Researchers from Google’s Threat Analysis Group (TAG) in a report detailed the vendors of commercial spyware developed and used zero-day exploits against iOS and Android devices. The exploit chains also relied on known vulnerabilities to work, highlighting the importance of both users and device manufacturers to speed up the adoption of security patches.
The Exploit chains have been detailed out below.
iOS spywares exploit chain
Apple has a much tighter grip on its mobile ecosystem being both the sole hardware manufacturer of iOS devices and the creator of the software running on them.
- Google TAG detected a campaign in November 2022 via SMS that targeted both iOS and Android users in Italy, Malaysia, and Kazakhstan using exploit chains for both platforms. The campaign involved bit.ly shortened URLs that, when clicked, directed users to a web page delivering the exploits and then redirected them to legitimate websites, such as the shipment tracking portal for Italian logistics company BRT or a popular news site from Malaysia.
- The iOS exploit chain combined a remote code execution vulnerability in WebKit, Apple’s website rendering engine used in Safari and iOS, that was unknown and unpatched at the time. The flaw is tracked as CVE-2022-42856, patched in January 2023.
- The RCE flaw in the web browser engine is not enough to compromise a device, because mobile operating systems like iOS and Android use sandboxing techniques to limit the privileges of the browser. The attacker combined this zero-day vulnerability with a sandbox escape and privilege escalation flaw (CVE-2021-30900) in AGXAccelerator, a component of the GPU drivers, that Apple had patched in iOS 15.1 back in October 2021.
- The exploit chain also used a PAC bypass technique that Apple fixed in March 2022, and which was previously seen in exploits used by a commercial spyware vendor called Cytrox in 2021 to distribute its Predator spyware in a campaign against an Egyptian political opposition leader living in exile and an Egyptian news reporter.
- The final payload of the exploit chain was a simple piece of malware that periodically reported back to the attackers the GPS location of the infected devices but also provided them with the ability to deploy .IPA files on the affected devices.
Android spyware exploit chain
Android exploit chain that combines a code execution vulnerability in the browser engine, this time Chrome, with a sandbox escape and privilege escalation.
- The code execution flaw was tracked as CVE-2022-3723, a type confusion vulnerability found and exploited in wild in Chrome version 107.0.5304.87 and patched in October 2022. This was combined with a Chrome GPU sandbox bypass tracked as CVE-2022-4135 that was fixed in Android in November 2022 but was a zero-day at the time when it was exploited, and an exploit for a vulnerability in the ARM Mali GPU drivers tracked as CVE-2022-38181 that ARM had issues patches for in August 2022.
- This exploit chain, whose payload has not been recovered, worked against users of Android devices with ARM Mali GPUs and a Chrome version lower than 106.
- The issue is that once ARM issues patch for its code it can take months for device manufacturers to integrate them into their own firmware and issue their own security updates. With the Chrome bug users had less than a month to install the update before this campaign hit.
This highlights how important it is for both device manufacturers to speed up the integration of patches for critical vulnerabilities and for users to keep the apps on their devices up to date, especially critical ones like browsers, email clients.
Exploit Chain in Samsung
The campaign in Samsung devices used links sent via SMS to users in the United Arab Emirates, but the landing page that delivered the exploit was identical to the one TAG previously observed for the Heliconia framework developed by commercial spyware vendor Variston. This campaign combines several Zeroday flaws.
- CVE-2022-4262, a code execution type confusion vulnerability in Chrome fixed in December 2022.
- Combined with a sandbox escape tracked as CVE-2022-3038 that was fixed in August 2022 in Chrome version 105.
- During the time of the attack campaign was based on Chromium version 102 and did not include these latest mitigations, showing again how attackers take advantage of the slow patch windows.
- The exploit chain also relied on a privilege escalation vulnerability tracked as CVE-2022-22706 in the ARM Mali GPU kernel driver that ARM fixed in January 2022.
- The exploit chain also included another zero-day privilege escalation vulnerability tracked as CVE-2023-0266 in the Linux kernel sound subsystem that gave attackers kernel read and write access, as well as multiple kernel information leak zero-days in both ARM and Samsung.
Indicators of Compromise
- https://cdn.cutlink[.]site/p/uu6ekt – landing page
- https://api.cutlink[.]site/api/s/N0NBL8/ – Android exploit chain
- https://api.cutlink[.]site/api/s/3PU970/ – iOS exploit chain
- https://imjustarandomsite.3utilities[.]com – exploit delivery server
- http://www.sufficeconfigure[.]com – landing page and exploit delivery
- http://www.anglesyen[.]org – malware C2
- The following Android system properties might indicate signs of exploitation
- sys.brand.note
- sys.brand.notes
- sys.brand.doc
- The following directory on the phone might indicate signs of infection
- /data/local/tmp/dropbox
