Google on commercial spyware

by Mark Rowe

Spyware is typically used to monitor and collect data from high-risk users like journalists, human rights defenders, dissidents and opposition party politicians. These capabilities have driven demand for spyware technology, creating a lucrative industry that sells governments and nefarious actors the ability to exploit vulnerabilities in consumer devices. Though the use of spyware typically only affects a small number of human targets at a time, its wider impact ripples across society by contributing to growing threats to free speech, the free press and the integrity of elections worldwide.

Google’s Threat Analysis Group (TAG) has released Buying Spying, a report into Commercial Surveillance Vendors (CSVs). TAG tracks around 40 CSVs of varying levels of sophistication and public exposure. Findings:

While prominent CSVs garner public attention and headlines, there are dozens of others that are less noticed, but play an important role in developing spyware.
The proliferation of spyware by CSVs causes real world harm. We partnered with Google’s Jigsaw unit to highlight the stories of three high-risk users who attested to the fear felt when these tools were used against them, the chilling effect on their professional relationships, and their determination to continue their important work.
If governments ever claimed to have a monopoly on the most advanced cyber capabilities, that era is over. The private sector is now responsible for a significant portion of the most sophisticated tools we detect.
CSVs pose a threat to Google users, and Google says that it’s committed to disrupting that threat and keeping users safe. CSVs are behind half of known 0-day exploits targeting Google products as well as Android ecosystem devices.

Comment

Michael Covington, VP of Strategy at Jamf, says: “Commercial spyware is not just a problem that puts national secrets at risk, it also threatens the livelihood of individuals and the business markets that society is built on. With elections in the EU and US, as well as potentially one in the UK, the need to tackle the threats posed by spyware has never been more critical.

“Previously commercial spyware was in the domain of individual threat actors; however, it has now become a sophisticated ecosystem and is more widely available to cyber criminals and nation states. The other major issue with commercial spyware is that it targets hardware and software tools which many individuals have come to rely on for daily work.

“A global effort is needed to effectively combat the growing threat of spyware. This is why it’s positive to see 35 countries, including the UK and US, launch a new international agreement to address the threat. Encouraging transparency and the safe sharing of breach details, as well as the use of sanctions and legislation, will be critical to properly addressing the threat posed by spyware. However, much of the burden for addressing the commercial spyware market is expected to fall on the security community. Security organisations will be critical to addressing the existing vulnerabilities that are being exploited, running triage programmes, and establishing best practices for the road ahead.”

© 2024 Professional Security Magazine. All rights reserved.