In December 2022, TAG discovered a complete exploit chain consisting of multiple 0-days and n-days targeting the latest version of Samsung Internet Browser. The exploits were delivered in one-time links sent via SMS to devices located in the United Arab Emirates (UAE).
The link directed users to a landing page identical to the one TAG examined in the Heliconia framework developed by commercial spyware vendor Variston. The exploit chain ultimately delivered a fully featured Android spyware suite written in C++ that includes libraries for decrypting and capturing data from various chat and browser applications. The actor using the exploit chain to target UAE users may be a customer or partner of Variston, or otherwise working closely with the spyware vendor.
The exploit chain TAG recovered was delivered to the latest version of Samsung’s Browser, which runs on Chromium 102 and does not include recent mitigations. If they had been in place, the attackers would have needed additional vulnerabilities to bypass the mitigations. The exploit chain consisted of multiple 0-days and n-days:
The exploit chain also took advantage of multiple kernel information leak 0-days when exploiting CVE-2022-22706 and CVE-2023-0266. Google reported these vulnerabilities to ARM and Samsung. CVE-2023-26083 was reserved for the information leak in Mali.
Note: Samsung fixed CVE-2022-4262 and CVE-2022-3038 in Samsung’s Browser after version 19.0.6, released at the end of December 2022.
Related IOCs