Spyware vendor Variston exploited Chrome, Firefox and Windows zero-days, says Google

A Barcelona-based company that bills itself as a custom security solutions provider exploited several zero-day vulnerabilities in Windows, and Chrome and Firefox browsers to plant spyware, say Google security researchers.

In research shared with TechCrunch ahead of publication on Wednesday, Google’s Threat Analysis Group (TAG) says it has linked Variston IT, which claims to offer tailor-made cybersecurity solutions, to an exploitation framework that enables spyware to be installed on targeted devices.

“Our team consists of some of the industry’s most experienced experts,” Variston IT’s website reads. “We are a young but fast-growing company.”

Google researchers became aware of the so-called “Heliconia” exploitation framework after receiving an anonymous submission to its Chrome bug reporting program. After analyzing the framework, Google researchers found clues in the source code that suggested Variston IT was the likely developer.

Heliconia comprises three separate exploitation frameworks: one that contains an exploit for a Chrome renderer bug that allows it to escape the walls of the app’s sandbox to run malware on the operating system; another that deploys a malicious PDF document containing an exploit for Windows Defender, the default antivirus engine in modern versions of Windows; and another framework that contains a set of Firefox exploits for Windows and Linux machines.

Google notes that the Heliconia exploit is effective against Firefox versions 64 to 68, suggesting the exploit was used as early as December 2018, when Firefox 64 was first released.

Google said that while it has not seen the bugs actively exploited in the wild, the bugs were likely utilized as zero-days — named as such since companies have no time, or zero days, to roll out a fix — and later as n-day bugs — when bugs are exploited but after patches are made available. Google, Microsoft and Mozilla fixed the bugs in early 2021 and 2022.

When reached by email, Variston IT director Ralf Wegner told TechCrunch that the company wasn’t aware of Google’s research and could not validate its findings, but “would be surprised if such [sic] item was found in the wild.”

Google said in its blog post commercial spyware, like the Heliconia framework, contains capabilities that were once only available to governments. These capabilities include stealthily recording audio, making or redirecting phone calls and stealing data, such as text messages, call logs, contacts and granular GPS location data, from a target’s device.

“The growth of the spyware industry puts users at risk and makes the internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups,” Google said. “These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry.”

Google’s research lands months after linking a previously unattributed Android mobile spyware, dubbed Hermit, to Italian software outfit, RCS Lab.