Google’s Threat Analysis Group (TAG) has revealed two distinct, targeted campaigns that leveraged multiple zero-day exploits against Android, iOS, and Chrome.
In the first campaign, the attackers used bit.ly links to deliver the exploit chains via SMS to targets in Italy, Malaysia, and Kazakhstan.
The initial landing page contained exploits for a WebKit remote code execution zero-day (CVE-2022-42856) and a sandbox escape (CVE-2021-30900), while the Android exploit chain targeted Chrome versions prior to 106. The final iOS payload was a stager that allowed the installation of an .IPA file (iOS application archive) and periodic GPS location pinging. Google TAG was unable to obtain the final payload of the Android exploit chain.
The second campaign, discovered in December 2022, targeted people in the UAE who were running the latest version of the Samsung Internet Browser, using one-time links sent via SMS. The exploit chain combined multiple zero-days and n-days to deliver a fully featured Android spyware suite written in C++.
The vulnerabilities included a type confusion vulnerability in Chrome (CVE-2022-4262), a sandbox escape in Chrome (CVE-2022-3038), a vulnerability in the Mali GPU kernel driver (CVE-2022-22706), and a race condition vulnerability in the Linux kernel sound subsystem (CVE-2023-0266). The attackers used the exploit chain to deliver Variston commercial spyware, and experts suggest that the threat actor could be a customer or partner of Variston, or a third party working closely with the spyware vendor.
Both campaigns were limited and highly targeted, with attackers using both zero-day and n-day exploits to install commercial spyware and malicious apps on targets’ devices.
Google TAG has shared indicators of compromise (IoCs) for both campaigns. The first campaign exploited vulnerabilities that were not immediately patched by vendors, while the second campaign took advantage of zero-day vulnerabilities.
These campaigns highlight the importance of timely patching and prompt adoption of vendor fixes to prevent malicious actors from exploiting vulnerabilities in the wild.