Governments around the world, seeking to spy on human rights activists, dissidents and others of interest, have fostered a sharp proliferation of commercial spyware vendors (CSVs) in recent years, with more and more cyberweapons brokers entering the market.
What was once the domain of Israel's NSO Group, the supplier of the infamous Pegasus spyware program, and a handful of others is now crowded with dozens of small CSVs with varying levels of sophistication and capabilities, according to Google's "Buying Spying" report released today. Their operations, while often targeting only a relatively small number of individuals, have significantly broader repercussions, Google warned in the comprehensive new report on this troubling trend.
“We have seen no evidence that CSV customers are using spyware to try to hack the company as a whole,” a researcher from the Google Threat Analysis Group (TAG) told Dark Reading.
CSVs account for nearly half of all Google 0-Day exploits
One of the biggest manifestations of the Internet-wide threat presented by these vendors is their role in finding and exploiting zero-day vulnerabilities in widely used products from Google, Apple, and numerous other major technology vendors.
Google identified CSVs as responsible for nearly half of known zero-day exploits, 35 of 72, in its technologies between mid-2014 and the end of 2023. CSVs also accounted for as many as 20 of the 25 zero-day vulnerabilities that Google TAG researchers observed attackers exploiting in the wild last year. And even those numbers are almost certainly an undercount, Google said.
Growing alarm over the trend prompted the Biden administration to release an executive order in March 2023 designed to counter and prevent the proliferation of commercial spyware products that pose a risk to activists, dissidents, journalists and others. In addition to Google's report, many other organizations, including Apple, Citizen Lab at the University of Toronto, Cisco, the European Parliament, and the Carnegie Endowment, have highlighted the rampant growth of CSV operations globally.
An explosion of spyware
Much of the concern has to do with the explosion in the availability of tools and services that allow governments and law enforcement to penetrate targeted devices with impunity, collect information from them, and spy unchecked on victims. Vendors selling these tools, most of which are designed for mobile devices, have often openly presented their products as legitimate tools that aid in law enforcement and counter-terrorism efforts.
But the reality is that repressive governments have routinely used spyware tools against journalists, activists, dissidents and politicians from opposition parties, Google said.
The company’s report cites three cases of such abuse: one that targeted a human rights defender working with a Mexico-based rights organization; another against a Russian journalist in exile; and the third against the co-founder and director of a Salvadoran investigative news outlet.
The price you pay for end-to-end surveillance
The researcher attributes much of the recent growth of the CSV market to strong demand from governments around the world to outsource their need for spyware tools rather than have an in-house advanced persistent threat group build them.
"Governments no longer have to rely on developing their own capabilities, but can purchase a contract for guaranteed exploits and a complete service tool from delivery to installation to analysis of the collected data," says the Google TAG researcher.
Google's report pointed to Greece-based Intellexa, a supplier about which the company and Amnesty International recently warned, as an example of the end-to-end surveillance capabilities that CSVs can offer government customers today and the pricing of those services. "For 8 million euros the customer receives the ability to use a one-click remote exploit chain to install spyware implants on Android and iOS devices, with the ability to run 10 simultaneous spyware implants at any time," Google said.
The base price offers government and/or law enforcement users the ability to install and manage Intellexa's Nova system, which includes its Predator spyware and a data analysis system, on devices in the purchasing customer's country and using the country's SIM cards. It also includes a one-year maintenance guarantee, meaning that if a zero-day exploit the vendor may have used in the chain is patched, the customer will receive a new exploit, Google said.
Customers willing to pay an additional 1.2 million euros (about $1.3 million) get the ability to infect Android and iOS devices in five additional countries, and for another 3 million euros (about $3.2 million) they get guaranteed persistence on target devices.
"If [state-sponsored actors] ever had a monopoly on the most sophisticated features, that era is certainly over," Google said in its report. "The private sector is now responsible for a significant portion of the most sophisticated tools we detect."
The exploitation chain is growing
Intellexa, which is actually an alliance of several CSVs, isn’t the only new entrant of note. Others include the Italian group Negg; Variston based in Spain; and Cy4Gate, an Italian provider of spyware products for iOS and Android devices. In total, Google is tracking around 40 vendors currently selling spyware products to governments and intelligence agencies around the world.
"While large CSVs like NSO Group grab public attention and headlines, there are dozens of smaller CSVs, as well as other important parts of the exploitation supply chain, that play an important role in the development of spyware," Google said. "All of these actors enable the proliferation of dangerous tools and capabilities used by governments against individuals, which threatens the security of the Internet ecosystem and the trust on which a vibrant and inclusive digital society depends."