Researchers have identified two separate attack campaigns that have targeted both iOS and Android users with exploits for zero days as well as known vulnerabilities to install commercial spyware tools. The attacks affected victims in Italy, Malaysia, Kazakhstan, and the United Arab Emirates, and bear all the hallmarks of state-sponsored campaigns.
In both campaigns, the unnamed attackers were using exploit chains that included both known vulnerabilities and bugs that were zero days at the time they were used. The first set of attacks included zero days for both iOS and Android and began with attackers sending shortened links to victims via SMS. Victims who clicked on the links were directed to websites that delivered the exploits for whichever operating system they were using. Google’s Threat Analysis Group uncovered this campaign in November 2022 and was able to capture the exploit chain for both iOS and Android.
In the case of iOS, the attacks employed an exploit for CVE-2022-42856, a bug in WebKit that was a zero day at the time of the attacks, as well as an exploit for CVE-2021-30900, a sandbox escape and privilege escalation vulnerability. Apple patched the latter bug in iOS 15.1, and the former one in iOS 12.5.7, released in January.
The attacks targeting Android users chained together exploits for three individual vulnerabilities, including a zero day in the Chrome GPU (CVE-2022-4135). The chain also included a second bug in Chrome and one in the ARM Mali GPU kernel driver.
“It’s worth noting users were redirected to Chrome using Intent Redirection if they were coming from a Samsung Internet Browser. In the past, we have seen attackers redirect users from Chrome to Samsung Internet Browser, similar to CVE-2022-2856, but in this case the redirection occurred the other way. We were unable to obtain the final payload for this exploit chain,” Clement Lcigne of Google TAG wrote in a post detailing the campaigns.
“When ARM released a fix for CVE-2022-38181, patches were not immediately incorporated by vendors, resulting in the bug’s exploitation.”
“These campaigns are a reminder that the commercial spyware industry continues to thrive. Even smaller surveillance vendors have access to 0-days."
Researchers at Amnesty International’s Security Lab discovered the second campaign targeting Android users and worked with Google’s TAG on the analysis. This campaign exploited several vulnerabilities, including a Chrome zero day (CVE-2022-4262), a Chrome sandbox escape, and a Linux kernel zero day (CVE-2023-0266). This campaign has been active since at least 2020, according to the Amnesty International researchers.
“While it is vital such vulnerabilities are fixed, this is merely a sticking plaster to a global spyware crisis. We urgently need a global moratorium on the sale, transfer, and use of spyware until robust human rights regulatory safeguards are in place, otherwise sophisticated cyber-attacks will continue to be used as a tool of repression against activists and journalists,” said Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab.
The end result of each of these campaigns was the installation of a spyware suite that gave the attackers control over the victims’ devices. Neither Google nor Amnesty International is naming the maker of the spyware.
“These campaigns are a reminder that the commercial spyware industry continues to thrive. Even smaller surveillance vendors have access to 0-days, and vendors stockpiling and using 0-day vulnerabilities in secret pose a severe risk to the Internet. These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools. We remain committed to updating the community, and taking steps to protect users, as we uncover these campaigns,” Google’s Lecigne said.
The revelations by Google and Amnesty International come two days after President Joe Biden signed an executive order outlining a policy on the use of commercial spyware by United States agencies. The order says U.S. agencies “shall not make operational use of commercial spyware that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person”, a policy that essentially prohibits U.S. agencies from using any commercial spyware that has been used against American citizens, which is a long list.