Photo: Trismegist san / Shutterstock.com
The private spyware industry contributes to global spyware development and research, resulting in the proliferation of spyware into the hands of those willing to pay a price.
Google’s Threat Analysis Group (TAG) released a report dealing with the intricate and concerning landscape of the commercial surveillance industry. The findings reveal a thriving market where cutting-edge technology is sold to governments worldwide, enabling surreptitious spyware installations on individual devices by exploiting vulnerabilities in consumer applications and devices.
Most of these commercial surveillance vendors (CSVs) operate openly under the guise of security research. The report also detailed that high-risk users such as journalists, human rights defenders, dissidents, and opposition politicians are at greater risk than others.
“It was terrifying,” said human rights activist María Luisa Aguilar Rodríguez who received an Apple alert notifying her about the possibility that the government is keeping track of her activities. “We didn’t know how this happened, or what was going to happen next.”
While prominent vendors like NSO Group, known for the Pegasus spyware, make the news, there are several others out there that are equally dangerous, including Cy4Gate, RCS Labs, Intellexa, Variston and Negg Group, among 40 others identified by Google.
Cy4Gate and RCS Labs
Italian CSV Cy4Gate was founded in 2014 and is known for the Epeius spyware, which threat actors have used to exploit several Android 0-day vulnerabilities, including CVE-2023-4211, CVE-2023-33106 and CVE-2023-33107.
Cy4Gate acquired RCS Labs in 2022, a vendor known for the Hermit spyware. Threat actors have used this spyware against targets in the wild, and several RCS Labs tools were found in use in Kazakhstan and Italy.
Several reports came out in 2021 regarding a fake WhatsApp version, which was installed on a victim’s device for the sole purpose of collecting information. That fake app was attributed to Cy4Gate.
RCS Labs’ subsidiary, Tykelab, was found to be spying on citizens of Nicaragua, Malaysia, Mali, Costa Rica, Greece, Portugal and Italy.
RCS Labs also used fake applications as infection vectors in several attacks. The company has also been in contact with various governments, including Pakistan, to offer its services.
Intellexa is an alliance of different CSVs, including Nexa Technologies, Cytrox, WiSpear, and Senpai. The United States government has banned this company.
One of the companies, Cytrox, had developed Predator spyware, which came to light when this spyware targeted Egyptian MP Ahmed Eltantaway’s mobile device.
After this revelation, Apple quickly scrambled to fix the bug.
Besides providing spyware and related tools, the companies also conduct open-source intelligence (OSINT) research to gather more information about the target.
Variston is based in Spain and is known for the Heliconia exploitation framework. Threat actors have used this malware to target Chrome, Android, iOS, Firefox and Microsoft Defender.
The CSV also operates a network of other organisations to develop and distribute malware. In March 2023, it was reported that the Heliconia framework targeted citizens in the United Arab Emirates. The malware used malicious websites as the infection vector, and researchers discovered up to 10 such malicious links in the wild.
NSO Group is known for its Pegasus spyware, first discovered by Citizen Lab in 2016. Citizens in 45 countries, including India and Jordan, were targeted by this spyware.
Several journalists were also targeted, including NYT’s Ben Hubbard and Jamal Khashoggi. Even after all the controversies, NSO Group is still selling the spyware that threat actors use to target iOS.
In December 2023, Google also discovered a zero-day vulnerability, CVE-2023-7024, that was being exploited by one of the NSO Group’s customers.
Negg Group is also based in Italy and is known for Skygofree, a malware that targets Android devices. This malware was one of a kind, with features such as the ability to record audio via the microphone, read and steal WhatsApp messages via Accessibility Services, and connect the victim’s device to malicious WiFi networks.
Google’s TAG observed Negg Group’s activities in Italy, Malaysia, and Kazakhstan.
This indicates a significant shift in the threat landscape, with the private sector now responsible for a substantial portion of the most sophisticated exploitation tools.
The private spyware industry operates smoothly through complex supply chains, helping to proliferate these tools. For the sake of simplicity, the CSV industry is divided into four categories:
- Individual vulnerability researchers: Those who research exploits often monetise their efforts by taking part in bug bounty programs.
- Exploit brokers: These CSVs sell exploits to customers at a price.
- Private Sector Offensive Actor (PSOA): These specialised and sophisticated private sector industries are involved in developing and selling the tools.
- Government customers: Perhaps the most lucrative customers of the lot. With unlimited monetary resources, governments buy these tools to target other countries or to silence democratic voices within their own.
The money to be made by selling espionage software and tools is quite handsome. The report detailed a commercial proposal from Intellexa in which, for €8 million, the CSV offered a remote 1-click exploit chain to install spyware implants on Android and iOS devices, allowing customers to run 10 concurrent spyware implants at any time.
More customisation will result in a significant increase in the price of the product. The involvement of private players has significantly increased the proliferation of hacking tools.
“Surveillance tools are expensive to develop and maintain, and the CSV market allows any entity to “pay-to-play” and have a full remote surveillance capability instead of (or in addition to) developing the tools themselves,” said the report.
Furthermore, buying tools from CSVs gives governments additional reputational cover, allowing them to target high-risk individuals freely.
Google calls for the US government to “lead a diplomatic effort to work with governments of the countries” to counter the growing menace of CSVs. Ironically, a company like Google, which has been accused time and again of collecting unauthorised data, is asking the US government, which runs one of the most sophisticated surveillance networks, to call out CSVs.