Google TAG shares details about exploit chains used to install commercial spyware

Google’s Threat Analysis Group (TAG) discovered several exploit chains targeting Android, iOS, and Chrome to install commercial spyware.

Google’s Threat Analysis Group (TAG) shared details about two distinct campaigns which used several zero-day exploits against Android, iOS and Chrome. The experts pointed out that both campaigns were limited and highly targeted. The threat actors behind the attacks used both zero-day and n-day exploits in their exploits.

The exploit chains were used to install commercial spyware and malicious apps on targets’ devices.

The first campaign was spotted in November 2022, the exploit chains discovered by TAG researchers were affecting Android and iOS and were delivered via bit.ly links sent over SMS to users. The campaign aimed at users in Italy, Malaysia, and Kazakhstan. Once clicked the links, targets are initially redirected to pages hosting exploits for either Android or iOS, then redirected to legitimate websites (e.g. Italian-based shipment and logistics company BRT, or a popular Malaysian news website).

The initial landing page was observed hosting the exploits for a WebKit remote code execution zero-day (CVE-2022-42856) and a sandbox escape (CVE-2021-30900) issue.

In this campaign, the final payload was a simple stager that pings back the GPS location of the device and allows to install an .IPA file (iOS application archive) onto the affected device.

The Android exploit chain in the first campaign targeted users on phones with an ARM GPU running Chrome versions prior to 106. The exploit chain consisted of three exploits, including one 0-day:

• CVE-2022-3723, a type confusion vulnerability in Chrome, found by Avast in the wild and fixed in October 2022 in version 107.0.5304.87.
• CVE-2022-4135, a Chrome GPU sandbox bypass only affecting Android (0-day at time of exploitation), fixed in November 2022. Sergei Glazunov from Project Zero helped analyze the exploit and wrote a root cause analysis for this bug.
• CVE-2022-38181, a privilege escalation bug fixed by ARM in August 2022. It is unclear if attackers had an exploit for this vulnerability before it was reported to ARM.

“We were unable to obtain the final payload for this exploit chain.” reads the post published Google TAG. “When ARM released a fix for CVE-2022-38181, patches were not immediately incorporated by vendors, resulting in the bugs exploitation. This was recently highlighted by blog posts from Project Zero and Github Security Lab.”

The second campaign was spotted in December 2022 when the researchers discovered an exploit chain targeting the latest version of the Samsung Internet Browser using multiple zero-days and n-days.

The victims of the attack were people in the United Arab Emirates (UAE) that were targeted by Variston commercial spyware. The attackers used one-time links sent via SMS to targets’ devices.

The link directed users to a landing page that is the same TAG examined in the Heliconia framework developed by Variston. The exploit chain delivered a fully featured Android spyware suite written in C++ that was able to steal data from various chat and browser applications. Experts believe that the threat actor could be a customer or partner of Variston, or a third-party working closely with the spyware vendor.

The exploit chain included the following 0-days and n-days:

• CVE-2022-4262, a type confusion vulnerability in Chrome fixed in December 2022 (0-day at time of exploitation) – similar to CVE-2022-1134.
• CVE-2022-3038, a sandbox escape in Chrome fixed in August 2022, in version 105 and found by Sergei Glazunov in June 2022.
• CVE-2022-22706, a vulnerability in Mali GPU Kernel Driver fixed by ARM in January 2022 and marked as being used in the wild. At the time of delivery, the latest Samsung firmware had not included a fix for this vulnerability. This vulnerability grants the attacker system access.
• CVE-2023-0266, a race condition vulnerability in the Linux kernel sound subsystem reachable from the system user and that gives the attacker kernel read and write access (0-day at time of exploitation).

Google TAG shared indicators of compromise (IoCs) for both campaigns.

“These campaigns are a reminder that the commercial spyware industry continues to thrive. Even smaller surveillance vendors have access to 0-days, and vendors stockpiling and using 0-day vulnerabilities in secret pose a severe risk to the Internet.” concludes the report. “These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools. We remain committed to updating the community, and taking steps to protect users, as we uncover these campaigns.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, exploit chains)