware program developed by NSO Group.

In the wake of Project Pegasus, which revealed that spyware was used to target journalists, human rights defenders and politicians around the world, there is an urgent need for an international moratorium on the development, use, transfer and sale of spyware technologies until there is a global legal framework to prevent these abuses and protect human rights in the digital age.