Security News > 2023 > March > Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices

Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices
2023-03-29 13:52

A number of zero-day vulnerabilities that were addressed last year were exploited by commercial spyware vendors to target Android and iOS devices, Google's Threat Analysis Group has revealed.

Upon clicking, the URLs redirected the recipients to web pages hosting exploits for Android or iOS, before they were redirected again to legitimate news or shipment-tracking websites.

The iOS exploit chain leveraged multiple bugs, including CVE-2022-42856, CVE-2021-30900, and a pointer authentication code bypass, to install an.

The Android exploit chain comprised three exploits - CVE-2022-3723, CVE-2022-4135, and CVE-2022-38181 - to deliver an unspecified payload. While CVE-2022-38181, a privilege escalation bug affecting Mali GPU Kernel Driver, was patched by Arm in August 2022, it's not known if the adversary was already in possession of an exploit for the flaw prior to the release of the patch.

The second campaign, observed in December 2022, consisted of several zero-days and n-days targeting the latest version of Samsung Internet Browser, with the exploits delivered as one-time links via SMS to devices located in the U.A.E. The web page, similar to those that were used by Spanish spyware company Variston IT, ultimately implanted a C++-based malicious toolkit capable of harvesting data from chat and browser applications.

"Even smaller surveillance vendors have access to zero-days, and vendors stockpiling and using zero-day vulnerabilities in secret pose a severe risk to the Internet."


News URL

https://thehackernews.com/2023/03/spyware-vendors-caught-exploiting-zero.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-12-15 CVE-2022-42856 Type Confusion vulnerability in Apple products
A type confusion issue was addressed with improved state handling.
network
low complexity
apple CWE-843
8.8
2022-11-25 CVE-2022-4135 Out-of-bounds Write vulnerability in multiple products
Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
network
low complexity
google microsoft CWE-787
critical
9.6
2022-11-01 CVE-2022-3723 Type Confusion vulnerability in Google Chrome
Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
network
low complexity
google CWE-843
8.8
2022-10-25 CVE-2022-38181 Use After Free vulnerability in ARM products
The Arm Mali GPU kernel driver allows unprivileged users to access freed memory because GPU memory operations are mishandled.
network
low complexity
arm CWE-416
8.8
2021-08-24 CVE-2021-30900 Out-of-bounds Write vulnerability in Apple products
An out-of-bounds write issue was addressed with improved bounds checking.
local
low complexity
apple CWE-787
7.8