Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices (Security News, March 2023)

A number of zero-day vulnerabilities that were addressed last year were exploited by commercial spyware vendors to target Android and iOS devices, Google's Threat Analysis Group has revealed.
When clicked, the URLs redirected the recipients to web pages hosting exploits for Android or iOS, and then redirected them again to legitimate news or shipment-tracking websites.
The iOS exploit chain leveraged multiple bugs, including CVE-2022-42856, CVE-2021-30900, and a pointer authentication code bypass, to install an.
The Android exploit chain comprised three exploits - CVE-2022-3723, CVE-2022-4135, and CVE-2022-38181 - to deliver an unspecified payload. While CVE-2022-38181, a privilege escalation bug affecting Mali GPU Kernel Driver, was patched by Arm in August 2022, it's not known if the adversary was already in possession of an exploit for the flaw prior to the release of the patch.
The second campaign, observed in December 2022, consisted of several zero-days and n-days targeting the latest version of Samsung Internet Browser, with the exploits delivered as one-time links via SMS to devices located in the U.A.E. The web page, similar to those that were used by Spanish spyware company Variston IT, ultimately implanted a C++-based malicious toolkit capable of harvesting data from chat and browser applications.
"Even smaller surveillance vendors have access to zero-days, and vendors stockpiling and using zero-day vulnerabilities in secret pose a severe risk to the Internet."
News URL
https://thehackernews.com/2023/03/spyware-vendors-caught-exploiting-zero.html
Related Vulnerabilities

| Date | CVE | Vulnerability title | Description | Risk |
|---|---|---|---|---|
| 2022-12-15 | CVE-2022-42856 | Type Confusion vulnerability in Apple products | A type confusion issue was addressed with improved state handling. | 8.8 |
| 2022-11-25 | CVE-2022-4135 | Out-of-bounds Write vulnerability in multiple products | Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
| 2022-11-01 | CVE-2022-3723 | Type Confusion vulnerability in Google Chrome | Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2022-10-25 | CVE-2022-38181 | Use After Free vulnerability in Arm products | The Arm Mali GPU kernel driver allows unprivileged users to access freed memory because GPU memory operations are mishandled. | 8.8 |
| 2021-08-24 | CVE-2021-30900 | Out-of-bounds Write vulnerability in Apple iPhone OS | An out-of-bounds write issue was addressed with improved bounds checking. | 7.8 |