Researchers detect new spyware campaigns exploiting iOS and Android zero days


Two attack campaigns that targeted iOS and Android users with zero-day exploits have been identified and disrupted by researchers at Google’s Threat Analysis Group and Amnesty International’s Security Lab.

Both campaigns bear the hallmarks of state-sponsored campaigns and affected victims in Malaysia, Kazakhstan, Italy, and the United Arab Emirates.

In each case, attackers were using zero-day exploits for both iOS and Android, meaning cybersecurity professionals had no time to patch the previously unknown vulnerabilities. Such flaws are highly prized by cybercriminals because they allow them to catch digital defenders unawares.

The first campaign began with attackers sending short links to victims via text messages. After clicking on the links, targets were directed to websites that delivered the exploits.

Zero-day exploits are, of course, particularly dangerous because they enable attackers to compromise even fully updated phones: the vulnerability has not yet been spotted and fixed by the developer in any previous patch.

Google’s Threat Analysis Group (TAG) said in a blog post it discovered the campaign in November 2022 and was able to capture the exploit chain for both iOS and Android.

TAG has reported these vulnerabilities to vendors and acknowledged the quick response and patching of those vulnerabilities by Google’s Chrome, Pixel, Android, and Apple teams. It also thanked Amnesty International’s Security Lab for its help uncovering the second campaign.

Amnesty International said in its own blog that the Security Lab exposed a “sophisticated” hacking campaign by a mercenary spyware company. The name of said firm is not disclosed.

According to Amnesty International, the attack showed all the hallmarks of an advanced spyware campaign developed by a commercial cyber-surveillance company and sold to government hackers to carry out targeted spyware attacks.

“Unscrupulous spyware companies pose a real danger to the privacy and security of everyone. We urge people to ensure they have the latest security updates on their devices,” said Donncha Ó Cearbhaill, Head of Amnesty International’s Security Lab.

“While it is vital such vulnerabilities are fixed, this is merely a sticking plaster to a global spyware crisis,” he added. “We urgently need a global moratorium on the sale, transfer, and use of spyware until robust human rights regulatory safeguards are in place, otherwise sophisticated cyberattacks will continue to be used as a tool of repression against activists and journalists.”

The Security Lab’s findings allowed Google to capture a new zero-day exploit chain in December 2022 that was being used to hack Android devices. The campaign has been active since at least 2020 and targeted mobile and desktop devices.

The revelations by Google and Amnesty come soon after US president Joe Biden signed an executive order curtailing the use of digital spy tools.

The new rules would ban certain spyware vendors from selling to US government agencies if they are found doing business with foreign governments identified by American intelligence as known abusers of human rights.