Google has sounded the alarm on the escalating danger posed by spyware vendors to its users, cautioning that these companies are major players in exploiting zero-day vulnerabilities.
The Threat Analysis Group (TAG) at Google released a new report on Tuesday called “Buying Spying: Insights into Commercial Surveillance Vendors,” shedding light on the persistent and ongoing abuse of spyware by commercial surveillance vendors (CSVs). The report highlighted how these vendors have the ability to develop exploit chains that use both zero-day and known vulnerabilities.
According to the TAG report, half of the known zero-day exploits targeted at Google’s products were attributed to CSVs. This finding serves as a troubling reminder of the extent to which these vendors are actively exploiting vulnerabilities for malicious purposes.
Shane Huntley, senior director of TAG, emphasized the dangerous nature of CSVs, stating that they offer “pay-to-play tools” that combine surveillance software with exploit chains designed to bypass security measures on targeted devices. Huntley warned about the rise of “turnkey espionage solutions” offered by CSVs and the negative impact it has on individuals and society at large.
The report also detailed how spyware has been used to harm journalists, human rights activists, and government opponents, whom TAG refers to as “high-risk users.” In addition to targeting individuals, CSVs have been increasingly exploiting zero-day vulnerabilities against Android, iOS, and Chrome. This growing problem has prompted the need for intervention by government and industry stakeholders to combat the spyware threat.
While efforts by global governments over the past couple of years have been effective to some extent, TAG emphasized that more sustained action is necessary to address the spyware threat. This sentiment was echoed by Citizen Lab senior researcher Bill Marczak, who highlighted the urgent need for additional government and industry action to disrupt the abuse of commercial spyware.
In addition to the threats posed by spyware vendors, the TAG report also underscored the broader spyware market, which includes vulnerability researchers, exploit developers, and brokers who weaponize these flaws, as well as government customers who purchase the finished spyware products.
The report demonstrated how CSVs have evolved rapidly, often changing names and emerging as new companies each year, making it challenging to track the full scope of their activities. TAG currently tracks around 40 CSVs globally that develop and sell exploits and spyware to government customers, including high-profile vendors such as NSO Group, Cy4Gate, and Intellexa, which have been linked to the exploitation of multiple zero-day vulnerabilities.
CSVs not only sell spyware, but they also offer technical expertise, develop exploit chains to deliver malware, and help maintain persistence on targeted devices. This comprehensive infrastructure has enabled them to adapt quickly to opposition and continue their operations.
Despite the challenges posed by CSVs, efforts are being made to combat their activities. TAG noted that when new vulnerabilities are discovered by security researchers, it creates friction for CSVs and costs them development cycles, thus impeding their ability to create new exploit chains.
Furthermore, the report highlighted the sophisticated capabilities of spyware vendors, particularly their focus on targeting mobile devices. Customers can spy on multiple devices simultaneously for a high price, demonstrating the potential impact of spyware on individual privacy and security.
In light of the persistent threat posed by CSVs, TAG emphasized the need for sustained government regulation and policies to combat spyware abuse. However, recent sanctions imposed on vendors like NSO Group have had limited impact, demonstrating the challenges associated with shutting down these operations entirely.
While the fight against CSVs continues, recognizing the need for greater transparency and accountability in the surveillance industry is critical. Transparency and oversight are essential in addressing the harmful impact of spyware abuse on individuals and society at large.
In conclusion, the escalating threat of spyware vendors and their exploitation of zero-day vulnerabilities poses a significant challenge for individuals, governments, and industry stakeholders. The need for sustained action, transparency, and accountability is paramount in addressing this pressing security issue.
Arielle Waldman, a Boston-based reporter covering enterprise security news, contributed to this report.