Google’s Threat Analysis Group recently published a study on the activities of commercial surveillance vendors (CSVs) that offer spyware and surveillance services to governments. At present, Google is tracking over 40 CSVs, many of which have the technical expertise to develop spyware and zero-day exploits targeting Android and iOS devices. The report delves into the targeting methods of CSVs, their use of spyware, the negative impact on individuals and society, and strategies for businesses to combat these cybersecurity threats.
CSVs provide governments with comprehensive surveillance services, including tools to communicate with the spyware implanted on targeted devices. The spyware grants access to the devices, allowing for monitoring and data theft. These companies are known to operate openly with websites, sales teams, and marketing content, attending conferences and interacting with the media. The exact number of CSVs worldwide is difficult to determine, as they often change names to avoid scrutiny. For example, the NSO Group, one of the most prominent CSVs, has continued operating despite being sanctioned by the U.S. and facing legal action from major tech companies.
Unlike traditional cyberespionage operations that target entire networks, CSVs focus on individuals, such as dissidents, journalists, human rights defenders, and opposition politicians. Through the use of spyware, CSVs collect sensitive data such as messages, emails, locations, phone calls, and audio-video recordings. They commonly exploit software vulnerabilities to access and infect devices, utilizing both 1-click and zero-click exploits for this purpose.
To obtain these exploits, CSVs rely on vulnerability researchers and exploit developers who sell their findings to these companies. Google’s study reveals that CSVs are responsible for approximately 50% of zero-day exploits targeting Google products. The prices for CSV services can reach into the millions of dollars, reflecting the lucrative nature of their industry.
The use of spyware developed by CSVs can have severe consequences for individuals and society as a whole. Examples documented in the report include targeted individuals experiencing surveillance and manipulation, as well as fear for their safety and the integrity of free and fair elections. Vulnerability researchers play a crucial role in combating CSVs by reporting their findings to software vendors to patch vulnerabilities.
Businesses can mitigate the threat of spyware by implementing mobile security solutions and training employees to recognize and prevent compromise attempts on their mobile devices. By taking these measures, companies can reduce their vulnerability to CSVs and protect sensitive information from being compromised.
