Security researchers from Google discovered a sophisticated attack that involved the use of numerous exploits to install malware on Windows and Android-based devices. Windows users were targeted by four zero-day exploits in Windows and Chrome, which means these vulnerabilities were not known to Google or Microsoft. The Android attacks did not exploit zero-day vulnerabilities but Google suspects the attackers also had zero-day Android exploits at their disposal. Targets of interest were infected by compromising websites frequented by the targets. Google isn't pointing any fingers but notes the attack was carried out by a "highly sophisticated actor."
“These exploit chains are designed for efficiency & flexibility through their modularity,” a researcher with Google’s Project Zero exploit research team wrote. “They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains.”