A new publication from Google’s Threat Analysis Group focuses on commercial surveillance vendors, whose services are bought by governments for monitoring or spying purposes. Google is currently tracking more than 40 CSVs, most of which are highly technical with the ability to develop spyware and zero-day exploits to compromise their targets, particularly on Android and iOS devices.

Read details about what CSVs target, how spyware is used, CSVs’ harmful impact on individuals and society and how businesses can mitigate these cybersecurity threats.

What are commercial surveillance vendors, and what do they target?

Commercial surveillance vendors are companies that sell full surveillance services to governmental customers; these services include spyware, infrastructure needed to communicate with the spyware sitting on compromised devices. The spyware provides backdoor access to the devices and allows monitoring and data theft.

According to Google’s Threat Analysis Group, CSVs operate openly; that is, they have websites, marketing content, sales and engineering teams, press relations and sometimes even attend conferences. Google estimates the number of CSVs worldwide is impossible to count; also, CSVs may change their names multiple times to avoid public scrutiny, often in response to exposure or direct legal actions against them.

NSO Group, one of the biggest CSVs and reported since 2015 for its operations, is still visible and active. This is the case despite the company being added to the U.S. Entity List for malicious cyber activities and legal actions have been engaged by tech companies, including Facebook and Apple.

What do CSVs target?

CSV targeting is different from traditional cyberespionage operations (i.e., advanced persistent threats) in the sense that commercial surveillance vendors target individuals, not entire networks. This makes the service very valuable for someone who wants to monitor or spy on the activities of individuals, who are generally dissidents, journalists, human-rights defenders or opposition party politicians. Google wrote about such targeting previously; for example, in 2022,  five zero-day vulnerabilities affecting Android users were used by at least eight governments and used against political candidates.

SEE: Top 8 Advanced Threat Protection Tools and Software for 2024 (TechRepublic)

Spyware is the primary method most CSVs use

Spyware is malicious software installed on devices. Unnoticed by the device owner, spyware collects users’ data, sending it back to the controller (i.e., the CSV’s customer). CSVs often develop mobile devices spyware because their customers primarily want to collect SMS, messages, emails, locations, phone calls or even audio/video recordings.

To achieve the initial compromise of a device, which might be a computer or a smartphone, spyware commonly exploits software vulnerabilities. This initial phase might need user interaction, such as when the spyware uses a 1-click exploit, which requires at least one user interaction, such as clicking on a link or opening a file. Yet even more valuable are zero-click exploits, which do not require any user interaction and can be silently used to drop spyware on the target’s device.

In addition, several CSVs show very deep technical expertise and have the capability to use zero-day vulnerabilities to infect devices. If the zero-day is discovered and patched by a vendor, the CSV provides a new one to its customer.

SEE: ​​ESET Threat Report: Android SpinOk SDK Spyware’s Prevalence and More (TechRepublic)

Since spyware developed by CSVs mostly target mobile phones, they mostly use vulnerabilities on either Android or iOS operating systems or software running on it.

The spyware industry’s four primary categories

  • Commercial surveillance vendors, also known as private sector offensive actors, develop and sell the spyware and its infrastructure, including the initial compromise service, the provision of working exploits and data collection tools.
  • Government customers reach the CSVs to get the service needed to achieve their surveillance goals. Those customers select their targets, craft the campaign that delivers the malware, then monitors and collects data.
  • Individual vulnerability researchers and exploit developers are the main sources for CSVs to get working exploits, particularly zero-day exploits. Some of these individuals monetize their skills legally by working as defenders and helping improve software security, while some others sell the vulnerabilities and/or the related exploits directly to CSVs or exploit brokers. Some CSVs have the internal capability of doing vulnerability research and developing related exploits.
  • Exploit brokers and suppliers are individuals or companies specialized in selling exploits. Even though some CSVs are able to develop exploits internally, they often supplement them by purchasing more exploits from third parties. Google’s researchers note that brokers can act as intermediaries between sellers, buyers, CSVs and government customers at every step of the process.

Google products are heavily targeted by CSVs

According to Google, CSVs are behind half of the known zero-day exploits targeting Google products such as Chrome and the Android ecosystem, which is not surprising, as CSVs mostly run spyware targeting either Android or iOS mobile phones.

From mid-2014 through 2023, 72 zero days used in the wild have been discovered by the security researchers; thirty five of these 72 exploits have been attributed to CSVs, yet it is a lower bounds estimate, as there are probably exploits not yet discovered and exploits where attribution stays unknown.

Google’s Threat Analysis Group has observed an acceleration in the discovery of zero-day exploits, including those attributed to CSVs. From 2019 to 2023, 53 zero-day exploits were discovered, and 33 of them were attributed to CSVs.

CSVs can cost several million USD

The price tags for CSVs’ services can be in the millions. For instance, in 2022, Amnesty International exposed a leaked commercial proposal from CSV Intellexa originating from the XSS.is cybercrime forum. The proposal provided the full CSV service for a year, with Android and iOS support, 10 simultaneous infected devices and more, for $8 million EUR (Figure A).

Leaked 2022 commercial offer from a CSV.
Figure A: Leaked 2022 commercial offer from a CSV. Image: XSS.is

Additional CSV services can be bought. In the case of the Predator spyware, for example, adding persistence costs €3 million EUR more than the main offer. Persistence enables the customer to have the spyware stay on the phone even if it is shut down and restarted.

Reported and potential harm caused by CSVs

Traditional cyberespionage operations generally steal data from networks or computers, but less often from mobile phones, in opposition to spyware.

Here are two examples from the Google report of harm caused by CSVs:

Maria Luisa Aguilar Rodriguez, an international advocacy officer, and Santiago Aguirre, director of the Mexico city based human rights organization Centro PRODH, remember that falling for such an attack was “terrifying,” as both had been targeted by a CSV customer. Aguirre heard his own voice in the local news on the radio, as if he were in league with the local cartels. All the audio had been stolen from his mobile phone and heavily edited from different calls.

Galina Timchenko, co-founder and chief executive officer of the exiled Russian media outlet Meduza, was targeted by a CSV around February 2023. She wrote that “for weeks they had full access to my correspondence, so they could see my close circle. I was afraid for them. I was afraid for my friends, my colleagues and Meduza’s partners.” Then she realized several of the reporters who have been hacked with the Pegasus spyware have been killed, adding fear for her own safety in addition to her friends and contacts.

In addition, the use of spyware might also affect society at large. When targeting political candidates, “it threatens a society’s ability to hold free and fair elections,” wrote Google’s Threat Analysis Group.

How vulnerability researchers protect against CSVs

Actors in the vulnerability research field help protect against CSVs by reporting vulnerabilities to software vendors so that zero-day vulnerabilities get patched, yet the time of reaction from the initial report to the release of the patch might take weeks or months. Every time a zero-day vulnerability is patched, it not only protects users and companies, but it also prevents CSVs from meeting their agreements with customers and prevents them from being paid, in addition to increasing their operations’ costs.

How businesses can mitigate this spyware threat

Here are the steps companies should take to reduce the risk of this security threat:

  • Implement mobile security solutions on all employees’ mobile devices.
  • Train employees to detect compromise attempts on their mobile phones, especially in the case of 1-click exploits, which require the user to click on a link or open a file. Suspicious files must only be opened in sandboxes or in environments running full host and network security solutions.
  • Deploy security patches for mobile operating systems and mobile software as soon as possible to avoid being compromised by zero-click exploits.
  • Do not store sensitive data on mobile phones, if possible.
  • Turn mobile phones off during sensitive meetings to avoid conversations being intercepted by a compromised device.

Editor’s note: TechRepublic contacted Google for additional information about this spyware research. If we receive those details, this article will be updated with that information.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday