Pierluigi Paganini February 06, 2024

Google’s TAG revealed that Commercial spyware vendors (CSV) were behind most of the zero-day vulnerabilities discovered in 2023.

The latest report published by Google Threat Analysis Group (TAG), titled “Buying Spying, an in-depth report with our insights into Commercial Surveillance Vendors (CSVs)”, warns of the rise of commercial spyware vendors and the risks to free speech, the free press, and the open internet.

Surveillance software is used to spy on high-risk users, including journalists, human rights defenders, dissidents and opposition party politicians.

The surveillance industry is experiencing exponential growth, fueled by the sustained demand from rogue governments, intelligence agencies, and malicious actors for sophisticated malware and surveillance tools.

Google’s TAG tracked the activity of around 40 CSVs focusing on the types of software they develop.

Google researchers pointed out that governments have lost the monopoly on the most sophisticated capabilities, and many private organizations play a significant role in developing some of the most advanced tools. In 2023, TAG identified 250 days actively exploited in the wild, 20 of which were exploited by Commercial Surveillance Vendors (CSVs). Google also reported that CSVs are responsible for half of the known 0-day exploits targeting Google products and Android devices.

Out of the 72 known in-the-wild 0-day exploits targeting Google products since mid-2014, 35 of them were used by CSVs. The experts highlighted that this is a conservative estimate because many 0-day exploits are still unknown.

“If governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over. The private sector is now responsible for a significant portion of the most sophisticated tools we detect. In 2023, TAG discovered 250 days being actively exploited in the wild, 20 of which were exploited by CSVs.” reads the report published by Google. “Finally, CSVs pose a threat to Google users, and Google is committed to disrupting that threat and keeping our users safe. CSVs are behind half of known 0-day exploits targeting Google products, as well as Android ecosystem devices. Of the 72 known in-the-wild 0-day exploits affecting Google products since mid-2014, TAG attributes 35 of these 0-days to CSVs. This is a lower bounds estimate, as it reflects only known 0-day exploits where we have high confidence in attribution. The actual number of 0-days developed by CSVs is almost certainly higher, including 0-days targeting Google products.”

The report includes the names of CSVs of any size and information about their commercial spyware.

Google hopes this report will serve as a call to action. CSVs will continue to invest in the research of powerful exploits that can allow attackers to take complete control over devices.

The overall earnings generated from the sale of this surveillance software are millionaires. TAG experts also state that CSVs customers receive a full suite for their operations, including the initial delivery mechanism, necessary exploits, command and control infrastructure, and tools for managing data stolen from compromised devices.

“We believe it is time for government, industry, and civil society to come together to change the incentive structure that has allowed these technologies to spread so widely.” concludes Google.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google)