UPDATED 20:41 EDT / MARCH 29 2023

Google researchers detail recently discovered campaigns targeting iOS, Android and Chrome

Google LLC’s Threat Analysis Group today revealed the details of two recently discovered campaigns that use various unpatched or “zero-day” exploits against Android, iOS and Chrome.

The first campaign was discovered in November and targeted victims through bit.ly links sent to users over SMS text messages in Italy, Malaysia and Kazakhstan. When clicked, the malicious links redirect visitors to pages hosting exploits before redirecting victims to legitimate websites, such as the page to track shipments for Italian-based shipment and logistics company BRT or a popular Malaysian news website.

The vulnerabilities exploited in the campaign target versions of iOS before 15.1 and Android devices running Chrome versions before 106. For Apple users, the campaign targeted two known common vulnerabilities and exposures, or CVEs: one uses a PAC (pointer authentication code) bypass technique that Apple fixed in March 2022, and the other exploits a sandbox escape and privilege escalation bug in AGXAccelerator that Apple fixed in iOS 15.1.

The Android exploit chain targeted users on phones with an Arm Ltd. graphics processing unit running Chrome versions before 106. As on the Apple side, those behind the campaign used known CVEs: Chrome bugs that had since been fixed in Chrome 107 and later, and an Arm privilege escalation bug fixed in August 2022.

The second campaign, discovered in December, involved multiple exploits targeting the latest version of the Samsung Internet Browser, which is installed on every Samsung Electronics Co. Ltd. device as part of its standard software.

As with the first campaign, potential victims were targeted through one-time links sent via SMS, although this campaign targeted users in the United Arab Emirates. The link directed users to a landing page identical to one developed by spyware provider Variston IT S.L. Google’s researchers noted that the actor using the exploit chain may be a customer or partner of Variston, or otherwise working closely with the vendor.

The exploit chain in the second campaign delivered a fully featured Android spyware suite written in the C++ programming language that included libraries for decrypting and capturing data from various chat and browser applications.

The vulnerabilities targeted in the campaign had all previously been found in Chrome and were patched there during 2022. However, Samsung uses Chrome 102 as the base for its internet browser, and because that base code has not been updated, Samsung’s browser has not received those patches.
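The exposure described above comes down to an engine version that lags the fix: Samsung Internet advertises both its own version and the Chromium base it was built from, so a defender reviewing web-proxy or MDM logs can triage clients by that base rather than by the Samsung version number. The following added example (not code from Google's report or from Samsung) applies the fixed versions named in this article, Chrome 107 and iOS 15.1, to constructed User-Agent strings; the thresholds, the field names and the sample strings are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Fixed versions named in the article; anything older is treated as exposed (assumption).
MIN_SAFE_CHROMIUM_MAJOR = 107   # Android chain: bugs fixed in Chrome 107 and later
MIN_SAFE_IOS = (15, 1)          # iOS chain: AGXAccelerator bug fixed in iOS 15.1

@dataclass
class Assessment:
    platform: str        # "samsung-internet", "chrome-android", "ios" or "unknown"
    engine_version: str  # human-readable engine/OS version that was compared
    exposed: bool        # True when the advertised version predates the fix

def assess_user_agent(ua: str) -> Assessment:
    """Flag a User-Agent whose engine or OS version predates the fixes above.

    Samsung Internet reports its own version and the Chromium base it was built
    from ('SamsungBrowser/19.0 Chrome/102.0.0.0'); only the Chromium major counts.
    """
    m = re.search(r"SamsungBrowser/[\d.]+.*?Chrome/(\d+)", ua)
    if m:
        major = int(m.group(1))
        return Assessment("samsung-internet", f"Chromium {major}", major < MIN_SAFE_CHROMIUM_MAJOR)
    m = re.search(r"Android.*?Chrome/(\d+)", ua)
    if m:
        major = int(m.group(1))
        return Assessment("chrome-android", f"Chromium {major}", major < MIN_SAFE_CHROMIUM_MAJOR)
    m = re.search(r"iPhone OS (\d+)_(\d+)", ua)
    if m:
        ver = (int(m.group(1)), int(m.group(2)))
        return Assessment("ios", f"iOS {ver[0]}.{ver[1]}", ver < MIN_SAFE_IOS)
    return Assessment("unknown", "", False)  # no recognised version marker: do not flag

def exposed_clients(ua_lines):
    """Return the User-Agent strings that should be queued for patch follow-up."""
    return [ua for ua in ua_lines if assess_user_agent(ua).exposed]

# Constructed sample User-Agent strings (not real telemetry).
SAMPLE_UAS = [
    "Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-S908B) AppleWebKit/537.36 (KHTML, like Gecko) "
    "SamsungBrowser/19.0 Chrome/102.0.0.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/111.0.0.0 Mobile Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) "
    "Version/15.0 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) "
    "Version/16.3 Mobile/15E148 Safari/604.1",
]
```

Running `exposed_clients(SAMPLE_UAS)` flags the Samsung Internet build on Chromium 102 and the iOS 15.0 device, while the Chrome 111 and iOS 16.3 clients pass.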

“These campaigns are a reminder that the commercial spyware industry continues to thrive,” the researchers wrote. “Even smaller surveillance vendors have access to 0-days, and vendors stockpiling and using 0-day vulnerabilities in secret pose a severe risk to the internet.”

The researchers added that the campaigns “may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools.”

Image: Needpix
