Google’s Threat Analysis Group (TAG) has identified spyware campaigns that targeted Android and iOS users worldwide by exploiting zero-day vulnerabilities.
Zero-day flaws are software bugs that are either unknown to the vendor, or known but not yet fixed, at the time attackers exploit them.
Google says the attacks it discovered appear to be government-backed and deployed commercial spyware products, which are sold to governments ostensibly to support law enforcement investigations.
TAG tracks over 30 vendors of commercial spyware, monitoring their capabilities and trying to stay ahead of them by shipping security fixes for Google’s own products and notifying the other affected technology vendors.
The first campaign described in the TAG report, dubbed “Your missed parcel,” started in November 2022 and exploited zero-day flaws in both Android and iOS.
The attack started with an SMS sent to the targets containing links shortened with the bit.ly service. The links took the victims to pages that exploited the flaws listed below to infect their devices with location-tracking spyware, then redirected them to legitimate websites so the visit looked normal.
In the iOS case, the exploit chain targeted versions before iOS 15.1 using the following bugs:
- CVE-2022-42856: Remote code execution in WebKit via a type confusion bug in the JIT compiler (a 0-day at the time of exploitation).
- CVE-2021-30900: A sandbox escape and privilege escalation bug in AGXAccelerator, fixed by Apple in iOS 15.1. Because this second stage was already patched, the chain only worked on devices that had not yet updated to 15.1 or later.
On Android, the exploit chain required a device with an ARM GPU and a Chrome version before 106. The bugs exploited in this case were:
- CVE-2022-3723: A type confusion vulnerability in Chrome, reported by Avast as exploited in the wild and fixed in October 2022 in version 107.0.5304.87.
- CVE-2022-4135: A Chrome GPU sandbox bypass affecting only Android (a 0-day at the time of exploitation), fixed in November 2022.
- CVE-2022-38181: A privilege escalation bug in the ARM Mali GPU kernel driver, fixed by ARM in August 2022.
The threat actors also used intent redirection to bounce users of the Samsung Internet Browser into Chrome, so that the Chrome exploit chain would work on Samsung devices as well.
The second campaign presented by TAG was discovered in December 2022 but had been underway since 2020. It targeted Samsung users in the United Arab Emirates.
The attack started with an SMS sent to the targets containing links to pages that dropped an Android spyware suite created by Variston onto the device.
The exploit chain targeted what was then the latest version of Samsung’s browser, which was built on Chromium 102 and therefore lacked security fixes that upstream Chrome had already shipped. That is why the chain mixes zero-days with known flaws: bugs patched in Chrome months earlier were still unpatched in Samsung’s build. The bugs were:
- CVE-2022-4262: A type confusion vulnerability in Chrome fixed in December 2022 (a 0-day at the time of exploitation), similar to CVE-2022-1134.
- CVE-2022-3038: A sandbox escape in Chrome found by Sergei Glazunov in June 2022 and fixed in August 2022 in version 105.
- CVE-2022-22706: A vulnerability in the ARM Mali GPU kernel driver that ARM fixed in January 2022 and flagged as exploited in the wild. The latest Samsung firmware at the time of the attack still did not include the fix, so the attackers used it to gain system user access.
- CVE-2023-0266: A race condition in the Linux kernel sound subsystem, reachable from the system user, that gave the attacker kernel read and write access (a 0-day at the time of exploitation).
While exploiting CVE-2022-22706 and CVE-2023-0266, the chain also leveraged multiple kernel information leak bugs (the kind of leak typically used to defeat kernel address randomization), which Google reported to ARM and Samsung. The Mali case is the practical lesson of this chain: a fix published by the component vendor protects nobody until the device maker ships it in firmware.
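The version preconditions in both chains (iOS before 15.1; Chrome before 106 on Android; a Samsung Internet build on Chromium 102, which predates the Chrome 105 fix for CVE-2022-3038) are the part a defender can check across a fleet from proxy logs or MDM inventory. The script below is an added example, not code from Google TAG or from this article: it parses browser User-Agent strings, extracts the OS and Chromium engine versions, and reports which chain's version preconditions a device satisfies. The UA strings are constructed samples, the thresholds are taken from the text above, and preconditions a UA cannot reveal (an ARM Mali GPU, the firmware's Mali driver level) are flagged as unchecked rather than assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'15_0' or '107.0.5304.87' -> tuple of ints; tuples compare in version order."""
    return tuple(int(part) for part in re.split(r"[._]", text))


@dataclass
class UAInfo:
    platform: str                  # "ios", "android" or "other"
    os_version: Optional[Version]  # iOS or Android version, if the UA carries one
    browser: str                   # "samsung", "chrome" or "other"
    chromium: Optional[Version]    # Blink engine version from the Chrome/x.y.z.w token


_IOS_RE = re.compile(r"\((?:iPhone|iPad|iPod)[^)]*?\bOS (\d+(?:_\d+)*)")
_ANDROID_RE = re.compile(r"\bAndroid (\d+(?:\.\d+)*)")
_CHROME_RE = re.compile(r"\bChrome/(\d+(?:\.\d+)*)")


def parse_ua(ua: str) -> UAInfo:
    """Extract only the fields the version checks below need."""
    ios = _IOS_RE.search(ua)
    android = _ANDROID_RE.search(ua)
    chrome = _CHROME_RE.search(ua)
    if ios:
        platform, os_version = "ios", parse_version(ios.group(1))
    elif android:
        platform, os_version = "android", parse_version(android.group(1))
    else:
        platform, os_version = "other", None
    if "SamsungBrowser/" in ua:
        browser = "samsung"        # Samsung Internet also carries a Chrome/ engine token
    elif chrome:
        browser = "chrome"
    else:
        browser = "other"
    chromium = parse_version(chrome.group(1)) if chrome else None
    return UAInfo(platform, os_version, browser, chromium)


# Thresholds as stated in the article (assumed interpretation: "before X" means < X).
IOS_FIXED = (15, 1)           # CVE-2021-30900 fixed in iOS 15.1; chain targeted earlier versions
CHROME_CHAIN_MAX = (106,)     # Android Chrome chain required Chrome before 106
CVE_2022_3038_FIXED = (105,)  # sandbox escape used against Samsung Internet, fixed in Chrome 105


def assess(ua: str) -> List[str]:
    """Return the chain preconditions (as human-readable findings) that this UA satisfies."""
    info = parse_ua(ua)
    hits: List[str] = []
    # Every iOS browser uses the system WebKit, so only the OS version matters here.
    if info.platform == "ios" and info.os_version is not None and info.os_version < IOS_FIXED:
        hits.append("ios-chain: iOS %s is older than 15.1" % ".".join(map(str, info.os_version)))
    if info.platform == "android" and info.chromium is not None:
        if info.browser == "chrome" and info.chromium < CHROME_CHAIN_MAX:
            hits.append("android-chrome-chain: Chrome %d is older than 106 "
                        "(ARM GPU precondition not checkable from UA)" % info.chromium[0])
        if info.browser == "samsung" and info.chromium < CVE_2022_3038_FIXED:
            hits.append("samsung-chain: Samsung Internet on Chromium %d lacks the "
                        "CVE-2022-3038 fix (Chrome 105)" % info.chromium[0])
    return hits


# Constructed sample inventory (not real telemetry), one UA per device.
SAMPLE_UAS = {
    "old-iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1",
    "chrome-on-old-iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_8 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/107.0.5304.66 Mobile/15E148 Safari/604.1",
    "patched-iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Mobile/15E148 Safari/604.1",
    "old-android-chrome": "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.136 Mobile Safari/537.36",
    "samsung-internet": "Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-S908B) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/19.0 Chrome/102.0.0.0 Mobile Safari/537.36",
    "current-android-chrome": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Mobile Safari/537.36",
}


def triage(inventory=SAMPLE_UAS):
    """Map device name -> findings, keeping only devices with at least one finding."""
    return {name: hits for name, ua in inventory.items() if (hits := assess(ua))}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

Two design points worth noting. The iOS check deliberately ignores the browser: Chrome on iOS (the CriOS sample) reports no Chrome/ engine token because it is WebKit underneath, so an old iOS version is the only precondition that matters. On Android, the Samsung sample is flagged against the Chrome 105 fix for CVE-2022-3038 even though Samsung Internet 19.0 was the current release at the time, which is exactly the rebase lag the second campaign exploited; a UA-based check cannot tell you whether the device's Mali driver has the CVE-2022-22706 fix, so that must come from firmware inventory.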
Spyware Is Rampant
Despite Google’s efforts to put a brake on government-sponsored spyware infections, there are simply too many mercenary spyware vendors paying security researchers large sums to find flaws in the targeted systems and hand them over privately instead of reporting them to the vendor.
Amnesty International, whose Security Lab discovered the second campaign described in Google’s report and notified the company, is concerned about the scale of the problem.
“While it is vital such vulnerabilities are fixed, this is merely a sticking plaster to a global spyware crisis,” comments Donncha Ó Cearbhaill, Head of Amnesty International’s Security Lab.
The most effective way for users to reduce the chance of a spyware infection is to install security updates on their devices as soon as they become available. If you are using an old device that no longer receives updates, switching to a model that gets regular security updates is recommended. The second campaign also shows the limit of that advice: the targeted Samsung Internet Browser was the current release yet still built on an older Chromium, and the ARM fix for the Mali driver had not reached Samsung’s firmware, so the exposure was the vendor’s patch lag rather than anything the user had skipped.