Google Warns About New Commercial Spyware
Heliconia targets browsers and Windows Defender. The exploitation framework relies on vulnerabilities patched in recent months.
Google has discovered a new exploitation framework that can be used in a targeted way to inject spyware. The exploits, known as Heliconia, apparently originate from Spanish company Variston IT, according to Google Threat Analysis Group (TAG).
According to the analysis, Heliconia exclusively targets security vulnerabilities that have already been patched. They are in browsers such as Chrome and Firefox, as well as in Microsoft’s Defender security application. The vulnerabilities were eliminated in 2021 and at the beginning of this year. However, Google does not rule out the possibility that some of these exploits were also used as zero-days, i.e. before the respective patches were released.
“TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were once only available to governments with deep pockets and technical expertise,” Google TAG’s Clement Lecigne and Benoit Sevens wrote in a blog post. “The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international law, it is often used in harmful ways for digital espionage against a range of groups.
“TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were once only available to governments with deep pockets and technical expertise,” Google TAG’s Clement Lecigne and Benoit Sevens wrote in a blog post. “The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international law, it is often used in harmful ways for digital espionage against a range of groups.”
The Heliconia framework also came to Google’s attention through an anonymous error message for its Chrome browser. It described three bugs: Heliconia Noise is a framework to inject an exploit for a renderer bug into Chrome, followed by a sandbox escape. Heliconia Soft is a web framework for a PDF file containing an exploit for Windows Defender. A bug report called Files, in turn, documents an exploit chain for Firefox for Windows and Linux.
To protect themselves from Heliconia and similar exploits, users should always promptly install all available patches. According to Google, Heliconia highlights the increase in commercial spyware offerings.
