Connect with us

Hi, what are you looking for?



Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors

Google has linked several zero-day vulnerabilities used last year to target Android and iOS devices to commercial spyware vendors.

iOS exploits used by Pegasus spyware

Several zero-day vulnerabilities patched last year had been exploited by commercial spyware vendors to target Android and iOS devices, according to a report published on Wednesday by Google’s Threat Analysis Group (TAG). 

Google’s security researchers have detailed the zero-day and n-day vulnerabilities exploited in what they described as two different highly targeted campaigns. For many of the zero-days, no information was available until now on the attacks exploiting them. 

The internet giant has been tracking more than 30 spyware vendors that provide exploits and surveillance solutions to governments. While the surveillance technologies themselves may not be illegal — they are typically advertised as solutions designed for official intelligence and law enforcement operations — the problem is that they are often used by governments to target the opposition, journalists, and dissidents. 

In one of the two campaigns described by Google on Wednesday, an attack started with a link being sent to the targeted user via SMS. When clicked, the link took the victim to malicious websites delivering Android or iOS exploits — depending on the target’s device. Once the exploits were delivered, victims were redirected to legitimate websites, likely in an effort to avoid raising suspicion. 

The iOS exploit chain involved CVE-2022-42856, a WebKit vulnerability that Apple patched in iPhones in December 2022 with an iOS update. Attacks also involved a Pointer Authentication (PAC) bypass technique, and an exploit for CVE-2021-30900, a sandbox escape and privilege escalation vulnerability that Apple patched in iOS in 2021. 

The Android exploit chain targeted CVE-2022-3723, a Chrome zero-day fixed by Google in October 2022. 

It also targeted CVE-2022-4135, a Chrome flaw that Google patched in November 2022 — it was the eighth Chrome zero-day of 2022. This is a Chrome GPU sandbox bypass that only impacts Android devices. 

Advertisement. Scroll to continue reading.

The Android chain also included exploitation of CVE-2022-38181, an Arm Mali GPU vulnerability leading to arbitrary kernel code execution and root on Pixel 6 phones. A patch was released by Arm in August 2022, but it was only rolled out to Pixel devices in January 2023. 

“When Arm released a fix for CVE-2022-38181, several vendors, including Pixel, Samsung, Xiaomi, Oppo and others, did not incorporate the patch, resulting in a situation where attackers were able to freely exploit the bug for several months,” Google said, noting that it’s unclear if attackers had been exploiting the flaw before it was responsibly disclosed to Arm.

This campaign targeted users in Italy, Malaysia and Kazakhstan.

Google reported last year that Apple and Android smartphones in Italy and Kazakhstan had been targeted using spyware made by Italian company RCS Lab. However, Google noted in its new blog post that one of the techniques used against iOS devices has also been leveraged by the Predator spyware, made by North Macedonian spyware vendor Cytrox.

In the second campaign, discovered in December 2022, the attackers targeted the Samsung Internet Browser by chaining various zero-day and n-day vulnerabilities. 

In this campaign as well, the exploits were delivered as links sent via SMS. The attacks were aimed at users in the United Arab Emirates and the goal was the delivery of full-featured Android spyware. 

Google believes the attack was carried out by a customer or partner of Variston, a Spanish commercial spyware vendor whose exploitation frameworks were described by the internet giant last year. 

The attackers exploited several Chrome vulnerabilities. The Samsung browser is based on Chromium, which means it’s impacted by the same flaws as Chrome. However, the Samsung browser does not include some mitigations that would have made exploitation more difficult. 

The list of exploits included CVE-2022-4262, a Chrome zero-day fixed by Google in December 2022, and CVE-2022-3038, a Chrome sandbox escape.

The campaign also targeted CVE-2022-22706, a Mali GPU kernel driver issue fixed by Arm in January 2022, and CVE-2023-0266, a Linux kernel sound subsystem flaw that gives the attacker kernel read and write access. Both of these vulnerabilities were exploited in the wild against Android devices before patches were released. 

Google has made available indicators of compromise (IoCs) that can be used to detect these attacks. 

Related: Google Reveals Spyware Vendor’s Use of Samsung Phone Zero-Day Exploits

Related: US to Adopt New Restrictions on Using Commercial Spyware

Related: Leaked Docs Show Spyware Firm Offering iOS, Android Hacking Services for $8 Million

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...