Analysts from the Google Threat Analysis Group (TAG) reported the discovery of multiple exploit chains that combine 0-day and n-day vulnerabilities in Android, iOS, and Chrome for Android to install commercial spyware and malicious applications on victims' devices. The attackers used over 1,000 malicious domains, including domains that impersonate news sites from various countries.
In the first campaign, discovered in November 2022, the attackers sent SMS messages containing shortened bit.ly links to Android and iOS users. Clicking a link first loaded a page that exploited the device and installed spyware, then redirected the victim to a legitimate site: the shipment-tracking page of the Italian logistics company BRT or a popular Malaysian news site.
The iOS chain exploited a WebKit remote code execution bug (CVE-2022-42856, a 0-day at the time) followed by an n-day sandbox escape (CVE-2021-30900, patched by Apple in 2021). On compromised Apple devices the attackers dropped a small payload that reported the victim's location and could install .IPA files.
The Android chain from the same campaign targeted phones with ARM GPUs and chained CVE-2022-3723 (a Chrome type confusion bug found by Avast researchers and patched by Google in October 2022), CVE-2022-4135 (a Chrome GPU sandbox escape, a 0-day at the time, patched in November 2022), and CVE-2022-38181 (a privilege escalation bug in the ARM Mali GPU kernel driver, which ARM fixed in August 2022). Although ARM's fix had been available for months, several vendors, including Pixel, Samsung, Xiaomi, and Oppo, had not shipped it in their firmware updates, so the bug remained freely exploitable on their devices.
In December 2022, Google TAG researchers identified a second campaign, aimed at users in the UAE, that targeted the latest version of the Samsung Internet Browser with a chain of 0-day and n-day bugs. Victims were redirected to landing pages identical to those of the Heliconia exploit framework built by the commercial spyware vendor Variston IT. The chain used CVE-2022-4262 (a Chrome type confusion bug, 0-day at the time of exploitation), CVE-2022-3038 (a Chrome sandbox escape), CVE-2022-22706 (a Mali GPU kernel driver bug that ARM fixed in January 2022 but that Samsung's firmware still lacked at the time of the attacks), CVE-2023-0266 (a race condition in the Linux kernel sound subsystem, 0-day at the time of exploitation), and several kernel information leaks. The final payload was a full-featured Android spyware suite written in C++, with libraries for decrypting and extracting data from a range of messaging and browser applications.
Both campaigns were targeted, and the researchers emphasize that in these cases the attackers "took advantage of the large time window that opened between the release of the patch and its full deployment on end-user devices".
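The patch gap described above is something a responder can measure on a device in hand. The following triage script is an added example written for this page, not code from the TAG report: it parses constructed samples of what `adb shell dumpsys package com.android.chrome` and `adb shell getprop` print, compares the installed Chrome build against the first release that fixed each Chrome CVE named in both campaigns, and uses the Android security patch level only to prove that a build predates ARM's Mali fixes, never that it contains them. The Chrome fixed-version numbers are the editor's recollection of the Chrome release notes and are an assumption to verify; the check covers `com.android.chrome` only, since Samsung Internet's `versionName` is not a Chromium version.

```python
"""Triage an Android device against the Chrome and Mali bugs named in the TAG findings.

Added example (editor's code, not from the report). Inputs are constructed
samples of `adb shell dumpsys package com.android.chrome` and `adb shell getprop`.
"""
import re
from typing import Dict, List, Optional, Tuple

# First Chrome release that fixed each browser CVE from the two campaigns.
# ASSUMPTION: recalled from Chrome release notes, not stated in the article; verify.
CHROME_FIXED_IN = {
    "CVE-2022-3038": "105.0.5195.52",   # sandbox escape, second campaign
    "CVE-2022-3723": "107.0.5304.87",   # type confusion, first campaign
    "CVE-2022-4135": "107.0.5304.121",  # GPU sandbox escape, first campaign (0-day)
    "CVE-2022-4262": "108.0.5359.94",   # type confusion, second campaign (0-day)
}

# Month in which ARM published its Mali driver fix, as given in the article.
ARM_MALI_FIX_MONTH = {
    "CVE-2022-22706": "2022-01",
    "CVE-2022-38181": "2022-08",
}

# Constructed sample output; real dumpsys/getprop output has many more lines.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (3f2a1b0):
    userId=10123
    versionCode=530408700 minSdk=24 targetSdk=33
    versionName=107.0.5304.87
"""
SAMPLE_GETPROP = """\
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2022-07-05]
[ro.product.manufacturer]: [samsung]
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '107.0.5304.87' into a tuple so Python compares it numerically."""
    return tuple(int(p) for p in v.strip().split("."))


def chrome_version_from_dumpsys(text: str) -> Optional[str]:
    m = re.search(r"^\s*versionName=(\d+(?:\.\d+)+)", text, re.M)
    return m.group(1) if m else None


def security_patch_from_getprop(text: str) -> Optional[str]:
    m = re.search(r"\[ro\.build\.version\.security_patch\]: \[(\d{4}-\d{2}-\d{2})\]", text)
    return m.group(1) if m else None


def exposed_chrome_cves(installed: str) -> List[str]:
    """CVEs whose first fixed release is newer than the installed Chrome build."""
    have = parse_version(installed)
    return sorted(cve for cve, fixed in CHROME_FIXED_IN.items() if have < parse_version(fixed))


def mali_status(patch_level: str) -> Dict[str, str]:
    """A build dated before ARM's fix cannot contain it; a later date proves nothing,
    because vendors shipped later patch levels without the Mali fix (the article's point)."""
    out = {}
    for cve, month in ARM_MALI_FIX_MONTH.items():
        if patch_level[:7] < month:
            out[cve] = "missing (build predates ARM's fix)"
        else:
            out[cve] = "unknown (patch level does not prove the vendor shipped it)"
    return out


def triage(dumpsys: str, getprop: str) -> dict:
    chrome = chrome_version_from_dumpsys(dumpsys)
    patch = security_patch_from_getprop(getprop)
    return {
        "chrome": chrome,
        "security_patch": patch,
        "exposed_chrome_cves": exposed_chrome_cves(chrome) if chrome else None,
        "mali": mali_status(patch) if patch else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMPSYS, SAMPLE_GETPROP).items():
        print(f"{key}: {value}")
```

On the constructed sample the device runs Chrome 107.0.5304.87, which closes CVE-2022-3723 but leaves the 0-day CVE-2022-4135 and the later CVE-2022-4262 open, and its July 2022 patch level shows the firmware cannot contain ARM's August 2022 fix for CVE-2022-38181: the same combination the first campaign relied on. For real devices, feed the script the live `adb` output and treat the "unknown" Mali results as a prompt to check the vendor's bulletin rather than as a clean bill.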