Spyware vendors use 0-days and n-days against popular platforms

<!DOCTYPE html> <html class="no-js glue-flexbox keyword-blog" lang="en-us" data-locale="en-us"> <head> <meta charset="utf-8" /> <title>Spyware vendors use 0-days and n-days against popular platforms</title> <meta name="description" content="Google’s Threat Analysis Group (TAG) tracks actors involved in information operations (IO), government backed attacks and financially motivated abuse. For years, TAG has been tracking the activities of commercial spyware vendors to protect users. Today, we actively track more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government backed actors. These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers and opposition party politicians.In this blog, we’re sharing details about two distinct campaigns we’ve recently discovered which used various 0-day exploits against Android, iOS and Chrome and were both limited and highly targeted. The 0-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices. 
Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits."/> <meta name="article-author" content="Clement Lecigne"/> <meta property="article:published_time" content="2023-03-29" /> <script type="application/ld+json"> { "@context": "https://schema.org", "@type": "NewsArticle", "mainEntityOfPage": "https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/", "headline": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms", "datePublished": "2023-03-29T12:00:00+00:00", "dateModified": "2023-05-18T17:55:20.285959+00:00", "description": "", "author": { "@type": "Person", "name": "Clement Lecigne" }, "publisher": { "@type": "Organization", "name": "Google", "logo": { "@type": "ImageObject", "url": "https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/", "width": "200", "height": "200" } }, "image": { "@type": "ImageObject", "url": "https://storage.googleapis.com/gweb-uniblog-publish-prod/images/TAG_cards_3-29.width-1300.jpg", "width": "1440", "height": "810" }, "speakable": { "@type": "SpeakableSpecification" } } </script> <link rel="canonical" href="https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/"/> </head> <body class="template-articlepage keyword-blog"> <main id="jump-content" class="site-content" tabindex="-1"> <article class="uni-article-wrapper"> <section class="article-hero"> <div class="article-hero__container"> <h1 class="article-hero__h1">Spyware vendors use 0-days and n-days against popular platforms</h1> </div> </section> <div class="article-meta__author-container" data-analytics-module='{ "module_name": "Hero Menu", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="article-meta__author-wrapper"> <div class="article-meta__abstract"> <div class="article-meta__abstract-aside article-meta__abstract-aside--no-abstract"> <div class="article-meta__published-wrapper"> <p class="article-meta__published-at uni-body--small">Mar 29, 2023</p> </div> </div> </div> </div> <div class="article-meta__container"> <div class="article-meta__content"> <div class="article-meta__author"> <div class="article-meta__author-info"> <div class="article-meta__author-name">Clement Lecigne</div> <div class="article-meta__author-title"> Threat Analysis Group </div> </div> </div> </div> </div> </div> <section class="uni-container article-container"> <div class="uni-wrapper article-container__wrapper"> <div class="uni-content uni-blog-article-container article-container__content " data-reading-time="true" data-component="uni-article-body"> <!--article text--> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><p data-block-key="bhk5e">Google’s Threat Analysis Group (TAG) tracks actors involved in information operations (IO), government backed attacks and financially motivated abuse. 
For years, TAG has been <a href="https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/">tracking the activities</a> of commercial spyware vendors to protect users. Today, we actively track more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government backed actors. These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments to target dissidents, journalists, human rights workers and opposition party politicians.</p><p data-block-key="50m50">In this blog, we’re sharing details about two distinct campaigns we’ve recently discovered which used various 0-day exploits against Android, iOS and Chrome and were both limited and highly targeted. The 0-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices. 
Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.</p></div> </div> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><h3 data-block-key="bhk5e">Campaign #1 - Your missed parcel included 0-days (CVE-2022-42856; CVE-2022-4135)</h3></div> </div> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><p data-block-key="bhk5e">In November 2022, TAG discovered exploit chains with 0-days affecting Android and iOS that were delivered via bit.ly links sent over SMS to users located in Italy, Malaysia and Kazakhstan. 
When clicked, the links redirected visitors to pages hosting exploits for either Android or iOS then redirected them to legitimate websites such as the page to track shipments for Italian-based shipment and logistics company BRT or a popular Malaysian news website.</p></div> </div> </div> <div class="article-image" data-analytics-module='{ "module_name": "Inline Images", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="article-image__is-caption "> <img alt="Image of a screenshot from one of the malicious websites" src=" https://storage.googleapis.com/gweb-uniblog-publish-prod/images/AwHaueEugCtSxrk.width-100.format-webp.webp " class="article-image--large" loading="lazy" data-loading='{ "mobile": "https://storage.googleapis.com/gweb-uniblog-publish-prod/images/AwHaueEugCtSxrk.width-500.format-webp.webp", "desktop": "https://storage.googleapis.com/gweb-uniblog-publish-prod/images/AwHaueEugCtSxrk.width-1000.format-webp.webp" }' > </div> <figcaption class="article-image__caption article-image__is-caption-image "><div class="rich-text"><p data-block-key="0g20w">An example screenshot from one of the malicious websites</p></div></figcaption> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><p data-block-key="bhk5e"><b>iOS Exploit Chain</b></p><p data-block-key="631ti">The iOS exploit chain targeted versions prior to 15.1 and contained the following exploits, including one 0-day:</p><ul><li data-block-key="998om"><a href="https://support.apple.com/en-gb/HT213597">CVE-2022-42856</a>, a WebKit remote code execution exploiting a type confusion issue within the JIT compiler (0-day at time of exploitation).</li><li data-block-key="dlkp1">The exploit used a 
PAC bypass technique which was <a href="https://bugs.webkit.org/show_bug.cgi?id=237867">fixed</a> in March 2022 when Apple removed DYLD_INTERPOSE from WebKit. The exact same technique was used in Cytrox exploits as described by Citizenlab in their <a href="https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/">blog</a> about Predator. The “make_bogus_transform” function is part of the PAC bypass and is present in both exploits.</li></ul></div> </div> </div> <div class="article-image" data-analytics-module='{ "module_name": "Inline Images", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="article-image__is-caption "> <img alt="Extract from CitizenLab report mentioning the “make_bogus_transform” function" src=" https://storage.googleapis.com/gweb-uniblog-publish-prod/images/8voTt9Y9qSfGMGk.width-100.format-webp.webp " class="article-image--full" loading="lazy" data-loading='{ "mobile": "https://storage.googleapis.com/gweb-uniblog-publish-prod/images/8voTt9Y9qSfGMGk.width-500.format-webp.webp", "desktop": "https://storage.googleapis.com/gweb-uniblog-publish-prod/images/8voTt9Y9qSfGMGk.width-1000.format-webp.webp" }' > </div> <figcaption class="article-image__caption article-image__is-caption-image "><div class="rich-text"><p data-block-key="n9azr">Extract from CitizenLab report mentioning the “make_bogus_transform” function</p></div></figcaption> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><ul><li data-block-key="3py4i"><a href="https://support.apple.com/en-us/HT212872">CVE-2021-30900</a>, a sandbox escape and privilege escalation bug in AGXAccelerator, fixed by Apple in 15.1. 
The bug was previously described in an <a href="https://github.com/singi/oob_timestamp">exploit</a> for oob_timestamp published on GitHub in 2020.</li></ul></div> </div> </div> <div class="article-image" data-analytics-module='{ "module_name": "Inline Images", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="article-image__is-caption "> <img alt="screenshot of code" src=" https://storage.googleapis.com/gweb-uniblog-publish-prod/images/849UNtSAjA7atQ7.width-100.format-webp.webp " class="article-image--full" loading="lazy" data-loading='{ "mobile": "https://storage.googleapis.com/gweb-uniblog-publish-prod/images/849UNtSAjA7atQ7.width-500.format-webp.webp", "desktop": "https://storage.googleapis.com/gweb-uniblog-publish-prod/images/849UNtSAjA7atQ7.width-1000.format-webp.webp" }' > </div> <figcaption class="article-image__caption article-image__is-caption-image "><div class="rich-text"><p data-block-key="0g20w">Description of CVE-2021-30900 on an exploit for oob_timestamp (CVE-2020-3837)</p></div></figcaption> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><p data-block-key="bhk5e">The final payload was a simple stager that pings back the GPS location of the device and gives the attacker the ability to install an .IPA file (iOS application archive) onto the affected device.</p></div> </div> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><p data-block-key="bhk5e"><b>Android Exploit 
Chain</b></p><p data-block-key="brq8d">The Android exploit chain targeted users on phones with an ARM GPU running Chrome versions prior to 106. It consisted of three exploits, including one 0-day:</p><ul><li data-block-key="8gr0"><a href="https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html">CVE-2022-3723</a>, a type confusion vulnerability in Chrome, <a href="https://press.avast.com/en-us/avast-threat-report-consumers-plagued-with-refund-fraud-tech-support-scams-and-adware">found</a> by Avast in the wild and <a href="https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html">fixed</a> in October 2022 in version 107.0.5304.87.</li><li data-block-key="1c9kf"><a href="https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html">CVE-2022-4135</a>, a Chrome GPU sandbox bypass only affecting Android (0-day at time of exploitation), fixed in November 2022. Sergei Glazunov from Project Zero helped analyze the exploit and <a href="https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-4135.html">wrote</a> a root cause analysis for this bug.</li><li data-block-key="nt6u"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-38181">CVE-2022-38181</a>, a privilege escalation bug <a href="https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities">fixed</a> by ARM in August 2022. It is unclear if attackers had an exploit for this vulnerability before it was reported to ARM.</li></ul><p data-block-key="4uum6">It’s worth noting users were redirected to Chrome using Intent Redirection if they were coming from a Samsung Internet Browser. In the past, we have seen attackers redirect users from Chrome to Samsung Internet Browser, similar to <a href="https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html">CVE-2022-2856</a>, but in this case the redirection occurred the other way. 
We were unable to obtain the final payload for this exploit chain.</p><p data-block-key="8sdjj">When ARM released a fix for CVE-2022-38181, patches were not immediately incorporated by vendors, resulting in the bug’s exploitation. This was recently highlighted by blog posts from <a href="https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html">Project Zero</a> and <a href="https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/">GitHub Security Lab</a>.</p><p data-block-key="b40n6">Note, Pixel devices with the 2023-01-05 security update are protected against both exploit chains in this blog. Chrome users updated to at least version 108.0.5359 are also protected.</p><p data-block-key="5fe9s"><b>Related IOCs</b></p><ul><li data-block-key="61vl">https://cdn.cutlink[.]site/p/uu6ekt - landing page</li><li data-block-key="472j6">https://api.cutlink[.]site/api/s/N0NBL8/ - Android exploit chain</li><li data-block-key="747sa">https://api.cutlink[.]site/api/s/3PU970/ - iOS exploit chain</li><li data-block-key="257qu">https://imjustarandomsite.3utilities[.]com - exploit delivery server</li></ul></div> </div> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><h3 data-block-key="bhk5e">Campaign #2 - Complete exploit chain against Samsung Internet Browser (CVE-2022-4262; CVE-2023-0266)</h3></div> </div> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><p data-block-key="bhk5e">In December 2022, TAG discovered a complete 
exploit chain consisting of multiple 0-days and n-days targeting the latest version of Samsung Internet Browser. The exploits were delivered in one-time links sent via SMS to devices located in the United Arab Emirates (UAE).</p><p data-block-key="bvnku">The link directed users to a landing page identical to the one TAG examined in the <a href="https://blog.google/threat-analysis-group/new-details-on-commercial-spyware-vendor-variston/">Heliconia framework</a> developed by commercial spyware vendor Variston. The exploit chain ultimately delivered a fully featured Android spyware suite written in C++ that includes libraries for decrypting and capturing data from various chat and browser applications. The actor using the exploit chain to target UAE users may be a customer or partner of Variston, or otherwise working closely with the spyware vendor.</p><p data-block-key="1orvt">The exploit chain TAG recovered was delivered to the latest version of Samsung’s Browser, which runs on Chromium 102 and does not include recent mitigations. If they had been in place, the attackers would have needed additional vulnerabilities to bypass the mitigations. 
The exploit chain consisted of multiple 0-days and n-days:</p><ul><li data-block-key="4fqlp"><a href="https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html">CVE-2022-4262</a>, a type confusion vulnerability in Chrome fixed in December 2022 (0-day at time of exploitation) - similar to <a href="https://github.blog/2022-06-29-the-chromium-super-inline-cache-type-confusion/">CVE-2022-1134</a>.</li><li data-block-key="fe2fp"><a href="https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html">CVE-2022-3038</a>, a sandbox escape in Chrome fixed in August 2022, in version 105 and <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=1340253">found</a> by Sergei Glazunov in June 2022.</li><li data-block-key="7ulab"><a href="https://nvd.nist.gov/vuln/detail/CVE-2022-22706">CVE-2022-22706</a>, a vulnerability in Mali GPU Kernel Driver <a href="https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities">fixed</a> by ARM in January 2022 and marked as being used in the wild. At the time of delivery, the latest Samsung firmware had not included a fix for this vulnerability. This vulnerability grants the attacker system access.</li><li data-block-key="49j71"><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-0266">CVE-2023-0266</a>, a race condition vulnerability in the Linux kernel sound subsystem reachable from the system user and that gives the attacker kernel read and write access (0-day at time of exploitation).</li></ul><p data-block-key="aqqcp">The exploit chain also took advantage of multiple kernel information leak 0-days when exploiting CVE-2022-22706 and CVE-2023-0266. 
Google reported these vulnerabilities to ARM and Samsung, and they have now been fixed as CVE-2023-26083 (ARM) and CVE-2023-21492 (Samsung).</p><p data-block-key="eqrpn">Note, Samsung fixed CVE-2022-4262 and CVE-2022-3038 in Samsung’s Browser after version 19.0.6 released at the end of December 2022.</p><p data-block-key="34b4l"><b>Related IOCs</b></p><ul><li data-block-key="d6l42">www.sufficeconfigure[.]com - landing page and exploit delivery</li><li data-block-key="9lg7t">www.anglesyen[.]org - malware C2</li><li data-block-key="7ndre">The following Android system properties might indicate signs of exploitation:<ul><li data-block-key="67t7p">sys.brand.note</li><li data-block-key="cuutt">sys.brand.notes</li><li data-block-key="aou5e">sys.brand.doc</li></ul></li><li data-block-key="3fsbc">The following directory on the phone might indicate signs of infection:<ul><li data-block-key="ft4o8">/data/local/tmp/dropbox</li></ul></li></ul></div> </div> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><h3 data-block-key="bhk5e">Protecting our users</h3></div> </div> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><p data-block-key="bhk5e">To protect our users, Google has reported these vulnerabilities to the vendors. We would be remiss if we did not acknowledge the quick response and patching of these vulnerabilities by Google’s Chrome, Pixel and Android teams, as well as by Apple. 
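As an added example (not code from TAG or from the original post), the following Python code triages a device against the host indicators listed above for the second campaign and against the Chrome version the post names as protected. It assumes you have saved the output of `adb shell getprop` and a listing of `/data/local/tmp`; the function names and the sample data are constructed for illustration.

```python
import re

# Host indicators published in the post for the second campaign.
IOC_PROPERTIES = ("sys.brand.note", "sys.brand.notes", "sys.brand.doc")
IOC_DIRECTORY = "/data/local/tmp/dropbox"
# The post states that Chrome 108.0.5359 and later is protected against
# the first campaign's exploit chains.
CHROME_PROTECTED = (108, 0, 5359)

# `getprop` prints one property per line as "[key]: [value]".
_PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Parse saved `getprop` output into a {key: value} dict."""
    props = {}
    for line in text.splitlines():
        match = _PROP_LINE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def matching_properties(props):
    """Return the IOC property names that are set.

    Keys are compared exactly, so look-alikes such as
    "sys.brand.notebook" do not produce a hit.
    """
    return [name for name in IOC_PROPERTIES if name in props]


def directory_present(listing):
    """True if the IOC directory, or a path under it, is in the listing.

    Siblings that only share the prefix (for example ".../dropbox2")
    are not counted.
    """
    for raw in listing.splitlines():
        path = raw.strip().rstrip("/")
        if path == IOC_DIRECTORY or path.startswith(IOC_DIRECTORY + "/"):
            return True
    return False


def chrome_is_behind(version):
    """True if the version predates CHROME_PROTECTED, None if unparsable."""
    parts = version.strip().split(".")
    if not (len(parts) >= 3 and all(p.isdigit() for p in parts)):
        return None
    return not (tuple(int(p) for p in parts[:3]) >= CHROME_PROTECTED)


def triage(getprop_text, tmp_listing, chrome_version):
    """Combine the three checks into one report for a single device."""
    props = parse_getprop(getprop_text)
    return {
        "ioc_properties": matching_properties(props),
        "ioc_directory": directory_present(tmp_listing),
        "chrome_behind": chrome_is_behind(chrome_version),
    }


# Constructed sample data, not taken from a real device.
SAMPLE_GETPROP = """\
[ro.product.model]: [SM-EXAMPLE]
[sys.brand.notebook]: [1]
[sys.brand.notes]: [1]
[sys.boot_completed]: [1]
"""
SAMPLE_LISTING = """\
/data/local/tmp/dropbox2
/data/local/tmp/dropbox/
"""

if __name__ == "__main__":
    print(triage(SAMPLE_GETPROP, SAMPLE_LISTING, "102.0.5005.125"))
```

A hit is a lead for further investigation, in line with the post's "might indicate" wording, and an absence of hits does not show that a device is clean.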
We would also like to acknowledge and thank the Amnesty Security Lab for their help uncovering the second campaign detailed in this blog.</p><p data-block-key="bb97a">These campaigns continue to underscore the importance of patching, as users wouldn’t be impacted by these exploit chains if they were running a fully updated device. Intermediate mitigations like PAC, <a href="https://docs.google.com/document/d/1FM4fQmIhEqPG8uGp5o9A-mnPB5BOeScZYpkHjo0KKA8/edit#">V8 sandbox</a> and <a href="https://docs.google.com/document/d/1pnnOAIz_DMWDI4oIOFoMAqLnf_MZ2GsrJNb_dbQ3ZBg/edit">MiraclePTR</a> have a real impact on exploit developers, as they would have needed additional bugs to bypass these mitigations.</p></div> </div> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><h3 data-block-key="bhk5e">Conclusion</h3></div> </div> </div> <div class="module--text module--text__article" data-analytics-module='{ "module_name": "Paragraph", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <div class="uni-paragraph article-paragraph" data-component="uni-article-paragraph"> <div class="rich-text"><p data-block-key="bhk5e">These campaigns are a reminder that the commercial spyware industry continues to thrive. Even smaller surveillance vendors have access to 0-days, and vendors stockpiling and using 0-day vulnerabilities in secret pose a severe risk to the Internet. These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools. 
We remain committed to updating the community, and taking steps to protect users, as we uncover these campaigns.</p></div> </div> </div> </div> </div> </section> </article> <div class="uni-related-articles-cards ga4-carousel" data-analytics-module='{ "module_name": "Article Footer Related Stories", "section_header": "Related stories" }' > <div class="uni-related-articles-cards-container" data-component="uni-related-articles"> <fieldset class="uni-related-articles-cards__pagination ga4-bullets " aria-label="Pagination"> <label for="uni-related-articles-cards__pagination-dot-4" data-index="4" class="dot" data-ga4-analytics-carousel-scroll-click='{ "toggle_type_direction": "bullet", "position": "4" }' > <input type="radio" class="dot-label" 
name="uni-related-articles-cards__pagination" id="uni-related-articles-cards__pagination-dot-4"> </label> <label for="uni-related-articles-cards__pagination-dot-5" data-index="5" class="dot" data-ga4-analytics-carousel-scroll-click='{ "toggle_type_direction": "bullet", "position": "5" }' > <input type="radio" class="dot-label" name="uni-related-articles-cards__pagination" id="uni-related-articles-cards__pagination-dot-5"> </label> <label for="uni-related-articles-cards__pagination-dot-6" data-index="6" class="dot" data-ga4-analytics-carousel-scroll-click='{ "toggle_type_direction": "bullet", "position": "6" }' > <input type="radio" class="dot-label" name="uni-related-articles-cards__pagination" id="uni-related-articles-cards__pagination-dot-6"> </label> </fieldset> </div> </main> <footer class="h-c-footer h-c-footer--topmargin h-c-footer--standard h-has-social" id="footer-standard" data-component="uni-footer-component" data-analytics-module='{ "module_name": "footer", "section_header": "Spyware vendors use 0\u002Ddays and n\u002Ddays against popular platforms" }'> <section class="h-c-footer__global"> <div class="h-c-footer__logo"> <a class="uni-click-tracker" href="https://www.google.com" title="Google" data-analytics='{ "category": "navigation", "action": "footer", "label": "logo", "pagePath": "https://www.google.com" }'> <svg aria-hidden="true" class="h-c-footer__logo-img" viewBox="0 0 396 130" > <use xmlns:xlink="http://www.w3.org/1999/xlink" href="/static/blogv2/images/icons.svg?version=pr20241113-1756#google-logo"></use> </svg> </a> </div> <ul class="h-c-footer__global-links h-no-bullet"> <li class="h-c-footer__global-links-list-item"> <a class="h-c-footer__link uni-click-tracker" href="https://policies.google.com/privacy" data-analytics='{ "category": "navigation", "action": "footer", "label": "{name}", "pagePath": "https://policies.google.com/privacy" }'>Privacy </a> </li> <li class="h-c-footer__global-links-list-item"> <a class="h-c-footer__link 
uni-click-tracker" href="https://policies.google.com/terms" data-analytics='{ "category": "navigation", "action": "footer", "label": "{name}", "pagePath": "https://policies.google.com/terms" }'>Terms </a> </li> <li class="h-c-footer__global-links-list-item"> <a class="h-c-footer__link uni-click-tracker" href="https://about.google/" data-analytics='{ "category": "navigation", "action": "footer", "label": "{name}", "pagePath": "https://about.google/" }'>About Google </a> </li> <li class="h-c-footer__global-links-list-item"> <a class="h-c-footer__link uni-click-tracker" href="https://about.google/products/" data-analytics='{ "category": "navigation", "action": "footer", "label": "{name}", "pagePath": "https://about.google/products/" }'>Google Products </a> </li> </ul> <ul class="h-c-footer__global-links h-c-footer__global-links--extra h-no-bullet"> <li class="h-c-footer__global-links-list-item h-c-footer__global-links-list-item--extra"> <a class="h-c-footer__link uni-click-tracker" href="https://support.google.com" data-analytics='{ "category": "navigation", "action": "footer", "label": "{name}", "pagePath": "https://support.google.com" }'> <svg aria-hidden="true" class="h-c-icon h-c-icon--24px h-c-icon--footer" > <use xmlns:xlink="http://www.w3.org/1999/xlink" href="/static/blogv2/images/icons.svg?version=pr20241113-1756#mi-help"></use> </svg> Help </a> </li> <li class="h-c-footer__global-links-list-item h-c-footer__global-links-list-item--extra uni-footer-language"> <div class="uni-picker" data-component="uni-lang-picker"> <select name="language" class="uni-picker__order-menu" aria-label="Select a language"> <option label="Bahasa Indonesia (Indonesia)" value="/intl/id-id/" class="uni-picker__item" > Bahasa Indonesia (Indonesia) </option> <option label="Deutsch" value="/intl/de-de/" class="uni-picker__item" > Deutsch </option> <option label="English" value="/" class="uni-picker__item" selected="selected" > English </option> <option label="English (Africa)" 
value="/intl/en-africa/" class="uni-picker__item" > English (Africa) </option> <option label="English (Australia)" value="/intl/en-au/" class="uni-picker__item" > English (Australia) </option> <option label="English (Canada)" value="/intl/en-ca/" class="uni-picker__item" > English (Canada) </option> <option label="English (India)" value="/intl/en-in/" class="uni-picker__item" > English (India) </option> <option label="English (MENA)" value="/intl/en-mena/" class="uni-picker__item" > English (MENA) </option> <option label="Español (España)" value="/intl/es-es/" class="uni-picker__item" > Español (España) </option> <option label="Español (Latinoamérica)" value="/intl/es-419/" class="uni-picker__item" > Español (Latinoamérica) </option> <option label="Français (Canada)" value="/intl/fr-ca/" class="uni-picker__item" > Français (Canada) </option> <option label="Français (France)" value="/intl/fr-fr/" class="uni-picker__item" > Français (France) </option> <option label="Italiano" value="/intl/it-it/" class="uni-picker__item" > Italiano </option> <option label="Nederlands (Nederland)" value="/intl/nl-nl/" class="uni-picker__item" > Nederlands (Nederland) </option> <option label="Polski" value="/intl/pl-pl/" class="uni-picker__item" > Polski </option> <option label="Português (Brasil)" value="/intl/pt-br/" class="uni-picker__item" > Português (Brasil) </option> <option label="Česko (Čeština)" value="/intl/cs-cz/" class="uni-picker__item" > Česko (Čeština) </option> <option label="اللغة العربية (MENA)" value="/intl/ar-mena/" class="uni-picker__item" > اللغة العربية (MENA) </option> <option label="日本語 (日本)" value="/intl/ja-jp/" class="uni-picker__item" > 日本語 (日本) </option> <option label="한국어" value="/intl/ko-kr/" class="uni-picker__item" > 한국어 </option> </select> </div> </li> </ul> </section> </footer> <div id="base-scripts" data-scripts='[ { "url": "/static/blogv2/js/csp/gtm.js?version=pr20241113-1756", "options": { "async": false, "defer": true } }, { "url": 
"/static/keyword/js/all/index.js?version=pr20241113-1756", "options": { "async": false, "defer": false } } ]'></div> <div id="extra-scripts" data-scripts=""> </div> <script> var base_scripts = document.querySelector("#base-scripts").getAttribute('data-scripts'); base_scripts = JSON.parse(base_scripts); var extra_scripts = document.querySelector("#extra-scripts").getAttribute('data-scripts'); if (extra_scripts) { extra_scripts = JSON.parse(extra_scripts); } else { extra_scripts = []; } var scripts = base_scripts.concat(extra_scripts); scripts.forEach(function(scriptObj) { var s = document.createElement('script'); s.async = scriptObj.options.async; s.defer = scriptObj.options.defer; s.src = scriptObj.url; document.head.appendChild(s); }); </script> <script src="https://www.gstatic.com/glue/cookienotificationbar/cookienotificationbar.min.js" data-glue-cookie-notification-bar-category="2B" data-glue-cookie-notification-bar-site-id="blog.google"> </script> </body> </html>
