Government hackers last year exploited three unknown vulnerabilities in Apple’s iPhone operating system to target victims with spyware developed by a European startup, according to Google.
On Tuesday, Google’s Threat Analysis Group, the company’s team that investigates nation-backed hacking, published a report analyzing several government campaigns conducted with hacking tools developed by several spyware and exploit sellers, including Barcelona-based startup Variston.
In one of the campaigns, according to Google, government hackers took advantage of three iPhone “zero-days,” which are vulnerabilities not known to Apple at the time they were exploited. In this case, the hacking tools were developed by Variston, a surveillance and hacking technology startup whose malware has already been analyzed twice by Google in 2022 and 2023.
Do you have more information about Variston or Protect Electronic Systems? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email firstname.lastname@example.org. You also can contact TechCrunch via SecureDrop.
Google said it discovered the unknown Variston customer using these zero-days in March 2023 to target iPhones in Indonesia. The hackers delivered an SMS text message containing a malicious link that infected the target’s phone with spyware, and then redirected the victim to a news article by the Indonesian newspaper Pikiran Rakyat. Google did not say who was Variston’s government customer in this case.
An Apple spokesperson did not comment to TechCrunch, asking whether the company is aware of this hacking campaign found by Google.
While Variston keeps getting attention from Google, the company has lost multiple employees over the past year, according to former staff who spoke to TechCrunch on the condition of anonymity because they were under a non-disclosure agreement.
It is not yet known who Variston sold its spyware to. According to Google, Variston collaborates “with several other organizations to develop and deliver spyware.”
Google says one of the organizations was Protected AE, which is based in the United Arab Emirates. Local business records identify the company as “Protect Electronic Systems,” and say it was founded in 2016 and headquartered in Abu Dhabi. On its official website, Protect bills itself as “a cutting edge cyber security and forensic company.”
According to Google, Protect “combines spyware it develops with the Heliconia framework and infrastructure, into a full package which is then offered for sale to either a local broker or directly to a government customer,” referring to Variston’s software Heliconia, which Google previously detailed in 2022.
Variston was founded in 2018 in Barcelona by Ralf Wegener and Ramanan Jayaraman, and shortly after acquired Italian zero-day research company Truel IT, according to Spanish and Italian business records seen by TechCrunch.
Wegener and Jayaraman did not respond to a request for comment by email. Representatives from Protect also did not respond.
While there has been a lot of attention in the last few years on Israeli companies like NSO Group, Candiru, and QuaDream, Google’s report shows that European spyware makers are expanding their reach and capabilities.
Google wrote in its report that its researchers track around 40 spyware makers, which sell exploits and surveillance software to government customers around the world. In the report Google mentions not only Variston, but also the Italian companies Cy4Gate, RCS Lab, and Negg as examples of relatively newer companies that have entered the market. RCS Lab was founded in 1993 and used to be a partner of the now-defunct spyware maker Hacking Team, but didn’t develop spyware on its own until recent years, focusing instead on selling products to conduct traditional phone wiretapping at the telecom providers’ level.
In its report, Google said it is committed to disrupting hacking campaigns conducted with these companies’ tools because they have been linked to targeted surveillance of journalists, dissidents, and politicians.
“Commercial surveillance vendors (CSVs) are enabling the proliferation of dangerous hacking tools,” Google wrote in its report. “The harm is not hypothetical. Spyware vendors point to their tools’ legitimate use in law enforcement and counterterrorism. However, spyware deployed against journalists, human rights defenders, dissidents, and opposition party politicians — what Google refers to as ‘high risk users’ — has been well documented.”
“While the number of users targeted by spyware is small compared to other types of cyber threat activity, the follow-on effects are much broader,” the company wrote. “This type of focused targeting threatens freedom of speech, a free press, and the integrity of elections worldwide.”