Security Google Tag Variston IT 1235037082

Google moves to block invasive Spanish spyware framework

The exploiting framework, dubbed “Heliconia,” came to Google’s attention after a series of anonymous submissions to the Chrome bug reporting program. The disclosures pointed to exploitable vulnerabilities in Chrome, Windows Defender, and Firefox that could be exploited to deliver spyware to target devices, including Windows and Linux computers. The submission included the source code of the Heliconia hacking framework and named the vulnerabilities “Heliconia Noise”, “Heliconia Soft” and “Files”. Google says evidence points to Barcelona-based tech firm Variston IT as the developer of the hacking framework.

“The results indicate that we have many small players in the spyware industry, but with strong zero-day capabilities,” TAG researchers told WIRED, referring to unpatched and unknown vulnerabilities.

Variston IT did not respond to WIRED’s request for comment. Company director Ralf Wegner said TechCrunch that Variston did not have the opportunity to review Google’s research and could not validate it. He added that he “would be surprised if such an object were found in nature.” Google confirmed that the researchers did not contact Variston IT prior to publication, as is standard company practice in such investigations.

Google, Microsoft, and Mozilla patched the Heliconia vulnerabilities in 2021 and 2022, and Google says it hasn’t detected any current exploitation of the bugs. But evidence in bug reports indicates that the framework was likely used to exploit flaws starting in 2018 and 2019, long before they were fixed. “Heliconia Noise” exploited a Chrome renderer vulnerability and sandbox leak, while “Heliconia Soft” used a malicious PDF laced with a Windows Defender exploit, and “Files” distributed a bunch of Firefox exploits for Windows and Linux . TAG collaborated with members of Google’s Project Zero bug-hunting group and the Chrome V8 security team on the research.

The fact that Google sees no current evidence of exploitation may mean that the Heliconia framework is now dormant, but it could also indicate that the hack tool has evolved. “It could be that there are other exploits, a new framework, their exploits haven’t crossed our systems, or there are other layers now to protect their exploits,” TAG researchers told WIRED.

Ultimately, the group says its goal with this type of research is to shed light on the commercial spyware industry’s methods, technical capabilities, and abuses. TAG has created detections for Google’s Safe Browsing service to flag Heliconia-related sites and files, and researchers emphasize that it’s always important keep the software up to date.

“The growth of the spyware industry puts users at risk and makes the Internet less secure,” TAG wrote in a blog posts on the results. “And while surveillance technology may be legal under national or international law, it is often used in malicious ways to conduct digital espionage against a variety of groups.”