Introduction: The internet is a vast and complex network of connected devices and services, and as such, it has become a prime target for malicious actors looking to exploit vulnerabilities and steal sensitive information. One of the most significant threats to the internet today is commercial spyware, which is software designed to collect and transmit sensitive information to unauthorized parties. In this article, we will discuss the recent findings of Google’s Threat Analysis Group (TAG) on an exploitation framework known as Heliconia and its possible ties to a company called Variston IT.
The market of commercial spyware
TAG has been tracking the activities of commercial spyware vendors for years, using their research to improve the safety and security of Google’s products and share intelligence with industry peers. The commercial surveillance industry is thriving and has expanded significantly in recent years, creating a risk for internet users around the globe. Commercial spyware puts advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition, and dissidents.
The Heliconia framework
TAG recently discovered an exploitation framework known as Heliconia, which is believed to have ties to a company called Variston IT in Barcelona, Spain. The Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device. Google, Microsoft, and Mozilla have all fixed the affected vulnerabilities in 2021 and early 2022. While TAG has not detected active exploitation, based on their research, it appears likely that these vulnerabilities were utilized as zero-days in the wild.
Google’s researcher became aware of the Heliconia framework when they received an anonymous submission to the Chrome bug reporting program. The submitter filed three bugs, each with instructions and an archive that contained source code. They used unique names in the bug reports, including “Heliconia Noise,” “Heliconia Soft,” and “Files.” TAG analyzed the submissions and found that they contained frameworks for deploying exploits in the wild and a script in the source code included clues pointing to the possible developer of the exploitation frameworks, Variston IT.
The exploitation frameworks, listed below, included mature source code capable of deploying exploits for Chrome, Windows Defender, and Firefox. Although the vulnerabilities are now patched, TAG assesses that it is likely the exploits were used as 0-days before they were fixed.
- Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape
- Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit
- Files: a set of Firefox exploits for Linux and Windows.
TAG’s research has shown the proliferation of commercial surveillance and the extent to which commercial spyware vendors have developed capabilities that were previously only available to governments with deep pockets and technical expertise. The growth of the spyware industry puts users at risk and makes the internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups.
The discovery of Heliconia is a reminder of the growing threat of commercial spyware. It is important for individuals, companies, and governments to be aware of this threat and take steps to protect against it. Keeping software and devices updated, being aware of phishing attempts, and suspicious emails and links are some ways to protect against commercial spyware. Google and TAG will continue to take action against and publish research about the commercial spyware industry to raise awareness and protect internet users.