
Amnesty International’s Security Lab has uncovered a hacking campaign targeting devices running on the Android operating system. In a press release on Wednesday, the human rights group said a “mercenary spyware company” was behind the campaign. It did not name the company as it continues to monitor its activity.

Amnesty International said the attacks have all the traits of an advanced spyware campaign “developed by a commercial cyber-surveillance company and sold to government hackers to carry out targeted spyware attacks.”

One such spyware, Pegasus, developed by Israel-based NSO Group, has faced immense backlash following reports of misuse by governments.

Amnesty International informed Google Threat Analysis Group (TAG) about the campaign in question in December 2022. This information helped TAG shut down the malicious activity. Google and other vendors have since released updates to protect Android devices from the attack.

“While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers and opposition party politicians,” Google’s Threat Analysis Group said in a blog post on Wednesday.

Spyware Campaign Targeted Users in UAE, Indonesia, Belarus, Italy

Google TAG found that some Android users in the UAE received malicious links sent over SMS. If a target clicked the link, spyware was automatically installed on their device. Amnesty International’s Security Lab also observed similar activity against targets in the UAE, as well as in Indonesia, Belarus, and Italy. The human rights group said these countries likely make up only a small subset of the targets.

Countries in the Middle East have been targeted in spyware campaigns in the recent past, including the RatMilad campaign, which targeted business mobile devices.

After analyzing the spyware payload, TAG said the exploit chain used multiple zero-days and recently patched vulnerabilities. In fact, the spyware payload managed to breach an updated Samsung Android device. The payload exploited vulnerabilities in Chrome, including one zero-day, and a privilege escalation flaw in a Mali GPU kernel driver.

Samsung fixed the browser vulnerabilities at the end of December 2022 with version 19.0.6.

U.S. Takes Stern Stance Against Misuse of Spyware

This campaign highlights the threat of malicious commercial spyware, even after the recent public scrutiny of Pegasus. Earlier this week, U.S. President Joe Biden signed an executive order banning federal government departments and agencies from procuring and using spyware with a history of misuse.

The executive order closes the lucrative U.S. government market to vendors with a chequered past. It also sends a strong message to proprietors to clean up their act.

“Unscrupulous spyware companies pose a real danger to the privacy and security of everyone. We urge people to ensure they have the latest security updates on their devices,” said Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab.

“While it is vital such vulnerabilities are fixed, this is merely a sticking plaster to a global spyware crisis. We urgently need a global moratorium on the sale, transfer, and use of spyware until robust human rights regulatory safeguards are in place, otherwise, sophisticated cyber-attacks will continue to be used as a tool of repression against activists and journalists,” he added.

We recommend you get the latest updates if you’re using an Android device. It’s important to know how to protect your device from mobile spyware. Check out our article on how to tell if your phone is being monitored for more information.
