Commercial Spyware Making Big Money From Zero-Days for Operating Systems, Major Platforms

by | Apr 6, 2023

While the Pegasus zero-click exploit for iOS was the most dangerous and notorious piece of commercial spyware in recent history, the fact that it was shut down has not dissuaded the market from digging up zero-days that similarly target mobile users at the operating system level.

Google’s Threat Analysis Group (TAG) keeps tabs on commercial spyware vendors and finds that a group of about 30 of the world’s more serious players continue to peddle (and make big money from) zero-days for Android, iOS, Chrome and Samsung’s pre-installed mobile device software. While none have yet to replicate something on the order of the Pegasus iOS exploit, these vulnerabilities often exploit chains that mix previously unseen attacks with known issues that manufacturers are slow to patch.

Shadowy brokers remain the leading supplier of zero-days

For some time, quasi-legal “IT” and “security” contractors have been a primary provider of zero-days and world governments have been the #1 consumer. These businesses generally exist by promising to only sell their products to government agencies for legitimate law enforcement purposes, but as the Pegasus leaks have revealed they are often happy to provide them to totalitarian regimes for questionable uses.

Some governments have the resources to discover zero-days for themselves, but many do not. Authoritarian regimes in this category are generally the group most interested in commercial spyware, even as other governments hit the major producers with sanctions and bans.

The Google report examines two commercial spyware brokers that are not named, but one is believed to be at least involved with Spain’s Variston group. In both cases, these outfits provide attack chains that mix zero-days not previously known to the public with “n-days” that have been disclosed and patched but that still linger in some devices.

Commercial spyware not well regulated, frequently abused

One example of these commercial spyware products attacks both iOS and Android devices, but uses differing attack chains and zero-days to do so. In both cases, the opening move of the chain requires that the target have a product that is at least slightly out of date: an iOS version older than 15.1, or an Android device with an ARM GPU that has a version of Chrome older that 106 installed. Users are first targeted with a malicious SMS that poses as either a package delivery notification or a news website, attempting to get them to follow a link to an attack site that exploits the vulnerabilities via JavaScript. In the case of the Android exploit, it would force Chrome to load the page even if another web browser was set as the default.

The second piece of commercial spyware is specifically targeted at out-of-date Samsung Android devices, and is the one that may involve Variston given that it uses an attack site landing page that the group has previously been observed using. This spyware relies on a set of vulnerabilities that began being patched out of Samsung devices some time ago, but that were fully removed as of late 2022.

The second example in particular illustrates how the commercial spyware market takes advantage of how quickly mobile device manufacturers tend to abandon patching and updates for their products; buyers can only realistically expect about two years of support now from Android devices, and in some cases get less than that. Even a security-conscious user can do little if the device is restricted from updating the OS or the pre-installed apps to a modern version. Samsung is not the only entity at fault here, however; Google admits that its own Pixel phones did not patch out the ARM vulnerability used in the first example for several months after it was discovered and documented.

Recent Posts

How can we help?

11 + 3 =

× How can I help you?