Google: Spyware vendors exploiting iOS, Android zero days
Recent campaigns observed by Google's Threat Analysis Group showed spyware vendors' use of zero days and known vulnerabilities pose an increasing threat.
Spyware vendors are exploiting zero days and known vulnerabilities in Android, iOS and Chrome sparking an increase in "dangerous hacking tools," warned Google's Threat Analysis Group.
In a blog post on Wednesday, Clement Lecigne, security engineer at Google, detailed two recent campaigns that TAG discovered to be "both limited and highly targeted." The campaigns leveraged zero-day exploits alongside known vulnerabilities, or N days, against unpatched devices on widely used platforms.
In addition to emphasizing an ongoing patching problem, Google said the threat activity showed just how prevalent spyware vendors have become and the dangers they present, especially when wielding zero days.
"These campaigns are a reminder that the commercial spyware industry continues to thrive," Lecigne wrote in the blog post.
TAG currently tracks more than 30 commercial surveillance vendors that sell exploits or spyware programs to various governments and nation-state threat groups. While Google acknowledged spyware use may be legal under national or international laws, such tools have historically been used against targets such as government officials, journalists, political dissidents and human rights activists. For example, in 2018 NSO Group's Pegasus spyware was linked to the death of journalist Jamal Khashoggi, who was killed by Saudi government agents in 2018 after being surveilled and tracked via his mobile phone.
While spyware has been used to track high-value targets in the past, Lecigne warned vendors that access to zero days and N days pose an even broader threat.
"Even smaller surveillance vendors have access to 0-days and vendors stockpiling and using 0-day vulnerabilities in secret pose a severe risk to the internet," Lecigne wrote. "These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools."
Recent spyware campaigns
In December, TAG observed an exploit chain against Samsung's internet browser that leveraged two zero-days and two N-day vulnerabilities that targeted devices located in the United Arab Emirates. "The exploit chain ultimately delivered a fully featured Android spyware suite written in C++ that includes libraries for decrypting and capturing data from various chat and browser applications," Lecigne wrote.
One of the more dangerous known vulnerabilities in the chain, tracked as CVE-2022-22706, is Arm's Mali GPU kernel driver that allowed an attacker to gain system access. Google reported the flaw to ARM in December, which patched the flaw in January. However, Google's report noted at the time of the attacks, Samsung's firmware did not include a fix.
Another known vulnerability in the exploit chain, CVE-2022-3038, was fixed by Google in August, yet targeted devices remained unpatched in December. That was the same issue TAG observed in a November campaign as well that affected Android and iOS users located in Italy, Malaysia and Kazakhstan. The iOS exploit chain leveraged a PAC bypass technique that Apple fixed in March 2022 and a WebKit remote code execution zero day, CVE-2022-42856.
The Android exploits featured one zero-day, CVE-2022-4135, which is a Chrome GPU sandbox bypass flaw that affects Android only and was patched in November 2022.
That chain included two N-day vulnerabilities: a type confusion flaw, tracked as CVE-2022-3723 that was fixed in October, and a privilege escalation vulnerability, CVE-2022-38181, that ARM patched in August. Google said it's unclear if attackers had an exploit for CVE-2022-381818 before it was reported to ARM.
While Google applauded the vendors for their quick responses and patch releases, users were not as up to date.
"These campaigns continue to underscore the importance of patching, as users wouldn't be impacted by these exploit chains if they were running a fully updated device," Lecigne wrote.
Arielle Waldman is a Boston-based reporter covering enterprise security news.