Google has discovered that Barcelona has been one of the origins of a global hacker threat from the company Variston, based in the Catalan capital and in charge of providing spyware to a large group of hackers to attack people in the United Arab Emirates.
Google's Threat Analysis Group (TAG) announced the finding of these hackers targeting people in the United Arab Emirates using Samsung's native Android browser, which is a customized version of Chromium.
As early as November 2022, Google had revealed the existence of a then-unknown spyware provider called Variston, a Barcelona-based company that stands out for its occultism and refusal to want to talk about its questioned activities.
These hackers would have generated several chained vulnerabilities and sent via single-use web links from text messages. Of these four notices, two were from the same day of the attack, and had been communicated to Google at the time.
The way these hackers' cyberattacks worked was as follows: if a target clicked on the malicious web links, they were directed to a landing page "identical to the one TAG examined in the Heliconia framework developed by commercial spyware Variston”, so that the victim was then infected with “a complete spyware for Android” designed to capture data from chat and browser applications, according to Google.
Google's research team warns that the hacker "using the exploit chain to target users in the United Arab Emirates may be a Variston customer or partner, or may be working closely with the spyware vendor."
Despite the information collected, the tech giant still does not know who is behind the hacking campaign or who the victims are. A Google spokesperson told TechCrunch that TAG discovered about 10 such malicious web links, some of which redirected to StackOverflow.
The creators of Variston, the Barcelona-based company that appears to be the source of the spyware hackers have used, are Ralf Wegener and Ramanan Jayaraman, according to Intelligence Online, an online news publication that covers the surveillance industry. Both owned half of the company each in 2018, according to business records.
Amnesty International revealed the United Arab Emirates hacking campaign, saying it has been active since at least 2020 and targeted both mobile phones and computers, with exploits being delivered to a network of more than 1,000 malicious domains, “including domains that impersonate media websites in multiple countries.”
On the other hand, the humanitarian organization has also revealed that there are traces of the same campaign in Indonesia, Belarus, the United Arab Emirates and Italy, but these countries "probably represent only a small subset of the general attack campaign on the basis of the broad nature of the broader attack infrastructure.”
Beyond Android, these hackers have also taken advantage of a bug on the first day of release in iOS, according to Google. Thanks to this, they had managed to remotely place spyware on the devices of iPhone users with iOS 15.1 and earlier versions located in Italy, Malaysia and Kazakhstan.
The discovery of these new hacking campaigns is "a reminder that the commercial spyware industry continues to thrive," Google says. In addition, the technology giant warns that "these campaigns may also indicate that exploits and techniques are being shared among surveillance vendors, allowing the proliferation of dangerous hacking tools." The latter, emerged from Barcelona.
