Samsung Users in the UAE Targeted by Spyware

The Threat Analysis Group (TAG) of Google has published a report on commercial spyware vendors exploiting vulnerabilities against iOS and Android users. One of the campaigns being tracked has targeted Android users in the UAE, with traces also being found in Indonesia, Belarus, and Italy — though it's possible the spyware has infected devices outside these regions without being detected.

Google’s TAG highlighted a campaign that took advantage of a “complete exploit chain consisting of multiple 0-days and n-days [vulnerabilities] targeting the latest version of Samsung Internet Browser”. The exploits were delivered by one-time links sent via SMS, which sent users to a malicious landing page where they would be infected with a “fully-featured Android spyware suite.”

Google's Threat Analysis Group (TAG) has revealed that the spyware responsible for exploiting Android vulnerabilities against users in the UAE was developed by a commercial vendor called Variston, based in Spain. According to the report, the spyware contains libraries for decrypting and capturing data from various chat and browser applications. The report also suggests that the actors behind the exploit chain may be a customer or partner of Variston.

Amnesty International’s Security Lab was the organization to first uncover the campaign, the details of which were shared with Google TAG. Amnesty International stated that this meant “Google, along with other affected vendors, including Samsung, were able to release security updates protecting billions of Android, Chrome and Linux users from the exploit techniques used in this attack.” These updates have helped to mitigate the threat posed by the spyware campaign and protect users from further security and privacy risks.

Donncha Ó Cearbhaill, Head of Amnesty International’s Security Lab, said, "Unscrupulous spyware companies pose a real danger to the privacy and security of everyone.” While these vulnerabilities have been fixed, Cearbhaill said this acts as nothing more than “sticking plaster to a global spyware crisis.” Cearbhaill added that a “moratorium on the sale, transfer, and use of spyware” is urgently needed to safeguard activists and journalists from cyberattacks.

Last week, US President Joe Biden’s executive order barred all federal agencies from deploying third-party spyware “that poses risks to the national security and foreign policy interests of the United States.” According to the press release statement, the U.S. government has identified devices associated with 50 agents that have been targeted by commercial spyware.