Spyware is commonly used to gather data from individuals like journalists, activists, and political figures. The demand for spyware technology has created a profitable industry that sells the ability to exploit weaknesses in consumer devices to governments and malicious actors. While spyware typically targets a small number of individuals, its broader impact contributes to growing threats to freedom of speech, press, and fair elections worldwide.
To shed light on the spyware industry, Google’s Threat Analysis Group (TAG) is releasing “Buying Spying,” a detailed report on Commercial Surveillance Vendors (CSVs). The report provides insights into around 40 CSVs, their roles in developing and selling spyware, the products they offer, and recent activity analysis.
Key findings
- Hidden CSVs: While some CSVs receive public attention, many others operate quietly but play a significant role in spyware development.
- Real-world impact: The proliferation of spyware by CSVs has caused harm to high-risk individuals, as highlighted by Google’s Jigsaw unit, impacting their work and professional relationships.
- Private sector dominance: The private sector now develops a significant portion of advanced cyber tools, challenging governments’ monopoly on these capabilities.
- Threat to Google users: CSVs are responsible for half of known 0-day exploits targeting Google products and Android devices.
The business of 0-days and spyware supply chain
The spyware industry involves four primary groups working together: vulnerability researchers and exploit developers, exploit brokers and suppliers, Commercial Surveillance Vendors (CSVs) or Private Sector Offensive Actors (PSOAs), and government customers.
International efforts to combat spyware
Community efforts and governmental actions aim to build consensus and limit the harms caused by the commercial spyware industry. Countries like the US and a coalition of eleven governments have taken initial steps to counter the industry’s misuse and proliferation.
Disrupting the spyware ecosystem to protect users
Google is committed to discovering and patching vulnerabilities used by CSVs, sharing intelligence with industry peers, and releasing information about disrupted operations. The company also offers tools to protect high-risk users from online threats. However, curbing this market will require collective action and international collaboration.
Google’s detailed analysis on CSVs and proposed solutions aims to support global efforts to address the industry’s challenges.
Special thanks to TAG’s Aurora Blum for her contribution to this report.