The primary targets of this spyware campaign were unsuspecting users in Italy, Malaysia, and Kazakhstan.
Google’s Threat Analysis Group (TAG) has discovered two highly-targeted mobile spyware campaigns that use zero-day exploits to deploy surveillance software against iPhone and Android smartphone users.
Google TAG discovered two “distinct, limited, and highly targeted” campaigns aimed at users of Android, iOS, and Chrome on mobile devices. The campaigns used zero-day and n-day exploits, taking advantage of the window between when vendors release vulnerability fixes and when hardware manufacturers ship those patches to end-user devices, and building exploits for devices that remain unpatched during that window.
These discoveries highlight the importance of timely software patching by vendors and end-users to prevent malicious actors from exploiting known vulnerabilities. The campaigns also suggest that surveillance software vendors share exploits and techniques to enable the proliferation of potentially dangerous hacking tools.
The first campaign (CVE-2022-42856; CVE-2022-4135) targeted iOS versions before 15.1 and Android devices with an ARM GPU running Chrome versions before 106, respectively. The payload of the exploit in the first campaign included a simple stager that pinged back the GPS location of the device and allowed the attacker to install an .IPA file onto the affected handset, which can be used to steal information.
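As an added, defender-side example that is not from the article or from Google TAG: a Python check that flags inventory entries still below the fixed versions the article names for the first campaign (iOS 15.1 and Chrome 106). The inventory is constructed, and the thresholds are taken from the article rather than from vendor advisories, which should be consulted for exact fixed builds.

```python
# Minimum fixed versions as stated in the article for the first campaign:
#   iOS before 15.1    -> CVE-2022-42856
#   Chrome before 106  -> CVE-2022-4135
# These thresholds are an assumption taken from the article; confirm exact
# fixed builds against the vendors' own advisories before relying on them.
MIN_FIXED = {
    "ios": ("15.1", "CVE-2022-42856"),
    "chrome": ("106", "CVE-2022-4135"),
}


def parse_version(s: str) -> tuple:
    """Turn '15.0.2' into (15, 0, 2); non-numeric characters are dropped."""
    parts = []
    for p in s.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if digits:
            parts.append(int(digits))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; missing components count as 0."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return va < vb


def exposed_devices(inventory):
    """Return [(device_id, component, version, cve)] for entries below the fixed version."""
    findings = []
    for dev in inventory:
        for component, (min_fixed, cve) in MIN_FIXED.items():
            ver = dev.get(component)
            if ver is not None and version_lt(ver, min_fixed):
                findings.append((dev["id"], component, ver, cve))
    return findings


# Constructed sample inventory for this example (not real device data).
SAMPLE_INVENTORY = [
    {"id": "phone-01", "ios": "15.0.2"},
    {"id": "phone-02", "ios": "16.3"},
    {"id": "phone-03", "chrome": "105.0.5195.136"},
    {"id": "phone-04", "chrome": "106.0.5249.65"},
]

if __name__ == "__main__":
    for dev_id, component, ver, cve in exposed_devices(SAMPLE_INVENTORY):
        print(f"{dev_id}: {component} {ver} is below the fixed version ({cve})")
```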
The campaign targeted both Android and iOS devices, with initial access attempts delivered via Bit.ly shortened URLs sent over SMS to users located in the three countries named above (Italy, Malaysia, and Kazakhstan).
The second campaign (CVE-2022-4262; CVE-2023-0266), which included a complete exploit chain using both zero-days and n-days, targeted the latest version of the Samsung Internet browser.
The payload of the exploit in the second campaign was a C++-based, “fully-featured Android spyware suite” that included libraries for decrypting and capturing data from various chat and browser applications.
Google researchers suspect that the actor involved may be a customer, partner, or otherwise close affiliate of Variston, a commercial spyware vendor.
It is worth noting that as reported by Hackread.com last year, Variston is a Barcelona-based company that Google TAG exposed for exploiting n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender while posing as a custom cybersecurity solutions provider.