Google: Half of all zero-days used against our products are developed by spyware vendors
Google said Tuesday that it is tracking at least 40 companies involved in the creation of spyware and other hacking tools that are sold to governments and deployed against “high risk” users, including journalists, human rights defenders and dissidents.
The vendors — which have developed dozens of tools and tricks to break into phones, laptops, and other devices — have become a major thorn in the side of tech giants like Google and Apple.
In a report published by Google on Tuesday, the company called on the U.S. and other governments to take more forceful action against spyware vendors — many of which have not yet drawn headlines or outrage on a global scale.
The report came one day after U.S. Secretary of State Antony Blinken announced new visa restrictions for people “involved in the misuse of commercial spyware.” It also came as the U.K. and France held a diplomatic conference in London to launch a new international pledge addressing the proliferation of spyware tools.
A Google spokesperson told Recorded Future News that their report and the announcements are not connected, but said the action was part of what they hoped would be several steps legislators would take to address the spyware issue.
“Until recently, a lack of accountability has enabled the spyware industry to proliferate dangerous surveillance tools around the world,” they said. “Limiting spyware vendors' ability to operate in the U.S. helps to change the incentive structure which has allowed their continued growth.”
Google’s experience battling spyware vendors goes back to 2017, when it discovered NSO Group’s Chrysaor malware targeting Android phones. Since then, the company has exposed the activities of several vendors including Variston, RCS Lab and Candiru.
Owning zero days
Much of Google’s report outlines previous disclosures on several major spyware companies like NSO Group, Candiru, Cy4Gate, DSIRF, Intellexa, Negg, PARSDefense, QuaDream, RCS Lab, Variston, WintegoSystems and others.
Google noted that these companies have now surpassed governments in developing sophisticated hacking capabilities. In recent years the U.S. has sanctioned Israeli spyware maker NSO Group, as well as Candiru, Cytrox and Intellexa.
While spyware companies typically defend their work by pointing to its use in law enforcement and counterterrorism, Google said its extensive research into these companies’ efforts to hack Google products shows the tools are often turned against the most vulnerable in society.
“While the number of users targeted by spyware is small compared to other types of cyber threat activity, the follow-on effects are much broader. This type of focused targeting threatens freedom of speech, a free press, and the integrity of elections worldwide,” Google said.
“As threat actors, [commercial surveillance vendors] pose a threat to Google users, as half of known 0-day exploits used against Google products, as well as Android ecosystem devices, can be attributed to [commercial surveillance vendors].”
The 40 vendors Google tracks vary in their level of public exposure and sophistication. The companies are often not just selling applications or tools to hack into devices; they typically also offer access to exclusive vulnerabilities in products that enable the use of spyware technology.
Companies are developing relationships with governments and offering an array of zero-day exploits (which use vulnerabilities that defenders do not yet know exist), as well as exploits for known vulnerabilities and exploits that require only one click, or no click at all, from the victim.
In 2023, Google’s Threat Analysis Group (TAG) discovered 25 zero-days being actively exploited in the wild, 20 of which were exploited by commercial surveillance vendors.
“CSVs operate with deep technical expertise to offer ‘pay-to-play’ tools that bundle an exploit chain designed to get past the defenses of a selected device, the spyware, and the necessary infrastructure, all to collect the desired data from an individual’s device,” the researchers said.
“Government customers who purchase the tools want to collect various types of data on their highest value targets, including passwords, SMS messages, emails, location, phone calls, and even record audio and video. In order to collect this data, CSVs often develop spyware to target mobile devices.”
The report cites research from The New York Times and Amnesty International that the spyware company Intellexa offered customers the ability to install spyware implants on 10 Android or iOS devices for €8 million. The price increases depending on whether the devices are within the government’s borders or in other countries. The company guaranteed maintenance of the spyware infection for one year, and committed to deploying new zero-day exploits if others are patched.
Employees would come to a government’s facilities to run the spyware operation and could offer to exfiltrate any kind of data on a device.
The problem — according to Google — is that there is now a voracious demand from governments to buy this kind of technology, meaning more vendors are likely to pop up or change their names when press scrutiny becomes too great.
Google said it is trapped in a game of whack-a-mole, in which it makes life difficult for spyware vendors by discovering and disclosing new vulnerabilities, forcing the companies to spend time developing new exploit chains.
Google lauded the U.S. government for issuing sanctions, urging other countries to expand these restrictions as well.
But Google added that the U.S. should also “consider ways to foster greater transparency, including setting heightened transparency requirements for the domestic surveillance industry, and setting an example to other governments by reviewing and disclosing its own historical use of these tools.”
The U.S. should also limit spyware vendors’ ability to operate in the U.S. and receive U.S. investment, Google said.
“We urge the U.S. government to lead a diplomatic effort to work with the governments of the countries who harbor problematic vendors, as well as those who employ these tools, to build support for measures that limit harms caused by this industry.”
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.