Hacking campaign exploited zero-day tied to spyware firm

A spyware campaign driven by "mercenary" hackers exploited a zero-day vulnerability in Android devices, reported Amnesty International’s Security Labs.

In its report, released Wednesday, security researchers said they notified Google of the spyware campaign in December, which sparked software updates that prevented the hack from being executed on the “billions of Android, Chrome and Linux users” vulnerable to the zero-day flaw.

The human rights organization did not name the spyware company while it continues to investigate and track its activities. However, Amnesty International said “the attack showed all the hallmarks of an advanced spyware campaign developed by a commercial cyber-surveillance company and sold to governments hackers to carry out targeted spyware attacks.”

Also on Wednesday, Google’s Threat Analysis Group (TAG) detailed the zero-day reported by Amnesty International, as well as a zero-day in iOS devices used in a separate spyware campaign.

The reports of the spyware campaigns that governments are using against dissidents, journalists, human rights workers and political opposition members come the same week that U.S. President Joe Biden issued a ban on federal agencies from using commercial spyware except in certain cases, such as research.

Amnesty International shared its technical findings with Google TAG and other vendors, including Samsung, which released security updates for devices affected by the exploit.

“Unscrupulous spyware companies pose a real danger to the privacy and security of everyone. We urge people to ensure they have the latest security updates on their devices,” said Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, in a press release. He also called for a global moratorium on the sale, transfer and use of spyware until safeguards are in place for human rights.

Google captured the zero-day exploit chain used to hack Android devices in December. The campaign has been active since at least 2020, according to Amnesty International, and targeted mobile and desktop devices, including Google’s Android OS. The spyware and exploits came from a network of over 1,000 malicious domains, which included spoofed media sites in multiple countries. 

Android users in United Arab Emirates were targeted with links sent via SMS, which installed the spyware on the target’s phone if clicked, and identified activity related to the campaign in Indonesia, Belarus and Italy. 

According to Amnesty International, Google TAG determined that the exploit chain used multiple zero-days in a fully patched Samsung Android device, as well as in the Linux kernel to gain root privileges on the phone, and Linux desktop and embedded systems.

Google details spyware campaigns, zero-day exploits

Google TAG detailed two campaigns in a March 29 blog post. The first campaign — CVE-2022-42856; CVE-2022-4135 — was discovered in November affecting Android and iOS devices via bit.ly links sent via SMS to users in Italy, Malaysia and Kazakhstan.

The iOS exploit chain targeted versions before 15.1 and included CVE-2022-42856, which is a WebKit remote code execution exploiting a type of confusion within the JIT compiler. Also exploited was a PAC bypass technique, which Apple fixed in March 2022.

The Android exploit targeted users on phones with an ARM GPU running Chrome versions prior to 106, and consisted of three zero-day exploits: CVE-2022-3723, CVE-2022-4135, and CVE-2022-38181.

The second campaign, reported to TAG by Amnesty International, targeted zero-days and n-days in the latest version of Samsung Internet Browser (CVE-2022-4262; CVE-2023-0266). The exploit chain, Google explained, delivered a fully featured Android spyware suit written in C++ that includes libraries for decrypting and capturing data from various chat and browser applications.