
Spyware behind nearly 50% of zero-days targeting Google products


Google on Tuesday reported that commercial surveillance vendors (CSVs) are behind nearly 50% of the known zero-day exploits targeting Google products.

The news brought to light the increased prevalence of CSVs and the potential threat of spyware being used against not just famous journalists, politicians and academics, but ordinary citizens and businesspeople.   

Google’s 50-page report found that from mid-2014 through 2023, security researchers discovered 72 in-the-wild zero-day exploits affecting Google products, with the Google Threat Analysis Group (TAG) attributing 35 of those zero-days to CSVs.

“The commercial surveillance industry has emerged to fill a lucrative market niche: selling cutting edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications to surreptitiously install spyware on individuals’ devices,” wrote the Google researchers. “By doing so, commercial surveillance vendors (CSVs) are enabling the proliferation of dangerous hacking tools.”

Morgan Wright, chief security advisor at SentinelOne, said Google’s new information means that anyone, anywhere, any place, is at risk.

The proliferation of mobile computing, along with continuous discoveries of zero-day exploits, means spyware will become a booming market that will continue to grow because there’s demand for these capabilities, Wright said. What’s of most concern, Wright continued, is that the spyware capabilities that were once the exclusive province of nation-state intelligence organizations are available off-the-shelf to anyone with a big enough bank account.

“The number of threat actors will grow exponentially, making it a very challenging exercise to identify and defend against these threats,” said Wright. “For the security community, this means there is no rest. Ever. The vectors of attack will change minute-by-minute and hour-by-hour. Once a threat pops up and is identified and dealt with, many more will develop to take its place. This will force certain decisions about open versus closed platforms. To have more freedom and security, it may require tighter controls.”

Marina Liang, threat intelligence engineer at Interpres, said spyware has proved extremely lucrative in cyber espionage and surveillance of targeted demographics, so it’s not going away any time soon. Liang said it has played a crucial role in the cybernetic front with large surveillance campaigns targeting dissidents, journalists, and minority groups. Unfortunately, Liang pointed out that securing mobile devices is difficult to enforce in practice, short of preventing individuals from traveling to any country known to leverage spyware, or preventing use of a mobile phone when traveling abroad.

“Both options are not feasible, if not impossible, to implement,” said Liang. “We saw with China's campaigns targeting the Uyghurs and Muslims via installing spyware apps on unsuspecting tourists' Android phones, sensitive information like emails, contacts, and texts were leveraged to track locations or flag for Muslim keywords. It’s important to note in this campaign, targeting Muslims in China and neighboring countries, that the individuals targeted may be the intermediary target, so there’s a large surface area for spyware use.”

Michael Covington, vice president, portfolio strategy at Jamf, added that the recent analysis of commercial spyware shows that it’s no longer the domain of individual threat actors, but instead has become a sophisticated ecosystem of various parties with a shared objective of quietly breaking the hardware and software tools that so many individuals have come to rely on for daily work.

Covington said that to effectively combat this growing and already significant threat, the U.S. government will have to operate a broad-based effort to build a community focused on stopping these tools.

“Incentivizing transparency, encouraging the safe sharing of breach details, and taking steps through sanctions and legislation are all necessary components of building an effective campaign against these threat actors,” said Covington. “Much of the burden for addressing the commercial spyware market is expected to fall on the security community, as these organizations will be critical to addressing the existing vulnerabilities that are being exploited, to run triage programs, and to establish best practices for the road ahead.”
