The commercial spyware industry is increasingly criticized for selling powerful surveillance tools to anyone who can pay, from governments to criminals around the world. Details about how spyware has been used to target activists, opposition leaders, lawyers and journalists in many countries across the European Union have fueled recent scandals and calls for reform. On Wednesday, Google’s Threat Analysis Group (TAG) announced that it is taking action to block one such hacking tool, which targets desktop computers and appears to have been developed by a Spanish firm.
Dubbed “Heliconia”, the exploit framework caught Google’s attention after a series of anonymous submissions to the Chrome bug reporting program. The submissions pointed to vulnerabilities in Chrome, Windows Defender and Firefox that could be exploited to deliver spyware to target devices, including Windows and Linux computers. They contained the source code of the Heliconia hacking framework and referred to its components as “Heliconia Noise”, “Heliconia Soft” and “Files”. Google says the evidence points to the Barcelona-based technology firm Variston IT as the developer of the framework.
“The findings suggest that we have many small players in the spyware industry, but with strong zero-day capabilities,” the TAG researchers said, referring to exploits for vulnerabilities that are not yet known to the vendor and so remain unpatched.
Variston IT did not respond to a request for comment from WIRED. Ralf Wegner, the company’s director, told TechCrunch that Variston had not been given the opportunity to review Google’s research and could not verify it. He added that he “would be surprised if such an item was found in the wild.” Google confirmed that the researchers did not contact Variston IT prior to publication, which Google says is its standard practice for this type of research.
Google, Microsoft and Mozilla patched the Heliconia vulnerabilities in 2021 and 2022, and Google says it is not currently detecting any exploitation of them. But evidence in the bug reports suggests the framework was most likely used in 2018 and 2019, long before the patches were released. “Heliconia Noise” combined a Chrome renderer vulnerability with a sandbox escape, “Heliconia Soft” used a malicious PDF that exploited Windows Defender, and “Files” exploited a set of Firefox vulnerabilities on Windows and Linux. TAG collaborated on the research with Google’s Project Zero bug-hunting group and members of the Chrome V8 security team.
The fact that Google is not seeing current evidence of exploitation may mean that the Heliconia framework is now dormant, but it may also indicate that the tool has evolved. “There may be other exploits, it may be a new framework, their exploits may not have crossed our systems, or there may now be other layers protecting their exploits,” the TAG researchers told WIRED.
Ultimately, the group says the purpose of such research is to shed light on the methods, technical capabilities and abuses of the commercial spyware industry. TAG has added detections to Google’s Safe Browsing service to warn users about Heliconia-related sites and files, and the researchers stress that it remains important to keep software up to date, since all of the Heliconia vulnerabilities have already been patched.
“The growth of the spyware industry is putting users at risk and making the Internet less secure,” TAG wrote in a blog post about the findings. “While surveillance technology may be legal under national or international law, it is often used in harmful ways to digitally spy on various groups.”