Google: Govs Drive Sharp Growth of Commercial Spyware Cos

Private spyware vendors were behind nearly half of all zero-day exploits in Google products since 2014.

5 Min Read
Eye looking thorough a keyhole. spyware, surveillance software concept.
Source: metamorworks via Shutterstock

Governments around the world, seeking to spy on rights activists, dissidents and others of interest to them, have driven a sharp proliferation in commercial spyware vendors (CSV) in recent years, with more and more cyber-weapons brokers wading into the market.

What once used to be the domain of Israel-based NSO Group—the purveyor of the infamous Pegasus spyware program — and a handful of others, is now crowded with dozens of small CSVs with varying levels of sophistication and capabilities, according to Google's "Buying Spying" report released today. Their operations, though often targeted at only a relatively small number of individuals, have significantly broader repercussions, Google warned in a comprehensive new report on the troubling trend.

"We have not seen evidence of CSV customers using spyware to attempt to hack the enterprise as a whole," a researcher from Google Threat Analysis Group (TAG) tells Dark Reading.

CSVs Account for Nearly Half of All Google 0-Day Exploits

One of the biggest manifestations of the Internet-wide threat these vendors present is their role in finding and exploiting zero-day vulnerabilities in widely used products from Google, Apple, and numerous other major technology providers.

Google identified CSVs as being behind nearly half of the known zero-day exploits — 35 out of 72 — in its technologies between mid-2014 and the end of 2023. CSVs also accounted for a stunning 20 out of the 25 total zero-day vulnerabilities that researchers from the Google TAG observed attackers exploiting in the wild last year. And even those numbers are almost certainly on the lower side, Google said.

The rising alarm over the trend pushed the Biden Administration into issuing an Executive Order in March 2023 that is designed to counter and prevent the proliferation of commercial spyware products that pose a risk to activists, dissidents, journalists, and others. And in addition to Google's report, several other firms such as Apple, Toronto University's Citizen Labs, Cisco, the European Parliament, and the Carnegie Endowment have highlighted the rampant growth of CSV operations globally.

A Spyware Explosion

Much of the concern has to do with the explosion in the availability of tools and services that allow governments and law enforcement to break into target devices with impunity, harvest information from them, and spy unchecked on victims. The vendors selling these tools — most of which are designed for mobile devices — have often openly pitched their wares as legitimate tools that aid in law enforcement and counter-terrorism efforts.

But the reality is that repressive governments have routinely used spyware tools against journalists, activists, dissidents, and opposition party politicians, said Google.

The company's report cites three instances of such misuse: one that targeted a human rights defender working with a Mexico-based rights organization; another against an exiled Russian journalist; and the third against the co-founder and director of a Salvadorian investigative news outlet.

The Price Tag for End-to-End Surveillance

The researcher attributes much of the recent growth in the CSV market to strong demand from governments around the world to outsource their need for spyware tools rather than have an advanced persistent threat build them in-house.

"Governments no longer have to rely on building their own capabilities, but can purchase a contract for guaranteed exploits, and a full service tool from delivery to installation to analysis of the collected data," the Google TAG researcher says.

Google's report pointed to Greece-based Intellexa, a vendor that the company and Amnesty International recently warned about, as an example of the end-to-end surveillance capabilities that CSVs can offer today for government customers — and the price tag for those services. "For €8 million the customer receives the capability to use a remote one-click exploit chain to install spyware implants on Android and iOS devices, with the ability to run 10 concurrent spyware implants at any one time," Google said.

The baseline price gives government and/or law enforcement users the ability to install and manage Intellexa's Nova system—which includes its Predator spyware implant and a data analysis system—on devices within the purchasing customers country and using the country's SIM cards. It also includes a one year maintenance guarantee, meaning that if a zero-day exploit the vendor might have used in the chain gets patched, the customer will get a new exploit, Google said.

Customers willing to pay an additional €1.2 million (about $1.3 million) get the ability to infect Android and iOS devices in five additional countries and for another €3 million ($3.2 million) they get guaranteed persistence on target devices.

"If [state-sponsored actors] ever had a monopoly on the most sophisticated capabilities, that era is certainly over," Google said in its report. "The private sector is now responsible for a significant portion of the most sophisticated tools we detect."

The Exploitation Supply Chain Grows

Intellexa, which is actually an alliance of several CSVs, is not the only new entrant of note. Others include Negg Group of Italy; Spain-based Variston; and Cy4Gate, an Italian provider of spyware products for iOS and Android devices. In total, Google is tracking some 40 vendors that currently sell spyware products to governments and intelligence agencies worldwide.

"While prominent CSVs like NSO Group garner public attention and headlines, there are dozens of smaller CSVs, as well as other important parts of the exploitation supply chain, which play an important role in the development of spyware," Google said. "All these players enable the proliferation of dangerous tools and capabilities used by governments against individuals, which threatens the safety of the Internet ecosystem and the trust on which a vibrant and inclusive digital society depends."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights