Companies developing spyware and offering spying services to government agencies and threat actors around the world are growing in number, and to make matters worse, for all of them – business is good.
This is according to a new report from Google, which highlights the growing concern of commercially developed spyware.
Now, according to Google’s latest Buying Spying report, it tracks around 40 Commercial Surveillance Vendors (CSV). Some are more popular than others, but all play an important role in developing spyware, it said. One of their bigger roles is discovering zero-day vulnerabilities. In fact, Google claims CSVs are behind half of known zero-day exploits targeting Google products and the Android ecosystem.
Commercial spyware companies have hit the headlines in recent weeks due largely to the exploits of NSO Group. This Israeli-based start-up developed a tool called Pegasus, and claimed it was designed to help governments around the world defend against terrorist attacks and similar threats. Instead, Pegasus was found used on government officials in the UK and the EU, and many cybersecurity researchers and privacy advocates were warning of Pegasus being used against government opponents, journalists, intellectuals, or dissidents. This prompted the US, for example, to blacklist NSO Group.
Furthermore, the demand for “turnkey espionage solutions” is on the rise. CSVs offer pay-to-play bundles that not only abuse zero-days to work around cybersecurity solutions and Antivirus programs, but also spyware, and the infrastructure necessary to harvest and exfiltrate sensitive information from the targets.
Among CSVs are those working on discovering vulnerabilities, those working on selling exploits, those building spyware solutions, and finally – government customers who purchase these bundles and propel this industry forward.
“CSVs have proliferated hacking and spyware capabilities that weaken the safety of the internet for all. This is why we discover and patch vulnerabilities used by CSVs, share intelligence strategies and fixes with industry peers and publicly release information about the operations we disrupt,” Google’s researchers concluded.