Several commercial spyware vendors developed and used zero-day exploits against iOS and Android users last year. However, their exploit chains also relied on known vulnerabilities to work, highlighting the importance of both users and device manufacturers to speed up the adoption of security patches.
"The zero-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices," researchers with Google's Threat Analysis Group (TAG) said in a report detailing the attack campaigns. "Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalise exploits."
The iOS spyware exploit chain
Apple has a much tighter grip on its mobile ecosystem being both the sole hardware manufacturer of iOS devices and the creator of the software running on them. As such, iPhones and iPads have historically had a much better patch adoption rate than Android, where Google creates the base OS and then tens of device manufacturers customise it for their own products and maintain their own separate firmware.
In November 2022, Google TAG detected an attack campaign via SMS that targeted both iOS and Android users in Italy, Malaysia, and Kazakhstan using exploit chains for both platforms. The campaign involved bit.ly shortened URLs that, when clicked, directed users to a web page delivering the exploits then redirected them to legitimate websites, such as the shipment tracking portal for Italian logistics company BRT or a popular news site from Malaysia.
The iOS exploit chain combined a remote code execution vulnerability in WebKit, Apple's website rendering engine used in Safari and iOS, that was unknown and unpatched at the time. The flaw, now tracked as CVE-2022-42856, was patched in January after Google TAG reported it to Apple.
However, a remote code execution flaw in the web browser engine is not enough to compromise a device, because mobile operating systems like iOS and Android use sandboxing techniques to limit the privileges of the browser. Therefore, the attacker combined this zero-day vulnerability with a sandbox escape and privilege escalation flaw (CVE-2021-30900) in AGXAccelerator, a component of the GPU drivers, that Apple had patched in iOS 15.1 back in October 2021.
The exploit chain also used a PAC bypass technique that Apple fixed in March 2022 and which was previously seen in exploits used by a commercial spyware vendor called Cytrox in 2021 to distribute its Predator spyware in a campaign against an Egyptian political opposition leader living in exile and an Egyptian news reporter. In fact, both exploits had a very specific function called make_bogus_transform, which suggests they could be related.
In the November campaign seen by Google TAG, the final payload of the exploit chain was a simple piece of malware that periodically reported back to the attackers the GPS location of the infected devices, but also provided them with the ability to deploy .IPA (iOS application archive) files on the affected devices.
The Android spyware exploit chain
Android users were served a similar exploit chain that combined a code execution vulnerability in the browser engine, this time Chrome, with a sandbox escape and privilege escalation.
The code execution flaw was CVE-2022-3723, a type confusion vulnerability found in the wild by researchers from antivirus vendor Avast and patched in Chrome version 107.0.5304.87 in October 2022. This was combined with a Chrome GPU sandbox bypass (CVE-2022-4135) that was fixed in Android in November 2022, but was a zero-day at the time when it was exploited, and an exploit for a vulnerability in the ARM Mali GPU drivers (CVE-2022-38181) that ARM had issues patches for in August 2022.
This exploit chain, whose payload has not been recovered, worked against users of Android devices with ARM Mali GPUs and a Chrome version lower than 106. The issue is that once ARM issues patches for its code it can take months for device manufacturers to integrate them into their own firmware and issue their own security updates. With the Chrome bug users had less than a month to install the update before this campaign hit.
This highlights how important it is for both device manufacturers to speed up the integration of patches for critical vulnerabilities and for users to keep the apps on their devices up to date, especially critical ones like browsers, email clients and so on.
Spyware exploit chain against Samsung devices
A separate campaign, discovered in December 2022, targeted users of the Samsung Internet Browser, which is the default browser on Samsung Android devices and is based on the Chromium open-source project. This campaign also used links sent via SMS to users in the United Arab Emirates, but the landing page that delivered the exploit was identical to the one TAG previously observed for the Heliconia framework developed by commercial spyware vendor Variston.
This exploit combined multiple zero-day flaws and n-day flaws, but which were zero-days for the Samsung Internet Browser or the firmware running on Samsung devices at the time.
One of the vulnerabilities was CVE-2022-4262, a code execution type confusion vulnerability in Chrome fixed in December 2022. This was combined with a sandbox escape (CVE-2022-3038) that was fixed in August 2022 in Chrome version 105. However, the Samsung Internet Browser at the time of the attack campaign was based on Chromium version 102 and did not include these latest mitigations, showing again how attackers take advantage of the slow patch windows.
The exploit chain also relied on a privilege escalation vulnerability (CVE-2022-22706) in the ARM Mali GPU kernel driver that ARM fixed in January 2022. When the attacks took place in December 2022, the latest firmware version on Samsung devices had not incorporated the fix yet.
The exploit chain also included another zero-day privilege escalation vulnerability (CVE-2023-0266) in the Linux kernel sound subsystem that gave attackers kernel read and write access, as well as multiple kernel information leak zero-days that Google reported to both ARM and Samsung.
"These campaigns continue to underscore the importance of patching, as users wouldn't be impacted by these exploit chains if they were running a fully updated device," the Google TAG researchers said. "Intermediate mitigations like PAC, V8 sandbox and MiraclePTR have a real impact on exploit developers, as they would have needed additional bugs to bypass these mitigations."