Google finds more Android, iOS zero-days used to install spyware

    alf9872000
    Google's Threat Analysis Group (TAG) discovered several exploit chains using Android, iOS, and Chrome zero-day and n-day vulnerabilities to install commercial spyware and malicious apps on targets' devices.

     

    The attackers targeted iOS and Android users with separate exploit chains as part of a first campaign spotted in November 2022.

     

    Text messages carrying bit.ly shortened links first sent victims to pages hosting exploits for a WebKit remote code execution zero-day (CVE-2022-42856) and a sandbox escape bug (CVE-2021-30900), then redirected them to legitimate shipping websites in Italy, Malaysia, and Kazakhstan so the detour went unnoticed.

     

    On compromised devices, the threat actors dropped a payload allowing them to track the victims' location and install .IPA files.

     

    In the same campaign, an Android exploit chain was used against devices with ARM GPUs, combining a Chrome type confusion bug (CVE-2022-3723), a Chrome GPU sandbox bypass zero-day (CVE-2022-4135), and an ARM privilege escalation bug (CVE-2022-38181); the payload it delivered is unknown.

     

    "When ARM released a fix for CVE-2022-38181, several vendors, including Pixel, Samsung, Xiaomi, Oppo and others, did not incorporate the patch, resulting in a situation where attackers were able to freely exploit the bug for several months," Google TAG's Clément Lecigne said.

    Second series of attacks against Samsung users

    A second campaign was spotted in December 2022, after Google TAG researchers found an exploit chain targeting fully up-to-date versions of the Samsung Internet Browser using multiple zero-days and n-days.

     

    Targets in the United Arab Emirates (UAE) were redirected to exploit pages identical to those the commercial spyware vendor Variston built for its Heliconia exploitation framework. The chain targeted a long list of flaws, including:

     

    • CVE-2022-4262 - Chrome type confusion vulnerability (zero-day at time of exploitation)
    • CVE-2022-3038 - Chrome sandbox escape
    • CVE-2022-22706 - Mali GPU Kernel Driver vulnerability providing system access, patched by ARM in January 2022 but not addressed in Samsung firmware at the time of the attacks
    • CVE-2023-0266 - Linux kernel sound subsystem race condition giving kernel read and write access (zero-day at time of exploitation)

    The exploit chain also used multiple kernel information leak zero-days while exploiting CVE-2022-22706 and CVE-2023-0266.

     

    In the end, the exploit chain successfully deployed a C++-based spyware suite for Android, complete with libraries designed to decrypt and extract data from numerous chat and browser apps.

     

    Both campaigns were highly targeted, and the attackers "took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices," said Lecigne.

     

    "These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools."
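    The "time gap" Lecigne describes is measurable for a given handset: the Android security patch level a device reports (the `ro.build.version.security_patch` property) states which monthly bulletin it includes, so comparing it against the bulletin that first carried each fix tells you whether the device is still in the window, and comparing the upstream fix date against that bulletin date tells you how long the vendor-side gap was. The script below is an added example, not code from the article or from Google TAG. The CVE identifiers and component names are the article's; the upstream-fix and bulletin dates in the table are placeholders assumed for the example (the article gives only "January 2022" for the CVE-2022-22706 fix), and the `getprop` output is constructed, so both must be replaced with real bulletin data and a real device dump before the numbers mean anything.

```python
"""Patch-gap check for an Android device (added example, not from the article).

Reads the device's declared security patch level from `adb shell getprop`
output and, for each tracked CVE, reports (a) how many days the fix sat
upstream before a bulletin shipped it to end-user firmware and (b) whether
this device's patch level includes that bulletin.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class TrackedCve:
    cve: str
    component: str
    upstream_fix: date  # date the component vendor published a fix
    bulletin: date      # first security patch level that carries the fix


# CVE ids and component names are the ones named in the article.  Both dates
# per entry are ASSUMED placeholders for this example; take the real values
# from the Android / Pixel / Samsung bulletin before relying on the output.
TRACKED = (
    TrackedCve("CVE-2022-38181", "ARM Mali GPU driver", date(2022, 8, 1), date(2023, 1, 5)),
    TrackedCve("CVE-2022-22706", "Mali GPU kernel driver", date(2022, 1, 1), date(2023, 3, 1)),
    TrackedCve("CVE-2023-0266", "Linux kernel sound subsystem", date(2023, 1, 1), date(2023, 3, 5)),
)

# `getprop` prints one "[key]: [value]" pair per line.
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text: str) -> dict[str, str]:
    """Parse `adb shell getprop` output into a dict; unparseable lines are skipped."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m["key"]] = m["val"]
    return props


def patch_level(props: dict[str, str]) -> date:
    """The patch level is a YYYY-MM-DD string; KeyError/ValueError if absent or malformed."""
    return date.fromisoformat(props["ro.build.version.security_patch"])


@dataclass(frozen=True)
class Finding:
    cve: str
    covered: bool         # device patch level includes the bulletin with the fix
    vendor_gap_days: int  # upstream fix -> bulletin: the window the article describes
    exposed_days: int     # upstream fix -> as_of while the device lacks the fix, else 0


def assess(level: date, tracked=TRACKED, as_of: Optional[date] = None) -> list[Finding]:
    """Compare a device patch level with each tracked fix.

    A patch level only attests to bulletin content, so a device is treated as
    covered iff its level is on or after the bulletin that shipped the fix.
    """
    as_of = as_of or date.today()
    findings = []
    for t in tracked:
        covered = level >= t.bulletin
        gap = (t.bulletin - t.upstream_fix).days
        exposed = 0 if covered else max(0, (as_of - t.upstream_fix).days)
        findings.append(Finding(t.cve, covered, gap, exposed))
    return findings


# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2022-12-05]
[ro.product.model]: [sample-device]
"""


def main() -> None:
    level = patch_level(parse_getprop(SAMPLE_GETPROP))
    print(f"device patch level: {level}")
    for f in assess(level, as_of=date(2023, 3, 1)):
        state = "covered" if f.covered else f"EXPOSED {f.exposed_days}d"
        print(f"{f.cve}: vendor gap {f.vendor_gap_days}d, {state}")


if __name__ == "__main__":
    main()
```

    Run it against a real device with `adb shell getprop > props.txt` and feed that text to `parse_getprop`. The check is deliberately conservative: a patch level says nothing about fixes a vendor backported outside the bulletin, and nothing about components (such as a GPU driver) whose fix never entered a bulletin at all, so a "covered" verdict is only as good as the bulletin dates in the table.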

    Spyware vendor tracking efforts

    These findings are part of Google TAG's ongoing effort to monitor the commercial spyware market and track the zero-day vulnerabilities its vendors exploit to install their tools on the devices of human rights and political activists, journalists, politicians, and other high-risk users worldwide.

     

    Google said in May 2022 that it was actively tracking more than 30 vendors, with varying levels of public exposure and sophistication, known to sell surveillance capabilities or exploits to government-sponsored threat actors worldwide.

     

    In November 2022, Google TAG researchers revealed that they had linked Heliconia, an exploit framework targeting Chrome, Firefox, and Microsoft Defender vulnerabilities, to the Spanish software company Variston IT.

     

    In June 2022, some Internet Service Providers (ISPs) helped Italian spyware vendor RCS Labs to infect the devices of Android and iOS users in Italy and Kazakhstan with commercial surveillance tools, according to Google.

     

    One month earlier, another surveillance campaign was brought to light by Google TAG, where state-sponsored attackers exploited five zero-days to install Predator spyware developed by Cytrox.

     
