State hackers last year exploited three unknown vulnerabilities in Apple’s iPhone operating system to target victims with spyware developed by a European startup, according to Google.
On Tuesday, Google’s Threat Analysis Group, the company’s team that investigates nation-sponsored hacking, published a report analyzing various government campaigns carried out with hacking tools developed by several spyware and exploit vendors, including Barcelona-based startup Variston.
In one of the campaigns, according to Google, government hackers exploited three iPhone “zero days,” which are vulnerabilities that Apple didn’t know about at the time they were exploited. In this case, the hacking tools were developed by Variston, a surveillance and hacking technology startup whose malware has already been analyzed twice by Google (in 2022 and 2023).
Contact us
Do you have more information about Variston or Protect Electronic Systems? We would love to hear from you. From a non-working device, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or email at lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
Google said it discovered the unknown Variston client using those zero days in March 2023 to target iPhones in Indonesia. The hackers delivered an SMS text message containing a malicious link that infected the target’s phone with spyware, then redirected the victim to a news article in the Indonesian newspaper Pikiran Rakyat. Google did not say who Variston’s government customer was in this case.
An Apple representative did not comment to TechCrunch when asked if the company is aware of this hacking campaign found by Google.
While Variston continues to garner attention from Google, the company has lost several employees over the past year, according to former staff who spoke to TechCrunch on condition of anonymity because they were under a non-disclosure agreement.
It is not yet known who Variston sold the spyware to. According to Google, Variston works “with several other organizations to develop and deliver spyware.”
Google says one of the organizations was Protect AE, which is based in the United Arab Emirates. Local business records identify the company as “Protect Electronic Systems” and say it was founded in 2016 and is based in Abu Dhabi. On its official website, Protect describes itself as “a leading cybersecurity and forensics company.”
According to Google, Protect “combines spyware it develops with Heliconia’s framework and infrastructure into a complete package that is then offered for sale either to a local broker or directly to a government customer.” Heliconia is Variston’s software, which Google previously reported on in 2022.
Variston was founded in 2018 in Barcelona by Ralf Wegener and Ramanan Jayaraman and soon after acquired Italian zero-day research company Truel IT, according to Spanish and Italian business filings seen by TechCrunch.
Wegener and Jayaraman did not respond to an emailed request for comment. Protect representatives also did not respond.
While Israeli companies such as NSO Group, Candiru and Quadream have received a lot of attention in recent years, Google’s report shows that European spyware makers are expanding their reach and capabilities.
Google wrote in its report that its researchers are tracking about 40 spyware makers that sell exploits and surveillance software to government customers around the world. In the report, Google mentions not only Variston but also the Italian companies Cy4Gate, RCS Lab and Negg as examples of relatively new entrants to the market. Founded in 1993, RCS Lab was a partner of the now-defunct spyware maker Hacking Team, but it did not develop spyware itself until recent years, focusing instead on selling traditional wiretapping products to telecom providers.
In its report, Google said it was committed to disrupting hacking campaigns conducted with these companies’ tools because they have been linked to targeted surveillance of journalists, dissidents and politicians.
“Commercial surveillance vendors (CSV) enable the proliferation of dangerous hacking tools,” Google wrote in its report. “Evil is not hypothetical. Spyware vendors tout the legitimate use of their tools in law enforcement and counterterrorism. However, spyware being deployed against journalists, human rights defenders, dissidents and opposition political parties — what Google refers to as ‘high-risk users’ — has been well documented.”
“While the number of users targeted by spyware is small compared to other types of cyber threat activity, the resulting effects are much broader,” the company wrote. “This type of targeted targeting threatens free speech, a free press and the integrity of elections worldwide.”