Dozens of Commercial Spyware Vendors at Work, Google Warns

Half of Zero-Days Targeting Google Products Trace to Commercial Spyware, It Says
Dozens of Commercial Spyware Vendors at Work, Google Warns
Google says there are 40 companies selling commercial spyware that is often used to monitor activists and journalists. (Image: Shutterstock)

Greater diplomacy and faster vulnerability identification and remediation backed by more bug bounty programs are needed to combat the ongoing rise of advanced surveillance tools, says tech giant Google.

See Also: The Need for a New Integrated GRC Architecture

Commercial spyware vendors, of which Google now counts 40, appear to have deep pockets when it comes to procuring the latest zero-day vulnerability exploits, which they use to surreptitiously monitor individuals even when they're using devices that have the very latest operating system patches and security fixes.

Security researchers have long highlighted how such surveillance tools are used to target human rights activists, journalists and others deemed to pose a threat to the state, oligarchy or aligned interests, despite any assurances from spyware vendors to the contrary.

Google's Threat Analysis Group, which has been vocal in urging for a global clampdown on the commercial spyware industry, warned in a Tuesday report that a myriad of commercial surveillance vendors are putting advanced surveillance capabilities previously reserved for the world's best intelligence services into the hands of despots. Google's Threat Analysis Group battles attempts by nation-state attackers and serious cybercrime syndicates to target the company and its users.

"If governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over," the report from Google says. "In 2023, TAG discovered 25 zero-days being actively exploited in-the-wild," 20 of which had been exploited by commercial spyware vendors.

Of the at least 72 zero-day exploits from mid-2014 through 2023 used in the wild to target Google's products, including the Chrome browser and Android ecosystem, commercial spyware vendors appeared to be behind 35 of those exploits, the technology giant said.

Shining a Light Has 'Little Effect'

One problem is that despite repeat warnings about the danger posed by commercial spyware to internet users at large, as well as sanctions against some of the biggest players, the industry is thriving.

"Exposing regimes conducting these operations seems to have little effect on these companies' abilities to make money," security researchers at Cisco Talos said in a report released last year. "It may increase the costs by making them buy or create new exploit chains but these vendors appear to have seamlessly acquired new exploit chains, enabling them to remain in business by jumping from one set of exploits to another as a means of initial access."

While shining a light on such operations "creates awareness and has gained the attention of governments and regulating bodies," many users of such software will be running their operations in silos, they said. As a result, even if one spyware vendor's customer's activities get burned, that may not have any effect on the firm's other customers.

US Spearheads Sanctions

The U.S. government has cracked down on some commercial spyware vendors, citing risk to U.S. national security and foreign policy. President Joe Biden last March signed an executive order prohibiting the use of commercial spyware tools that have been employed to surveil human rights activists, journalists and dissidents around the world. Blacklisted firms include Israel's NSO Group, which makes Pegasus spyware. Last July, the Biden administration expanded the blacklist to include Israel's Candiru, as well as Greece-based Intellexa, maker of Predator - aka Alien - spyware and the accompanying Nova data-gathering platform.

The U.S. State Department on Monday announced a new policy the White House can use to deny visas to anyone who misuses or profits from "the misuse of commercial spyware" - and to their family members as well.

Apple and Meta have filed lawsuits against NSO Group, accusing it of harming their users.

In March 2023, the governments of Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the United Kingdom and the U.S. signed a joint statement pledging to combat the proliferation and misuse of commercial spyware. Any domestic use of such products must abide by human rights "guardrails," the countries said. They also pledged to stop the export of such commercial spyware to countries that might abuse it.

On Tuesday, the U.K. and French governments are due to host a conference in England to "discuss joint action to address the commercial market for cyber intrusion tools and services," as The Record first reported. The U.K. Cabinet Office said over 35 nations are scheduled to participate, together with representatives from Apple, BAE Systems, Google and Microsoft, alongside unnamed vendors of "cyber intrusion tools and services." The office said that one goal of the conference is to get attendees to sign a joint action plan called the "Pall Mall Process."

Google TAG lauded the commitments and efforts as "promising developments" but said "concrete action so far has been limited." The company called on the U.S. government to help increase the pressure on the industry through more focused diplomacy. Many members of the European Union, notably, appear hesitant to demand safeguards for commercial spyware (see: European Commission Failing to Tackle Spyware, Lawmakers Say).

"As long as there is a demand from governments to buy commercial surveillance technology, CSVs will continue to develop and sell spyware," Google's report says. "We believe it is time for government, industry and civil society to come together to change the incentive structure which has allowed these technologies to spread so widely."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.