Two commercial spyware vendors exploit zero-day vulnerabilities to target Android and iOS devices



A number of zero-day vulnerabilities that were addressed last year were exploited by commercial spyware vendors to target Android and iOS devices, Google's Threat Analysis Group (TAG) has revealed. The two distinct campaigns were both limited and highly targeted, and both took advantage of the patch gap: the window between the release of a fix and the moment it is actually installed on the targeted devices.

"These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house," TAG's Clement Lecigne said in a new report. "While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers, and opposition party politicians."

The first of the two operations took place in November 2022 and involved sending shortened links over SMS to users located in Italy, Malaysia, and Kazakhstan. Upon clicking, the URLs redirected the recipients to web pages hosting exploits for Android or iOS, before redirecting them again to legitimate news or shipment-tracking websites, so that the victim only ever sees an innocuous page.

The iOS exploit chain leveraged multiple bugs, including CVE-2022-42856 (a zero-day at the time), CVE-2021-30900 (an older bug that had already been patched), and a pointer authentication code (PAC) bypass, to install an .IPA file onto the susceptible device. The mix is characteristic of the patch gap these vendors exploit: one fresh zero-day paired with bugs that are already fixed upstream but not yet applied on the victim's handset.
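The delivery pattern described above (a shortened link, an intermediate host that serves the exploit page, then a bounce to a legitimate news or shipment-tracking site) leaves a distinctive trail in proxy logs that a defender can hunt for. The following is an added example, not code from this article or from Google TAG: it parses constructed proxy-log lines, groups them per client, and flags a shortener click that passes through a host outside the allowlist (noting any .ipa or .apk fetched there) before landing on an allowlisted site. The log format, the shortener list, the allowlist and the 60-second window are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed URL-shortener hosts; the TAG report names no specific shortener.
SHORTENER_HOSTS = {"s.example", "go.example"}
# Assumed allowlist of decoy destinations (legitimate news / shipment tracking).
LEGIT_HOSTS = {"www.example-news.com", "track.example-shipping.com"}
# Mobile payload extensions worth calling out on an intermediate host.
PAYLOAD_EXT = (".ipa", ".apk")
# How long after the shortener click we still attribute requests to the chain.
WINDOW = timedelta(seconds=60)

# Constructed sample log, not real traffic: "ts client method url status location".
# Client 10.0.0.7 follows shortener -> unknown host (serves page, JS, an .ipa) -> news site.
# Client 10.0.0.9 follows shortener -> news site directly (benign, must not be flagged).
SAMPLE_LOG = """\
2022-11-14T10:02:01Z 10.0.0.7 GET https://s.example/3xAmpLe 301 https://landing.example-cdn.net/go?id=9f3
2022-11-14T10:02:02Z 10.0.0.7 GET https://landing.example-cdn.net/go?id=9f3 200 -
2022-11-14T10:02:09Z 10.0.0.7 GET https://landing.example-cdn.net/f.js 200 -
2022-11-14T10:02:11Z 10.0.0.7 GET https://landing.example-cdn.net/p.ipa 200 -
2022-11-14T10:02:12Z 10.0.0.7 GET https://www.example-news.com/article/123 200 -
2022-11-14T10:05:00Z 10.0.0.9 GET https://s.example/3gOoD 301 https://www.example-news.com/article/123
2022-11-14T10:05:01Z 10.0.0.9 GET https://www.example-news.com/article/123 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Parse the assumed log format into event dicts, sorted per client by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, method, url, status, location = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method,
            "url": url,
            "host": urlsplit(url).hostname,
            "status": int(status),
            "location": None if location == "-" else location,
        })
    events.sort(key=lambda e: (e["client"], e["ts"]))
    return events


def find_decoy_chains(events):
    """Flag shortener -> unlisted host -> allowlisted site sequences within WINDOW.

    A shortener hop alone is normal; the signal is an unlisted host that serves
    content in between, which is where the exploit page would sit.
    """
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)

    findings = []
    for client, evs in by_client.items():
        for i, start in enumerate(evs):
            if start["host"] not in SHORTENER_HOSTS:
                continue
            window = [x for x in evs[i + 1:] if x["ts"] - start["ts"] <= WINDOW]
            intermediates = [
                x for x in window
                if x["host"] not in SHORTENER_HOSTS and x["host"] not in LEGIT_HOSTS
            ]
            legit_hits = [x for x in window if x["host"] in LEGIT_HOSTS]
            if not intermediates or not legit_hits:
                continue  # direct shortener -> legitimate site, or no decoy landing
            payloads = [
                x["url"] for x in intermediates
                if urlsplit(x["url"]).path.lower().endswith(PAYLOAD_EXT)
            ]
            findings.append({
                "client": client,
                "shortener": start["url"],
                "intermediate_hosts": sorted({x["host"] for x in intermediates}),
                "final_host": legit_hits[-1]["host"],
                "payloads": payloads,
            })
    return findings


if __name__ == "__main__":
    for f in find_decoy_chains(parse_log(SAMPLE_LOG)):
        print(f)
```

In practice the allowlist would be replaced by a reputation or category feed and the window tuned to the proxy's clock skew; the check that matters is the one in the middle of `find_decoy_chains`: a host that is neither the shortener nor the final, reputable destination served content to the client before the decoy landing.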