Google Uncovers Government-Backed iPhone Hacking Operations Using European Spyware

Google’s Threat Analysis Group, the tech giant’s unit dedicated to probing nation-sponsored cyber activities, has recently revealed a report shedding light on various government-led hacking campaigns. These campaigns notably utilized hacking tools developed by various spyware and exploit vendors, including Barcelona’s own Variston.

According to the report, last year, state-backed hackers exploited three previously unknown vulnerabilities, referred to as “zero-days,” in Apple’s iPhone operating system. These vulnerabilities, unrecognized by Apple at the time of exploitation, were leveraged to deploy spyware crafted by Variston, a surveillance and hacking technology firm whose products have been subject to Google’s scrutiny in 2022 and 2023.

The report indicates that these government hackers launched a campaign in March 2023 targeting iPhone users in Indonesia. The attack method involved sending an SMS containing a malicious link, which, when clicked, installed spyware on the victim’s device and subsequently redirected them to a news article on the Indonesian news site, Pikiran Rakyat. The identity of the government client utilizing Variston’s zero-day vulnerabilities remains undisclosed by Google.

Apple, when approached by TechCrunch for comments about the hacking campaign identified by Google, refrained from responding.

Variston, while continuing to draw attention from Google, has reportedly experienced a decline in its workforce over the previous year. This information comes from former employees who chose to remain anonymous due to non-disclosure agreements.

The specifics of Variston’s client base for its spyware products remain unclear. Google’s findings suggest that Variston has engaged in collaborations with various entities to develop and distribute spyware. One such collaborator is Protected AE, a company based in the United Arab Emirates, identified locally as “Protect Electronic Systems.” Established in 2016 and headquartered in Abu Dhabi, Protect describes itself as a provider of advanced cybersecurity and forensic solutions. The report details how Protect integrates its spyware with Variston’s Heliconia software and infrastructure to create comprehensive surveillance packages, marketed either to local brokers or directly to government clients.

Founded in Barcelona in 2018 by Ralf Wegener and Ramanan Jayaraman, Variston soon acquired the Italian zero-day research firm Truel IT. Requests for comments from the founders and representatives from Protect were not met with responses.

The spotlight in recent years has predominantly been on Israeli spyware companies such as NSO Group, Candiru, and Quadream. However, Google’s report indicates a growing influence and expansion of European spyware manufacturers. Apart from Variston, the report cites other relatively new market entrants like the Italian firms Cy4Gate, RCS Lab, and Negg. RCS Lab, established in 1993, was historically affiliated with the now-defunct Hacking Team and has recently transitioned from traditional telecom-level phone wiretapping to developing its own spyware.

Google’s report emphasizes the company’s commitment to disrupting the malicious operations conducted using these vendors’ tools, citing the targeted surveillance of journalists, dissidents, and political figures. While acknowledging the legitimate uses of spyware in law enforcement and counterterrorism, Google highlights the documented misuse against “high-risk users,” including journalists, human rights defenders, and opposition politicians. The company underscores the broader implications of such targeted attacks, pointing to the threats they pose to freedom of speech, press freedom, and the integrity of electoral processes worldwide.