Spyware campaigns using zero-days found in Italy, Malaysia, Kazakhstan, UAE
Two targeted spyware campaigns involving several zero-day exploits for Android, iOS and mobile versions of the Chrome browser were unmasked by researchers from Google on Wednesday.
One campaign targeted people in Italy, Malaysia and Kazakhstan, while the other operated in the United Arab Emirates (UAE), the researchers said.
Google called the campaigns “distinct, limited and highly targeted.” The company did not specify the source of the spyware in either case, but said the incidents speak to the size of the marketplace for surveillance tools.
“These campaigns are a reminder that the commercial spyware industry continues to thrive. Even smaller surveillance vendors have access to zero-days, and vendors stockpiling and using zero-day vulnerabilities in secret poses a severe risk to the Internet,” Google’s Threat Analysis Group (TAG) said in a blog post.
The company did not respond to a list of questions about what governments or threat groups might be involved, who the victims were or how many people were affected. Both campaigns were discovered in late 2022.
Many of the bugs exploited by the spyware were unknown to security researchers until the second half of 2022, meaning companies had “zero days” to patch them before hackers started leveraging them. The vulnerabilities in Android, Apple’s iOS and Chrome have since been fixed, Google said.
“These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools,” the researchers said. “We remain committed to updating the community, and taking steps to protect users, as we uncover these campaigns.”
In a campaign identified in November 2022, the hackers installed a tool that allowed them to track the location of devices in Italy, Malaysia and Kazakhstan. The TAG researchers found that hackers delivered the spyware to Android and Apple devices through bit.ly links sent over SMS.
When victims clicked on the links, they were taken to a webpage that installed spyware matched to the type of device, then redirected them either to the “track shipments” page of the Italian shipment and logistics company BRT or to a popular Malaysian news website.
[Image caption: A legitimate “track shipments” page used in the spyware campaign.]
For victims using Apple devices, the malware exploited the bug CVE-2022-42856, which has since been patched but was unknown at the time. The attacks targeted users with iOS versions prior to 15.1. The hackers also targeted CVE-2021-30900, another vulnerability fixed by Apple in 15.1.
Victims using Android devices were targeted through three different exploits that included one zero-day. The hackers used CVE-2022-3723 — a bug discovered by researchers at Avast that Google fixed in October 2022 — alongside two other vulnerabilities: CVE-2022-4135 and CVE-2022-38181.
CVE-2022-4135 was a zero-day affecting Android devices that was fixed in November 2022, and CVE-2022-38181 was an issue affecting products from the British semiconductor and software design company ARM.
ARM patched the issue in August 2022, but Google TAG researchers are unsure whether the attackers had an exploit for the vulnerability before the bug was reported to ARM.
“When ARM released a fix for CVE-2022-38181, several vendors, including Pixel, Samsung, Xiaomi, Oppo and others, did not incorporate the patch, resulting in a situation where attackers were able to freely exploit the bug for several months,” they said, adding that the issue was recently highlighted by blog posts from Project Zero and GitHub Security Lab.
United Arab Emirates victims
The goal of the second campaign, uncovered in December 2022, was the installation of a spyware suite that allowed hackers to decrypt data and steal information from a variety of chat services and browser applications, the researchers said. It targeted devices being used in the United Arab Emirates (UAE) and involved multiple zero-days targeting the latest version of Samsung Internet Browser.
Like the other campaign, this one targeted people with text messages, the researchers said. The link took victims to a landing page that was identical to one identified in a previous Google report on Spanish commercial spyware vendor Variston.
“The actor using the exploit chain to target UAE users may be a customer or partner of Variston, or otherwise working closely with the spyware vendor,” the researchers said.
The hackers took advantage of four vulnerabilities: CVE-2022-4262, CVE-2022-3038, CVE-2022-22706 and CVE-2023-0266. All four have since been patched.
In the blog post, Google said it reported all of the bugs to Apple, Samsung, ARM and the other vendors affected, all of which quickly responded. Google credited Amnesty International’s Security Lab for helping uncover the campaign in the UAE.
“Unscrupulous spyware companies pose a real danger to the privacy and security of everyone. We urge people to ensure they have the latest security updates on their devices,” said Donncha Ó Cearbhaill, head of the Security Lab.
The human rights group is calling for “a global moratorium on the sale, transfer, and use of spyware until robust human rights regulatory safeguards are in place, otherwise sophisticated cyber-attacks will continue to be used as a tool of repression against activists and journalists,” Ó Cearbhaill said.
Google also noted that the campaigns highlighted the importance of patching because many of the victims would not have been susceptible to the exploit chains “if they were running a fully updated device.”
The blog is part of a larger effort by Google to identify and spotlight commercial surveillance vendors who are now making millions disseminating vulnerabilities and sophisticated hacking tools “historically only used by governments with the technical expertise to develop and operationalize exploits.”
The tech giant warned that the sharing of exploits and techniques is a dangerous development considering they are typically “used by governments to target dissidents, journalists, human rights workers and opposition party politicians.”
“The zero-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices,” the researchers explained.
“Today, we actively track more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government backed actors. These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house.”
On Monday, U.S. President Joe Biden signed an executive order that bans federal agencies from using commercial spyware that could pose security risks to the U.S. or already has been misused by foreign actors.
The action was meant to address a growing number of incidents of spyware abuse abroad as well as reports of it being used improperly to target U.S. officials, government systems and ordinary citizens.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.