Tech: Amnesty uncovers new spyware attacks targeting Google Android

In December, Amnesty alerted Google’s Threat Analysis Group to counter the attacks

Billions of users of Android, Chrome and Linux were protected from spyware threats

‘We urgently need a global moratorium on the sale, transfer and use of spyware’ - Donncha Ó Cearbhaill

A sophisticated hacking campaign by a mercenary spyware company targeting Google’s Android operating system has been exposed by Amnesty International’s Security Lab.

Amnesty’s Security Lab - which monitors and investigates companies and governments proliferating and abusing cyber-surveillance technologies - shared its technical findings with Google’s Threat Analysis Group which focuses on countering government-backed cyber-attacks. 

As a result, in December Google - along with other affected vendors, including Samsung - was able to release security updates protecting billions of Android, Chrome and Linux users from the exploitative techniques used in the attack.

Amnesty is not naming the company as it continues to track and investigate the company’s activity. However, the attack showed all the hallmarks of an advanced spyware campaign developed by a commercial cyber-surveillance company which had been sold to government hackers to perform targeted spyware attacks. 

Amnesty believes the spyware campaign has been active since at least 2020 and has targeted mobile and desktop devices, including users of Google’s Android operating system. The spyware and “zero-day exploits” were delivered from an extensive network of more than 1,000 malicious domains, including domains spoofing media websites in multiple countries. Amnesty has published details of the domains and infrastructure it’s identified in connection with the attack to assist civil society in investigating and responding to them (see below for further details). 

Google’s Threat Analysis Group found that Android users in the United Arab Emirates were targeted with one-time attack links sent over SMS which, if clicked, would install the spyware on the target’s phone. Human rights defenders in the UAE have long been targeted by spyware tools from cyber-surveillance companies such as NSO Group and Hacking Team. Victims have included Ahmed Mansoor, who was targeted with spyware from both companies, and subsequently jailed by the Emirati authorities for his human rights work. 

Amnesty’s Security Lab identified additional activity related to the spyware in Indonesia, Belarus and Italy. These countries are likely to represent only a small subset of the overall spyware attacks based on the extensive nature of the wider attack infrastructure. On Monday, in a significant step to address the spyware crisis, US president Joe Biden signed an executive order restricting the US government’s use of commercial spyware technology posing a threat to human rights. 

Donncha Ó Cearbhaill, Head of Amnesty International’s Security Lab, said: 

“Unscrupulous spyware companies pose a real danger to the privacy and security of everyone. We urge people to ensure they have the latest security updates on their devices. 

“While it is vital such vulnerabilities are fixed, this is merely a sticking plaster on a global spyware crisis. 

“We urgently need a global moratorium on the sale, transfer and use of spyware until robust human rights regulatory safeguards are in place, otherwise sophisticated cyber-attacks will continue to be used as a tool of repression against activists and journalists.”

Technical details

Following Amnesty’s intervention, Google’s Threat Analysis Group was also able to obtain the full Android spyware payload delivered by this attack campaign. The process used multiple zero-day exploits - a particularly dangerous spyware invasion which enables attackers to compromise even fully-patched and updated phones as the vulnerability is unknown to the developer - and other recently patched vulnerabilities able to compromise a fully patched Samsung Android device. These vulnerabilities include a zero-day renderer exploit in Chrome, a sandbox escape in Chrome and a privilege escalation vulnerability in a Mali GPU Kernel Driver. The Mali GPU vulnerability had previously been patched by Arm, but the fix was not included in the latest Samsung firmware available in December. The exploit chain also exploited a zero-day in the Linux kernel to gain root privileges (CVE-2023-0266) on the phone. The final vulnerability would also have allowed attackers to invade Linux desktop and embedded systems.

Details of the domains and infrastructure identified by Amnesty are published on GitHub here, while Google’s Threat Analysis Group has published its findings here.

Major threat to human rights defenders

Amnesty continues to work with a growing network of civil society partners to detect and respond to the unique cyber-surveillance threats faced by human rights defenders. This ongoing support includes the sharing of indicators of compromise, forensic methodologies and the development of forensic tools such as the mobile verification toolkit which can be used by civil society to detect targeted spyware threats.  

Numerous abuses uncovered by Amnesty and civil society partners over recent years have shown that the spyware industry poses a major threat to human rights defenders and civil society around the world. The systemic harms of the growing and unregulated cyber-surveillance extend far beyond the now notorious Pegasus spyware developed by NSO Group. In the wake of the 2021 Pegasus Project - which revealed that NSO group spyware had been used to target journalists, human rights defenders and politicians around the world - there is an urgent need for an international moratorium on the development, use, transfer and sale of spyware technologies until a global legal framework is in place to prevent these abuses and protect human rights in the digital age.