The fight against commercial spyware misuse is heating up

Though there are organizations out there investigating how commercial spyware is misused to target journalists, human rights defenders and dissidents, the growing market related to the development and sale of this type of software and the exploits used to deploy it is still very much shrouded in mystery.

“While prominent [commercial spyware vendors] garner public attention and headlines, there are dozens of others that are less noticed, but play an important role in developing spyware,” says Shane Huntley, senior director at Google Threat Analysis Group (TAG).

In a report published on Tuesday, Google TAG named eleven commercial spyware vendors and their products – some of them more and some less known. (We’ve all heard about NSO Group and Intellexa, but have your hear about PARS Defense and Wintego Systems?)

Many CVSs operate openly, though they share sensitive details only with their (prospective) customers.

“The number of CSVs around the globe is impossible to count, with new companies opening each year and existing ones reincorporating under new names. TAG currently tracks approximately 40 CSVs developing and selling exploits and spyware to government customers,” the group said.

Apart from commercial surveillance vendors and private sector offensive actors, other actors on the spyware market include vulnerability researchers and exploit developers, government customers (who buy and use the spyware), and brokers that act as intermediaries between these groups.

Spyware vendors leveraging 0-days in Google offerings

Google’s interest in disrupting the market is unsurprising, as commercial spyware often targets users of Google-made devices and software by exploiting previously unknown vulnerabilities.

“CSVs are behind half of known 0-day exploits targeting Google products as well as Android ecosystem devices. Of the 72 known in-the-wild 0-day exploits affecting Google products since mid-2014, TAG attributes 35 of these 0-days to CSVs,” Google’s analysts say.

“This is a lower bounds estimate, as it reflects only known 0-day exploits where we have high confidence in attribution. The actual number of 0-days developed by CVs is almost certainly higher, including 0-days targeting Google products.”

But while Google TAG and other security researchers work constantly to discover these avenues of attack, and companies work to plug the security holes, there’s seemingly no end to the onslaught.

“As long as there is a demand for surveillance capabilities, there will be incentives for CSVs to continue developing and selling tools, perpetrating an industry that harms high risk users and society at large,” Google TAG says.

“Providing guaranteed access to certain targeted devices shifts the burden of the cost and reputational risk of the exposure of these tools from the government customer to the CSV. This shifting of cost may increase the likelihood the tools will be used. As government entities buy off-the-shelf capabilities from the CSV industry, the use of spyware becomes increasingly normalized.”

A global effort to fight against misuse of commercial spyware

Google TAG’s report is part of an effort to raise awareness about this market and to push governments around the world to implement policies that would curb the commercial spyware industry and limit its harms.

In related news, on Monday, US Secretary of State Antony Blinken announced that the State Department is implementing a new policy that will allow the imposition of visa restrictions on:

• Individuals involved in the misuse of commercial spyware to surveil, harass, or intimidate “journalists, activists, other persons perceived to be dissidents for their work, members of marginalized communities or vulnerable populations, or the family members of these targeted individuals”
• Individuals believed to facilitate or derive financial benefit from such misuse of commercial spyware (e.g., commercial spyware vendors, and brokers)

This latest action by the State Department comes almost a year after the Biden Administration issued an executive order prohibiting the use of commercial spyware by the US Government, as well endorsed a set of principles for guiding government use of surveillance technology, which were agreed upon and endorsed by 48 governments across the globe.

The fight against commercial spyware misuse seems to be heating up but, as Google’s threat analysts pointed out, it will take a concentrated and sustained effort from governments, industry and civil society “to change the incentive structure which has allowed these technologies to spread”.