Android, iOS, Chrome, and Samsung’s Internet browsers are increasingly exposed to commercial spyware attacks. The attacks use links sent via SMS.
Google’s Threat Analysis Group (TAG) recently observed two specific spyware campaigns that can be used to monitor and track smartphone users. The attackers used commercial spyware that exploits zero-day vulnerabilities in the Android and iOS operating systems as well as in the Chrome and Samsung Internet browsers. Amnesty International’s security lab alerted Google to one of these campaigns.
The first campaign mentioned by Google uses links sent via SMS. After one click, users land on websites that deliver the spyware before they are automatically redirected to legitimate websites such as parcel services or news magazines. This campaign targeted users in Italy, Malaysia, and Kazakhstan and took advantage of vulnerabilities in Android and iOS. These were patched in iOS 15.1 and Chrome 106.
Interestingly, the campaign used a supposedly automatic redirect from Samsung’s Internet browser to Chrome. In the past, the redirect went in exactly the opposite direction, since the attackers then wanted to exploit a security hole in Samsung’s browser. Samsung also uses Chromium for its own browser but is often a little behind with updates.
Amnesty International discovers spyware in the Middle East
The second spyware campaign is based on tips from Amnesty International. In December 2022, security researchers from the human rights organization discovered that people in the United Arab Emirates had received text messages with phishing links that exploited a vulnerability in Samsung’s internet browser. The link led to a website very similar to one previously used by commercial spyware vendor Variston.
Samsung’s Internet browser was still using Chromium 102 at the end of 2022, and that version of the browser engine was not yet protected against the exploits. Samsung closed the security holes at the end of December last year with version 19.0.6 of its browser. Even though most of the exploited security gaps have now been closed by updates, Google nevertheless clearly points to the personal responsibility of smartphone users. They should install updates, especially security updates, quickly.
Google counts over 30 commercial spyware providers
Google’s TAG says it is currently tracking more than 30 providers who want to sell exploits and surveillance capabilities to government agencies. These agencies usually do not have the resources to develop their own spyware and therefore use commercial hacking tools. Although surveillance technology is often legal under national and international law, it is also used by some governments against the opposition, dissidents, human rights activists or even journalists. In the United States, President Biden recently restricted the use of commercial spyware.