Google’s Threat Analysis Group (TAG) has revealed that a number of zero-day vulnerabilities addressed last year were exploited by commercial spyware vendors to target Android and iOS devices.
Both campaigns were limited and targeted, and both exploited the patch gap between the release of a fix and its actual deployment to the targeted devices.
“These vendors enable the proliferation of dangerous hacking tools, arming governments that cannot develop these capabilities in-house,” TAG’s Clement Lecigne said in a new report.
“While the use of surveillance technology may be legal under national or international law, it is often used by governments to target dissidents, journalists, human rights activists and opposition politicians.”
The first of the two operations took place in November 2022 and involved sending shortened links in SMS messages to users located in Italy, Malaysia and Kazakhstan.
Upon clicking the URL, the recipient was redirected to a web page hosting an Android or iOS exploit, and then redirected again to a legitimate news or shipment tracking website.
The iOS exploit chain combined CVE-2022-42856 (a zero-day at the time), CVE-2021-30900 and a Pointer Authentication Code (PAC) bypass to install an .IPA file on susceptible devices.
The Android exploit chain used CVE-2022-3723, CVE-2022-4135 (a zero-day at the time of exploitation) and CVE-2022-38181 to deliver an unspecified payload.
CVE-2022-38181 is a privilege escalation bug affecting the Mali GPU kernel driver and was patched by Arm in August 2022, although it is not known whether the attackers already possessed an exploit for the flaw before the patch was released.
Also notable: Android users who opened the link in Samsung Internet Browser were redirected to Chrome using a technique known as intent redirection.
The second campaign, observed in December 2022, chained multiple zero-days and n-days targeting the latest version of Samsung Internet Browser, with the exploits delivered as one-time links sent via SMS to devices located in the UAE.
The landing page is similar to one used by Spanish spyware company Variston IT, and the chain ultimately dropped a C++-based malicious toolkit capable of gathering data from chat and browser applications.
The exploited flaws were CVE-2022-4262, CVE-2022-3038, CVE-2022-22706, CVE-2023-0266 and CVE-2023-26083. The exploit chain is believed to have been used by a customer or partner of Variston IT.
The precise scale and targeting of the two campaigns are not known at this time.
The disclosure comes just days after the US government issued an executive order restricting federal agencies’ use of commercial spyware that poses a national security risk.
“These campaigns are a reminder that the commercial spyware industry continues to thrive,” said Lecigne. “Even small surveillance vendors have access to zero-day vulnerabilities. Vendors that covertly stockpile and use zero-day vulnerabilities pose serious risks to the Internet.”
“These campaigns may also indicate that exploits and techniques are shared among surveillance vendors, enabling the spread of dangerous hacking tools.”