Spyware Campaigns Exploited Zero-Day iOS and Android FlawsGoogle Identifies 'Highly Targeted' Campaigns in Italy, Malaysia, Kazakhstan & UAE
Google says it spotted two "limited and highly targeted" advanced spyware campaigns using zero-days in the Android and iOS operating systems and vulnerabilities in the Samsung Internet Browser.
The computing giant's Threat Analysis Group says the campaigns may indicate sharing of exploits and techniques between vendors of commercial surveillance. "Even smaller surveillance vendors have access to 0-days," it wrote.
Google actively campaigns against the commercial surveillance industry, and Google Threat Analysis Group head Shane Huntley recently urged the European Union to "lead a diplomatic effort" to limit the harms of advanced spyware apps such as Pegasus.
Backlash against commercial spyware in some European political circles and in the United States has increased even as the industry itself has grown larger. Google estimates more than 30 vendors now exist, putting advanced capabilities into the hands of countries that otherwise would lack the resources to closely surveil dissidents or political opponents. Industry executives have said their products are intended for use in combating crime and terrorism.
The Carnegie Endowment for International Peace calculates that at least 74 governments have bought surveillance tools over the past dozen years. It describes the industry as consisting of top-level vendors such as Pegasus maker NSO Group that depends on suppliers including exploit brokers, hackers and "boutique spyware firms."
U.S. President Joe Biden on Monday signed an executive order limiting federal agencies' ability to buy licenses for commercial surveillance apps (see: US Limits Government Use of Advanced Smartphone Spyware).
The U.S Cybersecurity and Infrastructure Security Agency on Thursday ordered agencies to patch many of the vulnerabilities identified by Google no later than April 20.
Operators of the first campaign identified by Google targeted victims with malicious shortened links sent via SMS to users in Italy, Malaysia and Kazakhstan. When clicked, the links "redirected visitors to pages hosting exploits for either Android or iOS then redirected them to legitimate websites such as the page to track shipments for Italian-based shipment and logistics company BRT or a popular Malaysian news website," Google says.
The second campaign, spotted on devices located in the United Arab Emirates, chained multiple zero-days and n-days to infect the Samsung Browser on Android smartphones. An n-day is a vulnerability that has been recently patched; attackers take advantage of users' lag in applying updates.
The browser runs on Google Chromium but lacks recent security mitigations, Google says. "If they had been in place, the attackers would have needed additional vulnerabilities."
Malicious links directed users to a landing page identical to one previously served by commercial spyware vendor Variston.