On November 20, 2022, Google disclosed the existence of a previously unknown spyware maker known as Variston. Today, Google researchers say they have observed hackers using Variston’s tools within the United Arab Emirates.
In a report released on Wednesday, Google’s Threat Analysis Group (TAG) said that hackers had targeted individuals in the UAE who use Samsung’s official Android browser, Samsung Internet, a modified version of Chromium. The hackers chained together several vulnerabilities, delivered through one-time links sent to the victims via text message. Of the four vulnerabilities in the chain, two were zero-days at the time, meaning they were unknown to, and had not been disclosed to, the software vendor, according to the new blog post from TAG.
If the target clicked the malicious link, they were taken to a landing page “identical to the one TAG examined in the Heliconia framework developed by commercial spyware vendor Variston.” Both campaigns used the exact same, unique landing page, Google told TechCrunch. Once exploited, the victim was infected with “a fully featured Android spyware suite” designed to steal information from chat and browser apps, according to the blog post.
“The actor using the exploit chain to target UAE users may be a customer or partner of Variston, or otherwise working closely with the spyware vendor,” the blog post stated.
It’s not clear who is behind the hacking campaign or who the victims are. A Google spokesperson confirmed to TechCrunch that TAG discovered around 10 malicious websites in the wild. A few of these links redirected to StackOverflow upon exploitation; these might have been the hackers’ own test devices, Google said. TAG said the motive behind the campaign was unclear.
Samsung spokeswoman Chris Langlois said that the company has “already taken necessary steps to prevent these potential exploit chains by issuing patches for the Samsung Internet app in December 2022.”
“December’s update to the Samsung Internet application blocks the entry points to the remaining vulnerabilities and makes sure that the devices are safe. We are working closely along with our partner companies to issue patches to all remaining flaws as quickly as possible, which will begin in April. We recommend that all users keep their devices up-to-date with the latest software in order to provide the best degree of security,” Langlois said.
Ralf Wegener and Ramanan Jayaraman are the founders of Variston, according to Intelligence Online, an online news magazine that covers the surveillance industry. The two owned half of the company in 2018, according to Spanish business records.