The Google Threat Analysis Group (TAG) recently unearthed that two separate campaigns were conducted last year in order to exploit a number of zero-day and n-day vulnerabilities on Android and iOS devices.
What is an n-day vulnerability? An n-day exploit targets a vulnerability that has already been exploited and for which a patch is available. This differs from a zero-day exploit, which targets a newly discovered vulnerability that the vendor has yet to patch.
These campaigns, carried out by commercial spyware vendors, were limited and highly targeted, taking advantage of the gap between when a fix was released and when it was actually installed on the targeted devices. However, the magnitude and specifics of these campaigns are still unknown.
Spyware Vendors and Zero-Day Exploitation
TAG has been monitoring individuals engaged in information operations, government-backed attacks, and financially driven abuse for years. Recently, TAG has been keeping a close eye on more than 30 commercial spyware vendors of various levels of proficiency and visibility, who are selling exploit and surveillance abilities to government-backed entities.
Such vendors make it easier for government entities to obtain hacking tools that they could not otherwise develop themselves. Even though the use of surveillance technology may be permissible under certain laws, these tools are regularly used by governments to target dissidents, journalists, human rights activists, and opposition political figures, TAG’s Clement Lecigne wrote in a blog post.
In November 2022, TAG uncovered attack chains using 0-days that affected both Android and iOS devices; they were delivered to users in Italy, Malaysia, and Kazakhstan as bit.ly links sent over SMS. When clicked, these links took visitors to pages hosting exploits built specifically for Android or iOS, before redirecting them to legitimate websites such as the shipment-tracking page of BRT, an Italy-based shipping and logistics company, or a well-known Malaysian news website.
The iOS Exploit Chain
The iOS exploit chain targeted OS versions prior to 15.1 and included CVE-2022-42856, a zero-day WebKit remote code execution vulnerability caused by a type confusion issue in the JIT compiler. The exploit used the DYLD_INTERPOSE PAC bypass technique, which Apple fixed in March 2022. The same technique was used in Cytrox’s exploits, as noted in Citizen Lab’s blog post about Predator. Both exploits included the “make_bogus_transform” function as part of the PAC bypass.
Another exploited zero-day is CVE-2021-30900, a sandbox escape and privilege escalation bug in AGXAccelerator, which Apple fixed in the 15.1 update. This bug had previously been documented in an exploit for oob_timestamp released on GitHub in 2020.
The Android Exploit Chain
The Android exploit chain targeted users with ARM GPUs running Chrome versions before 106. The chain is composed of three exploits, including one zero-day: CVE-2022-3723, a type confusion vulnerability detected in the wild by Avast and fixed in October 2022 as part of version 107.0.5304.87. CVE-2022-4135 is a Chrome GPU sandbox bypass that affected only Android; it was classified as a zero-day at the time of exploitation and was patched in November 2022. CVE-2022-38181, a privilege escalation bug patched by ARM in August 2022, was also used. It is still unknown whether attackers had an exploit for this vulnerability before it was reported to ARM.
Notably, users coming from the Samsung Internet Browser were redirected to Chrome using Intent Redirection. This is the opposite of what we have seen attackers do in the past, as in the case of CVE-2022-2856, where users were redirected from Chrome to the Samsung Internet Browser. The payload of this exploit chain was not available.
When ARM released a fix for CVE-2022-38181, many vendors failed to incorporate the patch promptly, leaving the bug exploitable on their devices. This patch gap was recently highlighted in blog posts from Project Zero and GitHub Security Lab.
TAG noted that Pixel devices with the 2023-01-05 security update and Chrome users updated to version 108.0.5359 are protected from both exploit chains.
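The protection thresholds quoted above (Chrome 108.0.5359, the 2023-01-05 Pixel security patch level, and the 107.0.5304.87 fix for CVE-2022-3723) are the kind of values a defender feeds into fleet triage. The following is an added example, not code from the article or from Google TAG: it compares Chrome version strings numerically (plain string comparison gets "99.0..." versus "108.0..." wrong), parses the Android security patch level date, and classifies a constructed device inventory. The inventory, the device identifiers and the `is_pixel` flag are assumptions for illustration; the non-Pixel case is deliberately left as "verify_vendor_patch" because, as the article notes, a vendor's patch level date does not guarantee that the ARM fix was incorporated.

```python
"""Fleet triage against the patch levels named in the TAG report.

Added example, not part of the original article or of Google TAG's tooling.
Thresholds are the ones the article states; the device inventory is
constructed sample data.
"""
from datetime import date
from typing import Dict, Iterable, Optional, Tuple

# Thresholds quoted in the article.
CHROME_FIXED_3723 = "107.0.5304.87"   # CVE-2022-3723 fixed in this build
CHROME_PROTECTED = "108.0.5359"        # TAG: protected from both chains
CHROME_TARGETED_BELOW_MAJOR = 106      # chain targeted Chrome before 106
PIXEL_PATCH_PROTECTED = date(2023, 1, 5)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '108.0.5359.79' into (108, 0, 5359, 79) for numeric comparison."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def version_at_least(actual: str, required: str) -> bool:
    """True if actual >= required; shorter tuples are zero-padded so that
    '108.0.5359' and '108.0.5359.0' compare equal."""
    a, r = parse_version(actual), parse_version(required)
    n = max(len(a), len(r))
    return a + (0,) * (n - len(a)) >= r + (0,) * (n - len(r))


def parse_patch_level(s: str) -> date:
    """Android exposes ro.build.version.security_patch as YYYY-MM-DD."""
    return date.fromisoformat(s.strip())


def assess_device(chrome_version: str, security_patch: str,
                  is_pixel: bool = True) -> Dict[str, object]:
    """Classify one device against the article's thresholds.

    Statuses: exposed, update_chrome, update_os, verify_vendor_patch, protected.
    """
    chrome = {
        "targeted_range": parse_version(chrome_version)[0] < CHROME_TARGETED_BELOW_MAJOR,
        "has_cve_2022_3723_fix": version_at_least(chrome_version, CHROME_FIXED_3723),
        "protected": version_at_least(chrome_version, CHROME_PROTECTED),
    }
    patch = parse_patch_level(security_patch)
    # Only Pixel's patch level is tied to a known fix date by the article;
    # other vendors lagged on CVE-2022-38181, so their date proves nothing.
    os_protected: Optional[bool] = patch >= PIXEL_PATCH_PROTECTED if is_pixel else None

    if chrome["targeted_range"]:
        status = "exposed"            # inside the range the chain was built for
    elif not chrome["protected"]:
        status = "update_chrome"
    elif os_protected is False:
        status = "update_os"
    elif os_protected is None:
        status = "verify_vendor_patch"
    else:
        status = "protected"
    return {"chrome": chrome, "os_patch_protected": os_protected, "status": status}


def triage(inventory: Iterable[Tuple[str, str, str, bool]]) -> Dict[str, str]:
    """Map device id -> status for (id, chrome_version, patch_level, is_pixel) rows."""
    return {dev: assess_device(chrome, patch, pixel)["status"]
            for dev, chrome, patch, pixel in inventory}


# Constructed sample inventory (hypothetical device ids and versions).
SAMPLE_INVENTORY = [
    ("pixel-01", "105.0.5195.136", "2022-11-05", True),
    ("pixel-02", "107.0.5304.105", "2023-01-05", True),
    ("pixel-03", "108.0.5359.128", "2022-12-05", True),
    ("pixel-04", "108.0.5359.128", "2023-01-05", True),
    ("vendor-x-01", "108.0.5359.128", "2023-02-01", False),
]

if __name__ == "__main__":
    for dev, status in triage(SAMPLE_INVENTORY).items():
        print(f"{dev:12s} {status}")
```

Run it directly to print one status per inventory row; the only per-device inputs are the Chrome build string and the `security_patch` property, both of which a device-management agent can read.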