Google’s Threat Analysis Group (TAG) has been tracking the activities of commercial spyware vendors that sell exploits or surveillance capabilities to government-backed actors. In a recent blog post, the company shared details about two distinct campaigns that it recently discovered, which used various zero-day exploits against Android, iOS, and Chrome. The first campaign, which was limited and highly targeted, was delivered via bit.ly links sent over SMS to users located in Italy, Malaysia, and Kazakhstan. The second campaign, discovered in December 2022, was a complete exploit chain consisting of multiple zero-day exploits and n-days targeting the latest version of Samsung Internet Browser.
These campaigns underscore the extent to which commercial surveillance vendors have proliferated capabilities that were historically only used by governments with the technical expertise to develop and operationalize exploits. Such vendors enable the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers, and opposition party politicians.
The iOS exploit chain used in the first campaign targeted versions prior to 15.1 and contained the following exploits, including one zero-day: CVE-2022-42856, a WebKit remote code execution exploiting a type confusion issue within the JIT compiler, and CVE-2021-30900, a sandbox escape and privilege escalation bug in AGXAccelerator. The Android exploit chain targeted users on phones with an ARM GPU running Chrome versions prior to 106. It consisted of three exploits, including one zero-day: CVE-2022-3723, a type confusion vulnerability in Chrome, CVE-2022-4135, a Chrome GPU sandbox bypass affecting Android, and CVE-2022-38181, a privilege escalation bug fixed by ARM in August 2022.
The second campaign was targeted at the latest version of Samsung Internet Browser, and the exploits were delivered in one-time links sent via SMS to devices located in the United Arab Emirates. It consisted of multiple zero-day exploits and n-days, including CVE-2022-4262, a use-after-free vulnerability in Blink that was used to achieve arbitrary read/write. The final payload was a simple stager that gave the attacker the ability to execute arbitrary code with the privileges of the browser process.
Users are advised to update to the latest security patches for their devices and software to protect against these exploits.
You could find original report here https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/