Saturday, December 2, 2023

Spyware Vendors Exploit 0-Days On Android and iOS Devices

The Threat Analysis Group (TAG) of Google unveiled recently that commercial spyware vendors targeted Android and iOS devices using zero-day vulnerabilities patched last year.

In November 2022, the first campaign was discovered by security analysts targeting iOS and Android users. While in that campaign, it was identified that the attackers used separate exploit chains to hack both platforms.

As far as targeting was concerned, both campaigns had a very distinct and limited target audience base. They exploited the time gap between the release and deployment of a fix to targeted devices.

Governments that couldn’t develop these capabilities in-house are armed with these hacking tools. Depending on the national or international laws in place, it may be legal for surveillance technologies to be used.

Governments often target the following entities through the use of these surveillance tools and technologies:-

  • Dissidents
  • Journalists
  • Human rights workers
  • Opposition party politicians

Campaign #1 & #2

A TAG analysis of bit(.)ly links sent over text messages to users in the following countries in November 2022 identified exploit chains with 0-day exploits affecting Android and iOS platforms:-

  • Italy
  • Malaysia
  • Kazakhstan

All the victims are redirected to the malicious pages containing the exploits for Android or iOS, which happens when users click on the links. After that, certainly, they were redirected to genuine websites.

The genuine websites where the threat actors redirect the users are:-

  • BRT, is an Italian-based shipment and logistics company. 


  • A popular Malaysian news website.

Here below, we have mentioned all the vulnerabilities that the threat actors exploit during these two campaigns:- 

  • CVE-2022-42856: It’s a WebKit remote code execution exploiting a type confusion issue within the JIT compiler (0-day at the time of exploitation).
  • Also exploited the PAC bypass technique, which was fixed in March 2022.
  • CVE-2021-30900: A sandbox escape and privilege escalation bug in AGXAccelerator, fixed by Apple in 15.1.
  • CVE-2022-3723: A confusion vulnerability in Chrome was fixed in October 2022 in version 107.0.5304.87.
  • CVE-2022-4135: It’s a Chrome GPU sandbox bypass only affecting Android (0-day at time of exploitation), fixed in November 2022.
  • CVE-2022-38181: It’s a privilege escalation bug fixed by ARM in August 2022.
  • CVE-2022-4262: A confusion vulnerability in Chrome was fixed in December 2022 (0-day at exploitation time).
  • CVE-2022-3038: It’s a sandbox escape in Chrome fixed in August 2022, in version 105
  • CVE-2022-22706: A vulnerability in Mali GPU Kernel Driver fixed by ARM in January 2022.
  • CVE-2023-0266: It’s a race condition vulnerability in the Linux kernel sound subsystem (0-day at exploitation time).

A C++-based spyware suite for Android was successfully deployed at the end of the exploit chain. It contained libraries developed to decrypt and extract data from various browsers and chat applications.

Amnesty International’s Security Lab shared information about discovering these exploit chains due to its findings.

Related IOCs

Here below, we have mentioned all the related IOCs:-

  • https://cdn.cutlink[.]site/p/uu6ekt – landing page
  • https://api.cutlink[.]site/api/s/N0NBL8/ – Android exploit chain
  • https://api.cutlink[.]site/api/s/3PU970/ – iOS exploit chain
  • https://imjustarandomsite.3utilities[.]com – exploit the delivery server
  • www.sufficeconfigure[.]com – a landing page and exploit delivery
  • www.anglesyen[.]org – malware C2
  • The following Android system properties might indicate signs of exploitation
  • sys.brand.note
  • sys.brand.notes
  • sys.brand.doc
  • The following directory on the phone might indicate signs of infection
  • /data/local/tmp/dropbox

Protection for Users

Google has already reported all these vulnerabilities to the vendors to protect the users. 

If Google doesn’t recognize the quick response and patching of these vulnerabilities by the following companies that need to address them will be remiss:-

  • Chrome team
  • Pixel team
  • Android team
  • Apple team

Patching is one of the most important things that need to be accomplished. However, these exploit chains would not be able to impact a user who had a fully updated device.

As a result of such campaigns, it is important to remember that the commercial spyware market continues to flourish.

0-day vulnerabilities are accessible to even small surveillance vendors. The Internet is at high risk when vendors stockpile and use 0-day vulnerabilities in secret since they pose a serious security risk for users.

Are You a Pentester? – Try Free Automated API Penetration Testing

Also Read:

Iranian APT42 Deploys Custom Android Spyware to Spy on Targets of Interest

24-Year-Old Australian Hacker Arrested For Creating and Selling Spyware

Google Chrome 0-Day Vulnerability Exploited in The Wild To Deploy Spyware

ISPs Helped Hackers to Infect Smartphones with Hermit Spyware

A New zero-click iMessage Exploit Used to Install NSO Group Spyware on iPhones


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles