Google Moves to Block Invasive Spanish Spyware Framework
The commercial spyware industry is increasingly criticized for selling powerful surveillance tools to anyone who can pay, from governments to criminals around the world. Across the European Union, details recently emerged on how spyware has been used to target activists, opposition leaders, lawyers, and journalists in multiple countries, fueling scandals and calls for reform. Today, Google's Threat Analysis Group (TAG) announced action to block a hacking tool that targets desktop systems and appears to have been developed by a Spanish company.
The exploit framework, dubbed Heliconia, caught Google's attention after a series of anonymous submissions to Chrome's bug reporting program. The disclosures point to exploitable vulnerabilities in Chrome, Windows Defender, and Firefox that could be abused to deploy spyware on target devices, including Windows and Linux computers. The submissions included source code from the Heliconia hacking framework and referred to its three exploit components as Heliconia Noise, Heliconia Soft, and Files. Google says the evidence points to Barcelona-based technology company Variston IT as the developer of the framework.
"The findings indicate that we have many small players in the spyware industry, but there is a strong possibility associated with zero-days," TAG researchers told WIRED, referring to unknown, unpatched vulnerabilities.
Variston IT did not respond to a request for comment from WIRED. Company director Ralf Wegner told TechCrunch that Variston had not had a chance to review the Google research and could not validate it. He added that he "would be surprised if such an item was found in the wild." Google confirmed that the researchers did not contact Variston IT prior to publication, which is standard practice for the company in this type of investigation.
Google, Microsoft, and Mozilla patched the Heliconia vulnerabilities in 2021 and 2022, and Google says it has not detected any current exploitation. But evidence in the bug submissions indicates that the framework was likely used to exploit the vulnerabilities as early as 2018 and 2019, long before they were patched. Heliconia Noise exploited a Chrome renderer vulnerability and then escaped the browser sandbox; Heliconia Soft delivered a malicious PDF file carrying the Windows Defender exploit; and Files deployed a set of Firefox exploits for Windows and Linux. TAG collaborated on the research with members of Google's Project Zero bug research team and the Chrome V8 security team.
The fact that Google sees no current evidence of exploitation could mean that the Heliconia framework is currently dormant, but it could also indicate that the hacking tool has evolved. TAG researchers told WIRED: "There may be other exploits, a new framework, their exploits not bypassing our systems, or there are other existing layers protecting against their exploits."
Ultimately, the team says its goal with this type of research is to shed light on the methods, technical capabilities, and abuses of the commercial spyware industry. TAG added detections to Google's Safe Browsing service to warn users about Heliconia-related sites and files, and the researchers stress that it is important to always keep software up to date.
"The growth of the spyware industry puts users at risk and makes the internet less secure," TAG wrote in a blog post about the findings. "And while surveillance technologies may be legal under national or international law, they are often used in harmful ways to carry out digital espionage against a wide range of groups."