Google TAG (Threat Analysis Group), the team that tracks cyberattacks conducted mostly by government-backed actors (as opposed to Project Zero, which looks for vulnerabilities in commercial devices), said it discovered a series of exploit chains for Android, iOS and Chrome that abused 0-day and n-day vulnerabilities to install commercial spyware and other types of malware on victims’ devices.
A first campaign was spotted around November 2022, targeting both Android and iOS devices with different sets of exploits. Victims received an SMS containing a Bit.ly shortened link that claimed a parcel had gone missing; following it first landed them on a malicious web page that triggered the exploits, and immediately afterwards redirected them to the legitimate sites of couriers and shippers from various countries (including Italy).
This made it hard for victims to realize they had been attacked. The malware, TAG goes on to explain, was used mainly to continuously track the location of the devices. Google notes that ARM had already released a patch for one of the security flaws, related to GPUs; however, several manufacturers had not shipped it, leaving devices exposed to attacks for several months.
Note that the BleepingComputer report includes a quote attributed to Clement Lecigne, a member of TAG and author of the report, naming “Pixel, Samsung, Xiaomi, Oppo and others” as manufacturers that did not roll out the patch in a timely manner, but the original article (link in SOURCE at the bottom of the page) now appears to have been edited to remove any explicit names. However, the November 2022 Project Zero post that discussed that flaw, CVE-2022-38181, still lists the same four names right at the beginning of the post.
A second campaign was launched in December, this time targeting Samsung devices via the Samsung Internet Browser. It took place mostly in the United Arab Emirates; the goal of the exploits was to install a complete spyware suite developed in C++, which included libraries to extract information from various chat apps and web browsers. Amnesty International’s cybersecurity team has also been working on the investigation and claims this malware campaign has been active since at least 2020.