Google’s Threat Analysis Group (TAG) found that in 2023, 80% of the zero-day vulnerabilities they discovered were linked to commercial spyware vendors (CSVs), which exploit these vulnerabilities to conduct surveillance on devices worldwide. Zero-day vulnerabilities are security weaknesses unknown to the software vendors or lacking available fixes.
Google’s TAG closely monitors 40 CSVs to detect exploitation attempts, safeguard users, and share crucial findings with relevant parties. Over the past decade, TAG has identified 35 of the 72 known in-the-wild zero-day exploits targeting Google products as originating from spyware vendors.
These vendors, serving clients such as governments and private organizations, often target journalists, activists, and political figures. Notable CSVs include Cy4Gate and RCS Lab, Intellexa, Negg Group, NSO Group, and Variston, known for sophisticated spyware like Pegasus and Skygofree.
CSVs sell licenses for millions of dollars, enabling customers to infect Android or iOS devices with 1-click or zero-click exploits. Some exploit chains rely on already-known flaws (n-days) rather than zero-days: because patches are applied slowly, these flaws remain exploitable for extended periods.
Between 2019 and 2023, CSVs developed 33 exploits for unknown vulnerabilities. The majority of the 74 zero-days identified by Google impact Google Chrome, Android, Apple iOS, and Windows.
Discovering and patching vulnerabilities disrupts CSV operations, impacting their revenue and development cycles. However, the demand for spyware persists, prompting Google to advocate for increased collaboration among governments, stricter surveillance technology guidelines, and diplomatic efforts against non-compliant vendors.
Google combats spyware threats through measures like Safe Browsing, Gmail security, the Advanced Protection Program (APP), Google Play Protect, and information sharing within the tech community.