News, 02/07/2024, 12:00 PM
Commercial spyware manufacturers are behind 80% of the zero-day vulnerabilities that Google’s Threat Analysis Group (TAG) discovered last year being used to spy on devices worldwide.
Zero-day vulnerabilities are security flaws that are unknown to the makers of the affected software or for which no fixes are available.
Google’s TAG tracks the activities of 40 spyware vendors to detect exploit attempts, protect users of its products, and help protect the wider community. Google found that 35 of the 72 known zero-day exploits affecting its products over the past ten years could be attributed to spyware makers. This estimate includes only known zero-day exploits, but the actual number of exploits developed by commercial spyware vendors targeting Google products is almost certainly higher.
Spyware makers use zero-day vulnerabilities to spy on journalists, activists and politicians at the request of their customers, which include governments and private organizations.
The spyware manufacturers listed in Google’s report are the Italian firms Cy4Gate and RCS Lab, known for their Android and iOS spyware “Epeius” and “Hermit”; Intellexa, which combines technologies such as Cytrox’s spyware “Predator” and WiSpear tools, offering integrated solutions for espionage; the Italian firm Negg Group, known for the “Skygofree” malware and “VBiss” spyware, which targets mobile devices; and NSO Group, an Israeli firm known for the famous Pegasus spyware and other sophisticated espionage tools, which has continued to operate despite the sanctions and legal problems it has faced in recent years.
While the prominent manufacturers attract public attention and fill the pages of newspapers, there are dozens of others that are less noticed but play an important role in the development of spyware.
These companies sell licenses for their products for millions of dollars, offering users the ability to infect Android or iOS devices using undocumented one-click or no-click exploits.
Some of the exploitation chains use so-called “n-day” vulnerabilities, that is, known vulnerabilities for which fixes are available but which patch delays leave exploitable, often for extended periods of time.
Google says spyware vendors have developed at least 33 exploits for unknown vulnerabilities between 2019 and 2023.
In the Google report, a list of 74 zero-days used by 11 companies can be found. Of these, most affect Google Chrome (24) and Android (20), followed by Apple iOS (16) and Windows (6).
When researchers discover and software manufacturers fix exploited vulnerabilities, said firms suffer significant operational and financial damage, as they are unable to fulfill contracts with clients, which means they will not be paid. In that case, they incur additional costs while trying to find a functional alternative route of infection.
However, this is not enough to stop the development of spyware, as the demand for these tools is high and the contracts are too lucrative for manufacturers to pass up.
Google has called for action against the spyware industry, including greater cooperation between governments, the introduction of strict guidelines governing the use of surveillance technology and diplomatic efforts in countries where non-compliant manufacturers are located.
Google noted that it proactively counters spyware threats through solutions such as Safe Browsing, the Advanced Protection Program (APP) and Google Play Protect, as well as through transparency and sharing information about threats with the technology community.