Hackers used Spanish-made spyware to target users in the United Arab Emirates, Google says
In November 2022, Google revealed the existence of a then unknown spyware vendor called Variston. Now Google researchers say they have seen hackers using Variston’s tools in the United Arab Emirates.
In a report on Wednesday, Google’s Threat Analysis Group (TAG) said it discovered hackers targeting people in the United Arab Emirates who were using Samsung’s native Android browser, which is a customized version of Chromium. The hackers used a set of vulnerabilities chained together and delivered via unique web links sent to targets via SMS. Of the four vulnerabilities in the chain, two were zero-days at the time of the attack, meaning they had not been reported to the software maker and were unknown at the time, according to the new TAG blog post.
If a target clicked on the malicious web links, they would have been directed to a landing page “identical to that TAG examined in the Heliconia framework developed by commercial spyware vendor Variston”. (Both campaigns used the same exact and unique landing page, Google told TechCrunch.) Once exploited, the victim was allegedly infected with “a comprehensive Android spyware suite” designed to capture data from chat and browser apps, depending on the message.
“The actor using the exploit chain to target UAE users may be a customer or partner of Variston, or work closely with the spyware vendor,” the blog post reads.
It is unknown who is behind the hacking campaign or who the victims are. A Google spokesperson told TechCrunch that TAG observed about 10 malicious web links in the wild. Some of the links redirected to StackOverflow after exploitation, suggesting they may have been aimed at the attacker’s own test devices, Google said. TAG said it was unclear who was behind the hacking campaign.
Samsung did not respond to a request for comment.
Ralf Wegener and Ramanan Jayaraman are the founders of Variston, according to Intelligence Online, an online news publication that covers the surveillance industry. Neither founder responded to a request for comment. Variston is headquartered in Barcelona, Spain. According to business registration records in Italy, Variston acquired Italian zero-day research company Truel in 2018.
Google also said on Wednesday it discovered hackers exploiting a zero-day iOS bug, patched in November, to remotely implant spyware on users’ devices. Researchers say they observed attackers abusing the security flaw as part of an exploit chain targeting owners of iPhones running iOS 15.1 and earlier located in Italy, Malaysia and Kazakhstan.
The flaw was found in the WebKit browser engine that powers Safari and other apps, and was first discovered and reported by Google TAG researchers. Apple patched the bug in December, confirming at the time that the company was aware that the vulnerability was being actively exploited “against versions of iOS released before iOS 15.1”.
Hackers also used a second iOS vulnerability described as a PAC bypass technique that was patched by Apple in March 2022, which Google researchers believe is the exact technique used by North Macedonian spyware developer Cytrox to install its Predator spyware. Citizen Lab previously released a report highlighting the government’s widespread use of Predator spyware.
Google also observed hackers exploiting a chain of three Android bugs targeting devices running an ARM-based graphics chip, including one zero-day. Google said ARM released a fix, but several vendors – including Samsung, Xiaomi, Oppo and Google itself – failed to implement it, resulting in “a situation where attackers were able to freely exploit the bug for several months,” Google said.
The discovery of these new hacking campaigns is “a reminder that the commercial spyware industry continues to thrive,” Google says. “Even smaller surveillance providers have access to 0-days, and providers who secretly store and use 0-day vulnerabilities pose a serious risk to the Internet.”
“These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, allowing the proliferation of dangerous hacking tools,” the blog post says.