While the Pegasus zero-click exploit for iOS was the most dangerous and notorious piece of commercial spyware in recent history, the fact that it was shut down has not dissuaded the market from digging up zero-days that similarly target mobile users at the operating system level.
Google’s Threat Analysis Group (TAG) keeps tabs on commercial spyware vendors and finds that a group of about 30 of the world’s more serious players continue to peddle (and make big money from) zero-days for Android, iOS, Chrome and Samsung’s pre-installed mobile device software. While none have yet replicated something on the order of the Pegasus iOS exploit, these attacks often rely on exploit chains that mix previously unseen vulnerabilities with known issues that manufacturers are slow to patch.
Shadowy brokers remain the leading supplier of zero-days
For some time, quasi-legal “IT” and “security” contractors have been a primary provider of zero-days, and world governments have been the #1 consumer. These businesses generally exist by promising to sell their products only to government agencies for legitimate law enforcement purposes, but, as the Pegasus leaks have revealed, they are often happy to provide them to totalitarian regimes for questionable uses.
Some governments have the resources to discover zero-days for themselves, but many do not. Authoritarian regimes in this category are generally the group most interested in commercial spyware, even as other governments hit the major producers with sanctions and bans.
The Google report examines two commercial spyware brokers that are not named, but one is believed to be at least involved with Spain’s Variston group. In both cases, these outfits provide attack chains that mix zero-days not previously known to the public with “n-days” that have been disclosed and patched but that still linger in some devices.
Commercial spyware not well regulated, frequently abused
The second piece of commercial spyware specifically targets out-of-date Samsung Android devices, and is the one that may involve Variston, given that it uses an attack site landing page that the group has previously been observed using. This spyware relies on a set of vulnerabilities that Samsung began patching out of its devices some time ago, but that were only fully removed as of late 2022.
The second example in particular illustrates how the commercial spyware market takes advantage of how quickly mobile device manufacturers tend to abandon patching and updates for their products; buyers can now realistically expect only about two years of support from Android devices, and in some cases less than that. Even a security-conscious user can do little if the device is prevented from updating the OS or the pre-installed apps to a current version. Samsung is not the only entity at fault here, however; Google admits that its own Pixel phones did not patch out the ARM vulnerability used in the first example for several months after it was discovered and documented.