Google: Commercial Spyware Used by Governments Laden With Zero-Day Exploits

Published: 23/11/2024   Category: security




Google TAG researchers reveal two campaigns against iOS, Android, and Chrome users that demonstrate how the commercial surveillance market is thriving despite government-imposed limits.



Researchers from Google's Threat Analysis Group (TAG) have discovered two separate, highly targeted campaigns that chain several unpatched zero-day exploits against users of both iPhone and Android smartphones in order to deploy spyware.
The discoveries, revealed in a blog post on March 29, are the result of Google TAG's active tracking of commercial spyware vendors, more than 30 of which are currently on its radar, the researchers said. These vendors "sell exploits or surveillance capabilities to state-sponsored threat actors, thus enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house," the researchers wrote. The tools are often used to target dissidents, journalists, human rights workers, and opposition-party politicians in potentially life-threatening ways, they noted.
The use of surveillance technologies is currently legal under most national and international laws, and governments have abused both the laws and the technologies to target individuals who don't align with their agendas. Since that abuse came under international scrutiny following revelations that governments had used NSO Group's Pegasus mobile spyware against iPhone users, however, regulators and vendors alike have been cracking down on the production and use of commercial spyware.
In fact, on March 28, the Biden administration issued an executive order that falls short of an outright ban on spyware but restricts the federal government's use of commercial surveillance tools.
Google's findings this week show that those efforts have so far done little to thwart the commercial spyware scene, and they "underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," TAG researchers wrote in the post.
Specifically, the researchers describe two distinct, limited, and highly targeted campaigns aimed at users of Android, iOS, and Chrome on mobile devices. Both chains combine zero-day exploits with n-day exploits. The n-days take particular advantage of the gap between the moment a software vendor releases a fix and the moment device manufacturers actually ship that patch to end users: the attackers wrote exploits for bugs that were already public but still unpatched on the targeted phones, the researchers said.
This shows that the exploit developers keep a close eye on vulnerabilities they can turn to their purposes and are quick to weaponize them against targeted devices, according to TAG. The overlap between the campaigns also suggests that surveillance vendors share exploits and techniques with one another, further enabling the proliferation of dangerous hacking tools, the researchers wrote in the post.
The first campaign that researchers outlined was discovered in November and exploits two vulnerabilities in iOS and three in Android, including at least one zero-day flaw each.
Researchers found initial access attempts against both Android and iOS devices that were delivered as bit.ly links sent over SMS to users in Italy, Malaysia, and Kazakhstan, they said. The links redirected visitors to pages hosting exploits for either Android or iOS and then on to legitimate websites, such as the shipment-tracking page of Italian logistics company BRT or a popular Malaysian news website, the researchers wrote in the post.
The iOS exploit chain targeted versions prior to 15.1 and opened with an exploit for a WebKit remote code execution (RCE) flaw, now tracked as CVE-2022-42856, that was a zero-day at the time of exploitation. The bug is a type confusion issue in the JIT compiler, and the exploit paired it with a PAC (pointer authentication code) bypass technique that Apple had already fixed in March 2022. The chain then used a sandbox escape and privilege escalation bug in AGXAccelerator, tracked as CVE-2021-30900, which Apple fixed in iOS 15.1.
The final payload of the iOS chain was a simple stager that reports the device's GPS location back to the attacker and lets the attacker install an .IPA file (an iOS application archive) on the affected handset, the researchers said. That second-stage application can be used to steal information.
The Android exploit chain in the same campaign targeted devices with an ARM GPU running Chrome versions prior to 106, the researchers said. It exploited three vulnerabilities: CVE-2022-3723, a type confusion vulnerability in Chrome that was fixed last October in version 107.0.5304.87; CVE-2022-4135, a Chrome GPU sandbox bypass affecting only Android that was a zero-day when exploited and was fixed in November; and CVE-2022-38181, a privilege escalation bug in the ARM GPU driver that ARM fixed last August.
The significance of CVE-2022-38181 in particular is that when ARM first released the fix, several device vendors, including Pixel, Samsung, Xiaomi, and Oppo, did not incorporate the patch, giving attackers several months to exploit the bug freely on fully "up to date" phones, the researchers said.
Google TAG researchers discovered the second campaign in December. It uses a complete exploit chain of both zero-days and n-days against the latest version of Samsung Internet Browser, which is built on Chromium 102 and had not picked up more recent Chromium mitigations; had those been present, the attackers would have had to do additional work to carry out the exploit, the researchers said.
The attackers delivered the exploits as one-time links sent via SMS to devices located in the United Arab Emirates (UAE), the researchers said. The link led to a landing page identical to one present in the Heliconia framework developed by commercial spyware vendor Variston, they added.
The payload in this case was a fully featured Android spyware suite written in C++ that included libraries for decrypting and capturing data from various chat and browser applications, the researchers wrote. They suspect the actor involved is a customer, partner, or otherwise close affiliate of Variston.
The flaws exploited in the chain were CVE-2022-4262, a type confusion vulnerability in Chrome that was a zero-day at the time of exploitation; CVE-2022-3038, a sandbox escape in Chrome fixed in version 105 in June 2022; CVE-2022-22706, a vulnerability in the Mali GPU kernel driver fixed by ARM in January 2022; and CVE-2023-0266, a race condition in the Linux kernel sound subsystem that yields kernel read and write access and was a zero-day at the time of exploitation.
The chain also relied on multiple kernel information leak zero-days while exploiting CVE-2022-22706 and CVE-2023-0266; Google reported those to ARM and Samsung, the researchers wrote.
TAG researchers published a list of indicators of compromise (IoCs) to help device users determine whether they are being targeted by the campaigns. They also stressed how important it is for vendors and users alike to get the latest patches onto mobile devices as quickly as possible once vulnerabilities, or exploits for them, become known.
"A big takeaway here would be to use fully updated software on fully updated devices," Google TAG researchers said in response to questions posed by Dark Reading. "In this case, none of the exploit chains described would have worked."
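The n-day window the researchers describe comes down to a version comparison: is the build on the device older than the build that carries the fix? The example below is added here and is not Google TAG's code or code from the article. It pulls the Chromium and iOS versions out of User-Agent strings and flags the CVEs named above whose first fixed version the article states (CVE-2022-3723 in Chrome 107.0.5304.87, CVE-2022-3038 in Chrome 105, CVE-2021-30900 in iOS 15.1); the zero-days have no fixed version on the page and are deliberately left out. The User-Agent strings, device models and labels in the demo input are constructed for this example, and it also shows the classic mistake the check must avoid: comparing version strings lexically, which sorts 107.0.5304.9 after 107.0.5304.87.

```python
"""Flag browser and OS builds that sit inside an n-day exposure window.

Added example, not code from Google TAG or from the article. The fix
versions in the tables are the ones the article states; the User-Agent
strings in DEMO_USER_AGENTS are constructed for this demo.
"""
import re
from typing import Dict, List, Optional, Tuple

# Chromium CVEs from the article whose first fixed version the article gives.
# CVE-2022-4135 and CVE-2022-4262 were zero-days with no fixed version stated,
# so they are deliberately not in this table.
CHROMIUM_FIXES: Dict[str, str] = {
    "CVE-2022-3723": "107.0.5304.87",  # type confusion, fixed October 2022
    "CVE-2022-3038": "105",            # sandbox escape, fixed in Chrome 105
}

# iOS bug from the first chain; the article says Apple fixed it in iOS 15.1.
IOS_FIXES: Dict[str, str] = {
    "CVE-2021-30900": "15.1",          # AGXAccelerator sandbox escape / LPE
}

# Chromium-based browsers embed the Chromium build as "Chrome/x.y.z.w";
# Samsung Internet reports its own version first ("SamsungBrowser/19.0").
_CHROME_RE = re.compile(r"Chrome/(\d+(?:\.\d+)*)")
# iOS Safari reports e.g. "CPU iPhone OS 15_0_2 like Mac OS X".
_IOS_RE = re.compile(r"iPhone OS (\d+(?:_\d+)*)")


def parse_version(text: str, width: int = 4) -> Tuple[int, ...]:
    """'107.0.5304.87' -> (107, 0, 5304, 87), zero-padded to `width` parts.

    Integer tuples compare correctly. Comparing the raw strings does not:
    '107.0.5304.9' sorts after '107.0.5304.87' lexically but is the older build.
    """
    parts = [int(p) for p in text.replace("_", ".").split(".")]
    if len(parts) > width:
        raise ValueError(f"version has more than {width} components: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_older_than(build: str, fixed: str) -> bool:
    """True when `build` predates the release that carries the fix."""
    return parse_version(build) < parse_version(fixed)


def chromium_version(user_agent: str) -> Optional[str]:
    m = _CHROME_RE.search(user_agent)
    return m.group(1) if m else None


def ios_version(user_agent: str) -> Optional[str]:
    m = _IOS_RE.search(user_agent)
    return m.group(1).replace("_", ".") if m else None


def exposed_cves(user_agent: str) -> List[str]:
    """CVEs from the tables whose fix is newer than the build in the UA."""
    hits: List[str] = []
    cr = chromium_version(user_agent)
    if cr is not None:
        hits += [cve for cve, fixed in CHROMIUM_FIXES.items() if is_older_than(cr, fixed)]
    ios = ios_version(user_agent)
    if ios is not None:
        hits += [cve for cve, fixed in IOS_FIXES.items() if is_older_than(ios, fixed)]
    return sorted(hits)


# Constructed User-Agent strings for the demo (not from the article or TAG).
DEMO_USER_AGENTS: Dict[str, str] = {
    "samsung-internet-19": (
        "Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-S908B) AppleWebKit/537.36 "
        "(KHTML, like Gecko) SamsungBrowser/19.0 Chrome/102.0.0.0 Mobile Safari/537.36"
    ),
    "chrome-107-old-patch": (
        "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/107.0.5304.54 Mobile Safari/537.36"
    ),
    "chrome-107-fixed": (
        "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/107.0.5304.87 Mobile Safari/537.36"
    ),
    "ios-15.0.2": (
        "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0_2 like Mac OS X) "
        "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1"
    ),
}


def triage(user_agents: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each label to the CVEs its build is still exposed to."""
    return {label: exposed_cves(ua) for label, ua in user_agents.items()}


if __name__ == "__main__":
    for label, cves in triage(DEMO_USER_AGENTS).items():
        print(f"{label:22s} {', '.join(cves) or 'no n-day exposure from the tables'}")
```

Two caveats a practitioner should keep in mind. First, User-Agent strings are self-reported and Chrome has been reducing them, so a current Android Chrome may report only the major version (Chrome/107.0.0.0); a patch-level comparison against 107.0.5304.87 then over-flags, and the fourth component is only trustworthy when it comes from device inventory or the browser's own version check. Second, the upstream fixed version says nothing about whether the OEM shipped it, which is exactly the gap the CVE-2022-38181 case above illustrates; for kernel and driver bugs the comparable field on Android is the security patch level, not a browser version.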
