Google’s Threat Analysis Group (TAG) reports that a Barcelona company sold spyware exploiting Chrome, Firefox, and Windows Defender vulnerabilities to conduct contract surveillance on target PCs. The vulnerabilities were zero-days in the wild when the company exploited them, but Google, Mozilla, and Microsoft patched them in 2021 and early 2022. Variston IT calls itself a custom security solution provider, but Google considers it a commercial surveillance company. The report compares it to entities such as RCS Labs and the NSO Group, which sold tools that let governments spy on devices belonging to journalists, dissidents, and diplomats.

Code from an anonymous bug report submission detailing the exploits pointed Google toward Variston. A web framework called Heliconia Noise exploited a Chrome renderer vulnerability in versions 90.0.4430.72 (April 2021) to 91.0.4472.106 (June 2021). It could achieve remote code execution and escape the Chrome sandbox into the user’s operating system. Google fixed the underlying vulnerability in August 2021.
Variston could also attack Windows Defender, the default antivirus for Windows 10 and 11, through a PDF file containing an exploit. The PDF was delivered when users visited a malicious URL; Windows Defender’s scan of the file triggered the exploit and started the infection chain. Microsoft patched the vulnerability in November 2021.

Finally, Heliconia Files used a Windows and Linux Firefox exploit chain to achieve remote code execution in Mozilla’s browser. The Windows version contained a sandbox escape that Mozilla patched in 2019. Other parts of the malicious package were reported in March 2022, but it might have been in use since December 2018. Although the exploits in TAG’s latest report no longer threaten fully updated systems, concerned users should be aware that information may have leaked late last year and early this year.

The findings show that the commercial surveillance industry is growing even as platform holders fight such companies. Last November, Apple sued the NSO Group and its parent company for deploying spyware that was found on US diplomats’ iPhones. Apple also introduced a Lockdown Mode that disables specific iPhone features to resist spyware, though the reduced feature set could undermine that goal by making those phones easier to fingerprint.