Nation-backed Attackers Increasingly Spying via Zero-Day and n-Day Exploits: Google

Notable spyware campaigns

• Threat actors were sending shortened links over SMSes to users located in Italy, Malaysia, and Kazakhstan.
• These links redirected recipients to web pages hosting exploits for either Android or iOS, before redirecting them to legitimate news or shipment-tracking websites.

Campaign targeting Samsung Internet Browser

• Threat actors were sending one-time links via SMS to devices located in the UAE to exploit CVE-2022-4262, CVE-2022-3038, CVE-2022-22706, CVE-2023-0266, CVE-2023-26083, and multiple kernel information leak zero-day flaws.
• These links redirected recipients to a landing page identical to the ones created by the commercial spyware vendor Variston for its Heliconia exploitation framework.
• Finally, a fully featured C++-based Android spyware suite was delivered that contained libraries for decrypting and capturing data from various chat and browser applications.

Exploit chains

• The Android exploit chain affected devices with an ARM GPU running Chrome versions prior to 106 and contained exploits for CVE-2022-3723, CVE-2022-4135, and CVE-2022-38181.
• The iOS exploit chain targeted versions before 15.1 and contained exploits for CVE-2022-42856, CVE-2021-30900, and CVE-2020-3837.
• A simple stager was delivered as a final payload that gives threat actors the ability to steal the GPS location of the device and install an IPA file onto the affected device.
• Samsung Internet Browser was abused to redirect users to Chrome using Intent Redirection. The final payload for this exploit chain was unknown.

Wrapping up