As commercial spyware like Pegasus puts advanced surveillance capabilities in the hands of governments to spy on journalists, human rights activists, political opposition, and dissidents, Google has discovered a new commercial spyware that exploits vulnerabilities in Google Chrome, Mozilla Firefox, and Microsoft Defender.

The Google Threat Analysis Group (TAG) shared findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain that claims to be a provider of custom security solutions.

“Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device,” said the team.

Google, Microsoft, and Mozilla fixed the affected vulnerabilities in 2021 and early 2022.

“While we have not detected active exploitation, it appears likely these were utilized as zero-days in the wild,” said the TAG researchers.

TAG has created detections in Safe Browsing to warn users when they attempt to navigate to dangerous sites or download dangerous files.

“To ensure full protection against Heliconia and other exploits, it’s essential to keep Chrome and other software fully up-to-date,” they mentioned in a blog post.

Buy Me A Coffee

The TAG security team became aware of the Heliconia framework when Google received an anonymous submission to the Chrome bug reporting program.

“The exploitation frameworks, listed below, included mature source code capable of deploying exploits for Chrome, Windows Defender, and Firefox. Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0-days before they were fixed,” said the Google researchers.

Android's New Antitheft Feature Enters Testing Phase in Brazil

Earlier reports have shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise.

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.

The Google teams earlier this year found strong evidence that enterprise-grade Android spyware called ‘Hermit’ is being used via SMS messages to target high-profile Android users.

‘Hermit’ is likely developed by Italian spyware vendor RCS Lab and Tykelab Srl, a telecommunications solutions company operating as a front company.

Italian spyware vendor RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group.

RCS Lab has engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar, and Turkmenistan.