According to a report published on Wednesday by Google’s Threat Analysis Group (TAG), commercial spyware vendors leveraged a number of zero-day vulnerabilities that were patched last year to target both Android and iOS devices.
Google security engineer Clement Lecigne published a blog post on Wednesday detailing the findings of TAG’s investigation into two “limited and highly targeted” spyware campaigns.
The first campaign, discovered by TAG in November 2022, used exploit chains targeting both Android and iOS devices.
The campaign was aimed at specific individuals in Italy, Malaysia, and Kazakhstan and utilized Bitly, a link-shortening service, to deliver the exploits to the targets.
According to Computing UK, upon clicking the links, the visitors were redirected to pages that hosted exploits specifically tailored for either Android or iOS devices.
The targets were then redirected to legitimate websites, such as the shipment tracking page of the Italian logistics company BRT or a popular Malaysian news website.
Lecigne added that although ARM had released a fix for CVE-2022-38181, several vendors, including Pixel, Samsung, Xiaomi and Oppo, had not integrated the patch. As a result, attackers were able to exploit the vulnerability freely for several months.
The second campaign, discovered in December 2022, focused on targeting the Samsung Internet Browser by exploiting various zero-day and n-day vulnerabilities.
Attackers sent links via SMS, targeting users in the United Arab Emirates, to deliver fully featured Android spyware.
Google believes the attack was carried out by a customer or partner of Variston, a Spanish commercial spyware vendor whose exploitation frameworks were previously described by the tech giant.
The attackers exploited several Chrome vulnerabilities since the Samsung browser is based on Chromium, which makes it susceptible to the same vulnerabilities as Chrome.
However, the Samsung browser lacked some mitigations that could have made the exploitation more difficult.
According to SecurityWeek, TAG is monitoring over 30 commercial surveillance vendors that sell spyware or exploits to governments and nation-state threat groups.
While Google acknowledges that the use of spyware may be legal under national or international laws, such tools have a history of being used against targets such as government officials, journalists, political dissidents, and human rights activists.