The commercial spyware industry has increasingly come under fire for selling powerful surveillance tools to anyone who can pay, from governments to criminals around the world. Across the European Union, details of how spyware has been used to target activists, opposition leaders, lawyers, and journalists in multiple countries have recently touched off scandals and calls for reform. On Wednesday, Google’s Threat Analysis Group announced action to block one such hacking tool that targeted desktop computers and was seemingly developed by a Spanish firm.
The exploitation framework, dubbed “Heliconia,” came to Google’s attention after a series of anonymous submissions to the Chrome bug reporting program. The disclosures pointed to exploitable vulnerabilities in Chrome, Windows Defender, and Firefox that could be abused to deploy spyware on target devices, including Windows and Linux computers. The submission included source code from the Heliconia hacking framework and called the vulnerabilities “Heliconia Noise,” “Heliconia Soft,” and “Files.” Google says the evidence points to the Barcelona-based tech firm Variston IT as the developer of the hacking framework.
“The findings indicate that we have many small players within the spyware industry, but with strong capabilities related to zero days,” TAG researchers told WIRED, referring to unknown, unpatched vulnerabilities.
Variston IT did not respond to a request for comment from WIRED. The company’s director Ralf Wegner told TechCrunch that Variston was not given the opportunity to review Google’s research and could not validate it. He added that he “would be surprised if such item was found in the wild.” Google confirmed that the researchers did not contact Variston IT in advance of publication, as is the company’s standard practice in these types of investigations.
Google, Microsoft, and Mozilla patched the Heliconia vulnerabilities in 2021 and 2022, and Google says it has not detected any current exploitation of the bugs. But evidence in the bug submissions indicates that the framework was likely being used to exploit the flaws starting in 2018 and 2019, long before they were patched. “Heliconia Noise” exploited a Chrome renderer vulnerability and a sandbox escape, while “Heliconia Soft” used a malicious PDF laced with a Windows Defender exploit, and “Files” deployed a group of Firefox exploits for Windows and Linux. TAG collaborated on the research with members of Google’s Project Zero bug-hunting group and the Chrome V8 security team.
The fact that Google does not see current evidence of exploitation may mean that the Heliconia framework is now dormant, but it might also indicate that the hacking tool has evolved. “It could be there are other exploits, a new framework, their exploits didn’t cross our systems, or there are other layers now to protect their exploits,” TAG researchers told WIRED.
Ultimately, the group says its goal with this type of research is to shed light on the commercial spyware industry’s methods, technical capabilities, and abuses. TAG created detections for Google’s Safe Browsing service to warn about Heliconia-related sites and files, and the researchers emphasize that it’s always important to keep software up to date.
“The growth of the spyware industry puts users at risk and makes the Internet less safe,” TAG wrote in a blog post about the findings. “And while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups.”
