blog.google 5/3/2026, 9:49:02 AM · via preferred

Spyware vendors use 0-days and n-days against popular platforms


According to Google's Threat Analysis Group (TAG), its researchers tracked two targeted campaigns that used a mix of 0-day and n-day exploits against popular platforms such as Android, iOS and Chrome, with a focus on highly limited, precise targets. Campaign #1, identified in November 2022, involved 0-days in Android and iOS delivered via bit[.]ly links sent by SMS to users in Italy, Malaysia and Kazakhstan, and included CVE-2022-42856 and CVE-2022-4135 among others.

The Android chain also referenced CVE-2022-3723 and CVE-2022-38181, while the iOS chain incorporated a PAC bypass technique and CVE-2021-30900, ultimately enabling a payload capable of pinging GPS and installing an IPA. Campaign #2, uncovered in December 2022, targeted Samsung Internet Browser users in the UAE with a complete exploit chain built from multiple 0-days and n-days, leading to a fully featured Android spyware suite and linked to the Heliconia framework developed by Variston.

The researchers note that vendor patches reduced the impact: Pixel devices are protected by the 2023-01-05 security update, and Chrome users are protected on version 108.0.5359 or later. These campaigns underscore how commercial spyware vendors proliferate capabilities once reserved for governments, and show that even smaller actors can access 0-days.

Article by CyberSIXT