Commercial Spyware Vendors Selling Zero-Days, Exploit Chains for Android, iOS and Chrome

A new report from Google demonstrates that commercial spyware vendors are developing and selling advanced attack methods, including zero-days, of the sort that were once only developed in-house by advanced government hacking teams. The situation is such that governments are now often relying on these vendors for their capabilities.

The report comes from Google’s Threat Analysis Group (TAG), which tracks over 30 of these commercial spyware vendors. The current crop of zero-days, which the report saw deployed in late 2022, targets Android and iOS as well as the Chrome and Samsung web browsers.

Commercial spyware vendors peddle attack chains for major mobile OS and browsers

The Google report notes two examples of commercial spyware in which zero-days are used to open the door, in tandem with n-days (known vulnerabilities with patches available) to increase privileges and access.

The first of these was discovered in November 2022, and directly attacks both iOS and Android. This attack chain opens with zero-days that target either iOS versions prior to 15.1, or Android devices with an ARM GPU running a Chrome version prior to 106. The attack was initiated by SMS, with messages found sent to targets in Italy, Kazakhstan and Malaysia. Targets would receive one of two messages: either a forged package delivery notification purporting to come from Italian shipping service BRT, or a link to a news website in Malaysia.

In both cases, if the victim clicked on the malicious link they would be redirected to a mock-up of the legitimate website that then attempted to deploy the zero-days via JavaScript. Apple devices would be targeted with a WebKit remote code execution exploit, while Android users were hit with an “Intent Redirection” that would force Chrome to load the page even if another browser was selected as the default. Google notes that attackers often use Intent Redirection to push targets to a particular browser with a known exploit, but targets are usually directed away from Chrome rather than to it.

The second piece of commercial spyware is just such an example, focusing on multiple zero-days in the Samsung Internet Browser. It was discovered in December 2022 in another campaign of SMS messages carrying malicious links, this time delivered to targets in the United Arab Emirates (UAE).

Google does not attribute the creators of the commercial spyware in this report, but does note that this second piece redirects targets to a landing page type previously seen used by Barcelona-based group Variston. This attack chain was designed to implant a “full-featured spyware suite” on Android devices by exploiting a set of vulnerabilities (including zero-days) in the browser that were present prior to the release of version 19.0.6 in late 2022.
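The version thresholds quoted above (iOS before 15.1, Chrome before 106 on ARM-GPU Android devices, Samsung Internet before 19.0.6) are exactly what a fleet administrator needs to find devices still exposed to these chains. The following is an added example, not code from the Google report or from any project it names; the device inventory is constructed, and the `Device` fields and GPU strings are assumptions about how an inventory export might look.

```python
"""Flag mobile devices exposed to the attack chains described in Google TAG's report.

Thresholds come from the report as summarised in the article; everything else
(inventory shape, sample devices) is constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


def parse_version(text: str) -> tuple:
    """Turn '106.0.5249' into (106, 0, 5249); non-numeric parts are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def version_lt(installed: str, fixed: str) -> bool:
    """True if installed < fixed. Shorter tuples are zero-padded so '106' == '106.0.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass
class Device:                      # assumed inventory record layout
    name: str
    platform: str                  # "ios" or "android"
    os_version: str
    gpu: str = ""                  # e.g. "ARM Mali-G78" (constructed value)
    chrome_version: Optional[str] = None
    samsung_internet_version: Optional[str] = None


def exposures(d: Device) -> List[str]:
    """Return the chains from the report that this device's versions still allow."""
    hits = []
    if d.platform == "ios" and version_lt(d.os_version, "15.1"):
        hits.append("iOS < 15.1: WebKit RCE chain")
    if d.platform == "android":
        on_arm_gpu = d.gpu.lower().startswith("arm")
        if d.chrome_version and on_arm_gpu and version_lt(d.chrome_version, "106"):
            hits.append("ARM GPU + Chrome < 106: Intent Redirection chain")
        if d.samsung_internet_version and version_lt(d.samsung_internet_version, "19.0.6"):
            hits.append("Samsung Internet < 19.0.6: Variston-style chain")
    return hits


# Constructed sample inventory.
FLEET = [
    Device("exec-iphone", "ios", "15.0.2"),
    Device("patched-iphone", "ios", "16.3"),
    Device("field-android", "android", "12", gpu="ARM Mali-G78", chrome_version="105.0.5195"),
    Device("galaxy-kiosk", "android", "12", gpu="ARM Mali-G78",
           chrome_version="106.0.5249", samsung_internet_version="18.0.4"),
]


def exposure_report(fleet: List[Device]) -> dict:
    """Map device name -> list of exposure strings (empty list means no hit)."""
    return {d.name: exposures(d) for d in fleet}
```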

Zero-days increasingly found, sold by brokers

While governments may turn to commercial spyware developers for zero-days out of convenience or opportunity, the real threat posed by this market is that it puts these capabilities in the hands of smaller governments that would not otherwise be able to develop them independently. As the report notes, these tools are often deployed to track dissidents, journalists that report on government malfeasance, and human rights activists, rather than the terrorists and child abusers that they are purported to be intended for.

Pegasus and its notorious exploits brought strong regulatory focus to the commercial spyware market, leading to restrictions and bans in some countries (along with legal pushback by Apple, who saw their mobile OS compromised by a zero-day that could be initiated via iMessage without any user interaction). But Google finds that these efforts are not yet bringing this sometimes-rogue market to heel. Governments with bad intentions are still free to purchase commercial spyware and zero-days from operators that are not even trading through the black market, but distributing out in the open as “security providers” or “IT consultants.”

The incident also illustrates how vital it is for manufacturers in the Android market to keep up with patching, as failure to do so can turn zero-days into n-days that persist for months (or longer). The Google report notes that ARM had released a patch for the vulnerability that was crucial to the Android attack chain in one of these cases, but a number of major manufacturers (including Samsung and Google’s own Pixel) failed to ship it for a few months following its release, thus leaving an unnecessary attack window open for certain device types.

The Google report also indicates that some commercial spyware vendors may be collaborating, sharing zero-days to create more effective attack chains to market to their customers. A recent executive order from the Biden administration broadly banned tools of this nature that “threaten national security” from use by the federal government, and encouraged the development of “responsible norms” for deploying them. A mid-March UN report also named state spyware among modern threats to human rights for which stronger regulation should be adopted around the world.