Google’s Threat Analysis Group on Wednesday revealed two “limited and highly targeted” spyware campaigns that took advantage of zero-day vulnerabilities as well as known but unpatched security holes to undermine protections on Android and Apple iOS devices as well as Google’s Chrome browser.
The company did not reveal the spyware vendors involved, but said one of the campaigns used a link directing targets to a landing page identical to one Google revealed in November 2022 from Spanish spyware firm Variston IT. Whoever was behind the most recent campaign, the researchers said, could be a Variston customer or partner.
The spyware revelations come just days after the U.S. government announced an executive order barring federal agencies from using commercial spyware that presents a national security risk. A senior Biden administration official on Monday told CyberScoop that spyware had been found on — or suspected to be on — devices associated with 50 U.S. personnel across 10 countries.
Google’s report did not identify the number of victims targeted in either campaign, give any other details about them, or describe the broader context of the campaigns themselves.
“These campaigns are a reminder that the commercial spyware industry continues to thrive,” the researchers said. “Even smaller surveillance vendors have access to 0-days, and vendors stockpiling and using 0-day vulnerabilities in secret poses a severe risk to the Internet. These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools.”
Google says it is tracking more than 30 such vendors “with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government backed actors,” the researchers wrote. “These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers and opposition party politicians.”
The first campaign that Google revealed on Wednesday was discovered in November 2022 and involved exploits targeting Android and iOS devices, delivered to targets in Italy, Malaysia and Kazakhstan via the link-shortening service Bitly. If the target clicked the link, it redirected them to pages hosting exploits for either Android or iOS, and then on to legitimate websites such as a shipment-tracking page or a popular Malaysian news website, the researchers wrote.
That campaign’s iOS targeting used a since-patched zero-day exploit as well as two other known exploits. One of those exploits relied on a technique previously used by spyware firm Cytrox as part of its Predator spyware, which was revealed in a December 2021 blog post from the Toronto-based digital rights group Citizen Lab. Apple issued a fix for the bug in March 2022. The campaign’s Android targeting likewise relied on one zero-day bug as well as two known vulnerabilities.
Google researchers discovered the second campaign in December 2022 using one-time links targeting devices in the United Arab Emirates. That campaign directed users to the same landing page associated with the Heliconia framework, developed by Variston IT. The framework was revealed in November 2022 when an anonymous user uploaded Variston source code related to three distinct vulnerabilities to Google’s Chrome bug reporting program.
The campaign had been active since at least 2020 and targeted both mobile and desktop devices, according to Amnesty International’s Security Lab, which flagged aspects of the campaign and shared details with Google. The exploits were delivered from a network of more than 1,000 malicious domains, Amnesty said, noting that additional activity related to the campaign was identified in Indonesia, Belarus and Italy, in addition to the targeting in the UAE.
The Amnesty team shared details and technical indicators related to the campaign, including the domains, on GitHub.
“In the wake of the Pegasus Project, which revealed that spyware had been used to target journalists, human rights defenders and politicians around the world, there is an urgent need for an international moratorium on the development, use, transfer and sale of spyware technologies until there is a global legal framework in place to prevent these abuses and protect human rights in the digital age,” Amnesty International Security Lab said in a statement.
The spyware discovered in December included libraries for decrypting and capturing data from various chat and browser applications, the Google researchers said.
“The exploit chain TAG recovered was delivered to the latest version of Samsung’s Browser, which runs on Chromium 102 and does not include recent mitigations,” the researchers wrote. “If they had been in place, the attackers would have needed additional vulnerabilities to bypass the mitigations.”
Updated March 29, 2023: This story has been updated to include reference to and commentary from Amnesty International’s Security Lab, which worked with Google to identify one of the campaigns.