
Commercial spyware vendors appear to be the largest developers of zero-day vulnerabilities. Through these vulnerabilities, spyware such as Pegasus and Predator can be installed on devices worldwide. This was stated in a report by Google, in which the tech company also calls for greater action against the practices of the spyware industry. Governments should ban those practices, but that is hard because they themselves are buyers of the spyware.

Last year, the Threat Analysis Group (TAG) at Google closely monitored the activities of 40 commercial spyware vendors (CSVs). Based on the study, TAG determined that these vendors were responsible for 80 percent of the zero-day vulnerabilities found by TAG in 2023. That means these vendors sought out and exploited those vulnerabilities. The exploitation was aimed at spying on devices around the world.

Pegasus and Predator

In the report, TAG mentions several of these CSVs by name. They are said to include Cy4Gate, RCS Lab, Negg Group and Variston. Intellexa is also named as the developer of the Predator spyware. This spyware came into the spotlight late last year following an Amnesty International investigation. Predator was allegedly purchased by at least 25 countries and deployed to spy on U.S. and EU politicians.

Another vendor, perhaps even better known, is NSO Group. This company made plenty of headlines after the discovery of Pegasus spyware. This software came to light after Apple contacted top European officials about the possibility of spyware on their Apple devices.

Only a fraction of the reality

Commercial spyware vendors appear to have increasingly focused on zero-day vulnerabilities over the years. Over ten years, Google can attribute 35 of the 72 zero-day vulnerabilities found and exploited to these vendors.

So over a ten-year period, the percentage does not even reach 50 percent. Last year, however, it had already reached 80 percent. It seems like these commercial vendors have, mainly in recent years, scaled up their activities to find and exploit zero-day vulnerabilities.

Still, there is another possible conclusion. TAG's study is based only on the zero-day vulnerabilities that were found. Researchers may simply have found more such vulnerabilities in recent years.

TAG points to another problem with this note: “This is an estimate that underestimates the situation because it reflects only known zero-day exploits. The true number of zero-day exploits developed by CSVs targeting Google products is almost certainly higher when taking into account exploits used by CSVs that have not been detected by researchers, exploits whose attribution is unknown and cases where a vulnerability was patched before researchers discovered evidence of exploitation in the wild.”

Commercially too attractive

Developing and selling spyware that exploits zero-days in Android and iOS is a revenue model that is far too attractive, according to Google. Vendors could sell licenses for the spyware for millions of dollars. Discovery by TAG or other researchers ensures that a patch for the problem can be developed. However, Google said that this does not put the brakes on CSVs. Vendors simply find a new way into the devices and a way around the patch. That entails new costs each time, but that amount would be nothing compared to the millions they make from license sales.

Researchers know that discovering and fixing vulnerabilities alone is not enough. Therefore, they call for more action against the spyware industry. It is suggested that governments work more closely together to establish strict guidelines for the use of spyware.

Governments buy

A solution from the EU was already set up after the Pegasus story. To this end, laws on spyware were drafted requiring governments to approve the sale of spyware. However, Predator’s discovery shows that several countries are not properly enforcing these rules. With that, the call by Google’s TAG is certainly justified.

Whether action will be taken soon, however, remains to be seen. The report further reveals that governments are also big consumers of these spyware licenses. That will first have to change, or clear exception rules will be needed for the situations in which spyware is allowed. Only then can governments make serious rules to curb spyware. “As long as there is demand from governments to buy commercial surveillance technology, CSVs will continue to develop and sell spyware.”
