To this day, phishing remains a favorite hacker technique to gain access to a victim’s device. Although best practices to identify and avoid phishing are common knowledge today, several government-backed bad actors leverage phishing tricks in combination with browser and OS vulnerabilities to steal valuable data. Google’s Threat Analysis Group (TAG) is a dedicated team tracking these bad actors, patching vulnerabilities in their wake. It has recently uncovered the full scope of two different attacks exploiting zero-day vulnerabilities.
Google’s TAG actively monitors 30+ commercial spyware vendors offering surveillance and other hacking tools to paying customers like government-backed bad actors who cannot develop such utilities independently. TAG identified two such vendors running operations targeting Android devices, iPhones, the Chrome browser, and the Chromium-based Samsung Internet app.
One attack aimed at Italy, Malaysia, and Kazakhstan used URL shorteners for spam links sent via SMS. If the victim tapped the link, they were redirected to a website hosting malware for Android and iOS, and then redirected again to a legitimate courier tracking website or a Malaysian news platform. On Android, this attack exploited a zero-day vulnerability in Chrome, a zero-day (at the time of the exploit) GPU sandbox bypass, and a privilege escalation bug.
Because the attack relied on Chrome vulnerabilities, the bad actors involved redirected Samsung Internet browser users to Chrome, as opposed to it usually being the other way around. However, all the aforementioned vulnerabilities were identified and patched in late 2022. Vendors haven’t incorporated the fix ARM rolled out for the privilege escalation bug, meaning it is still an active vulnerability on some devices.
The other attack TAG identified was likely the handiwork of a customer of commercial spyware vendor Variston. Coded in C++, the attack targeted users in the UAE by SMS to capture data from web browsers and chat apps installed on the victim’s Android device. Like the previous attack, this one also exploited a few kernel-level zero-day vulnerabilities, and was delivered to the latest version of the Samsung Internet app, then based on Chromium 102. The Korean tech brand fixed these issues in version 19.0.6 of the app rolled out in December 2022, but the browser remains consistently behind Google’s rollout schedule for Chrome.
Although most of the above-mentioned vulnerabilities have been patched, for the umpteenth time, these attacks reiterate the importance of updating your apps and operating systems regularly, and from reputable sources. Google has made the process of auto-updating rather easy with the Play Store, and we cannot emphasize how important it is, especially if security is your top priority.
Often ignoring the associated legalities, attacks using commercial spyware usually target rights workers, journalists, government officials, and state defectors. However, these are targeted attacks typically delivered via conventional phishing links. If you receive clickable links via SMS or email from unverified senders or someone you don’t trust, avoid them at all costs. TAG says the use of link shortener services like Bit.ly is another red flag, because shortened links obscure the real malicious web address.
Staying safe on the internet is all about keeping your wits about you, and avoiding tiny mistakes which cost you dearly.
