Pegasus and other spyware tools: rising threats of government and criminal surveillance


Spyware acquired by governments is increasingly threatening civilians. While sophisticated spyware attacks may be very difficult to avoid, practicing basic internet hygiene and staying vigilant can help to minimize the risks.

In February, the Italian National Union of Journalists submitted a criminal complaint against the country’s government after it shut down questions about alleged spying in parliament.

Based on WhatsApp alerts sent to around 90 users in Europe, the union claimed that its government used Graphite spyware, created by the Israeli company Paragon Solutions, to spy on activist Luca Casarini and the country’s journalists.


The Italian government denied the allegations. However, Paragon Solutions, which was acquired by a US investment company last year, terminated its contract with Italy for breach of its terms of service, according to sources cited by The Guardian.

This was just one of many examples of how spyware tools, initially intended for use against criminals and terrorists, have spun out of control and are now being turned on civilians.

This year, Michael Casey, head of the National Counterintelligence and Security Center of the US, said that nearly 100 governments, including many authoritarian regimes, have acquired smartphone surveillance software tools.

Casey’s figures suggest that the industry is growing. Between 2011 and 2023, 74 governments contracted with commercial firms to obtain spyware or digital forensics technology, according to the US-based Carnegie Endowment think tank.

Casey also warned that spyware is increasingly accessible to cyber criminals on the black market.

0.8 spyware infections per 1,000 phones

Most government-grade spyware either comes from Israel or is built by former officers of the country’s intelligence services, followed by several European Union countries, including Italy.


The most sophisticated tools, such as Paragon’s Graphite or NSO Group’s Pegasus, are zero-click, meaning the target does not need to tap a link or take any other action for the device to be infected.

Pegasus was considered undetectable for many years; more recently, however, smartphone and software vendors have started notifying users when they spot the spyware. There are also publicly available tools, such as Amnesty International’s Mobile Verification Toolkit (MVT) and iVerify’s scanning app, that let users scan their devices and potentially detect Pegasus.
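To show the mechanism behind indicator-based scanning of the kind Amnesty’s kit (the Mobile Verification Toolkit, MVT) performs, here is an added example; it is not MVT’s code, nor iVerify’s. It parses a STIX2 indicator bundle, the format in which Amnesty publishes its Pegasus indicators, and matches the indicators against artifacts extracted from a phone. The bundle, the artifact list, the source file names and every domain, process name and hash in it are constructed placeholders, not real Pegasus indicators.

```python
"""IOC matching in the style of Amnesty International's Mobile Verification
Toolkit (MVT). Added example, not MVT's code. The STIX2 bundle and the
extracted artifacts below are constructed placeholders; none of the values
are real Pegasus indicators."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Constructed STIX2 bundle in the shape MVT consumes. Single-comparison
# patterns are the form published indicator files use; anything more complex
# is skipped below rather than guessed at.
SAMPLE_STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000001",
    "objects": [
        {"type": "indicator", "name": "placeholder c2 domain",
         "pattern": "[domain-name:value = 'exfil.example-c2.net']"},
        {"type": "indicator", "name": "placeholder process name",
         "pattern": "[process:name = 'bh']"},
        {"type": "indicator", "name": "placeholder payload hash",
         "pattern": "[file:hashes.sha256 = '" + "a1" * 32 + "']"},
        {"type": "indicator", "name": "compound pattern, unsupported here",
         "pattern": "[ipv4-addr:value = '192.0.2.1' OR ipv4-addr:value = '192.0.2.2']"},
        {"type": "malware", "name": "not an indicator, ignored"},
    ],
})

# Accepts exactly one "[type:property = 'literal']" comparison.
PATTERN_RE = re.compile(
    r"^\[(?P<obj>[a-z0-9-]+):(?P<prop>[a-z0-9_.]+)\s*=\s*'(?P<val>[^']*)'\]$"
)


@dataclass
class IocSet:
    domains: set[str] = field(default_factory=set)
    processes: set[str] = field(default_factory=set)
    sha256: set[str] = field(default_factory=set)


def parse_stix_bundle(text: str) -> IocSet:
    """Collect the supported indicator types from a STIX2 bundle."""
    iocs = IocSet()
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", "").strip())
        if not m:
            continue  # compound/unsupported pattern: skip, do not guess
        kind, prop, val = m["obj"], m["prop"], m["val"].lower()
        if kind == "domain-name" and prop == "value":
            iocs.domains.add(val.rstrip("."))
        elif kind == "process" and prop == "name":
            iocs.processes.add(val)
        elif kind == "file" and prop == "hashes.sha256":
            iocs.sha256.add(val)
    return iocs


def match_domain(iocs: IocSet, host: str) -> str | None:
    """Exact match or subdomain of an indicator. The label boundary is
    enforced so 'notexfil.example-c2.net' does not match 'exfil.example-c2.net'."""
    host = host.lower().rstrip(".")
    for d in iocs.domains:
        if host == d or host.endswith("." + d):
            return d
    return None


# Constructed artifacts in the shape a backup/sysdiagnose parse would yield:
# (artifact kind, value, source). Only the marked rows should match.
SAMPLE_ARTIFACTS = [
    ("domain", "api.apple.com", "datausage.sqlite"),
    ("domain", "cdn.exfil.example-c2.net", "datausage.sqlite"),   # hit
    ("domain", "notexfil.example-c2.net", "datausage.sqlite"),    # no hit
    ("process", "mediaserverd", "ps"),
    ("process", "bh", "datausage.sqlite"),                        # hit
    ("sha256", "A1" * 32, "Library/Caches"),                      # hit
]


def scan(artifacts, iocs: IocSet) -> list[dict]:
    """Return one record per artifact that matches an indicator."""
    hits = []
    for kind, value, source in artifacts:
        matched = None
        if kind == "domain":
            matched = match_domain(iocs, value)
        elif kind == "process" and value.lower() in iocs.processes:
            matched = value.lower()
        elif kind == "sha256" and value.lower() in iocs.sha256:
            matched = value.lower()
        if matched is not None:
            hits.append({"kind": kind, "artifact": value,
                         "ioc": matched, "source": source})
    return hits


if __name__ == "__main__":
    found = scan(SAMPLE_ARTIFACTS, parse_stix_bundle(SAMPLE_STIX_BUNDLE))
    for h in found:
        print(f"{h['kind']:8} {h['artifact']!r:40} matched {h['ioc']!r} in {h['source']}")
    print(f"{len(found)} indicator hits; zero hits does not mean a clean device")
```

Two practitioner caveats follow from the code: a scan of this kind can only find what the indicator file already knows about, so no hits is not a clean bill of health, and the real tooling does far more than this (full backup and sysdiagnose parsing, many more artifact types) and should be run against the indicator files that Amnesty and others actually publish rather than the placeholders above.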

“Mobile phones are on the front lines of spyware proliferation, and so-called ‘zero-click’ capabilities remain the hot new thing in terms of tooling. The best capabilities are built by the likes of NSO Group, Intellexa, and Paragon, although we’re seeing traditional hacking groups quickly match their prowess,” says Rocky Cole, co-founder and chief operating officer at mobile security solutions provider iVerify.

He notes that the very architecture that makes phones secure for the general public renders them more vulnerable to determined attackers, since it is hard to collect enough telemetry from a modern phone to detect spyware.


iVerify says it had 11 Pegasus detections in December out of 18,000 scans, all of them in a business context.

Cole says that mobile attacks have become more frequent and are no longer restricted to high-profile targets, putting entire enterprises at risk.

“When there is a large financial transaction about to happen, that’s when the spyware comes out. We did a natural experiment last year that suggested there could be around 0.8 spyware infections for every 1,000 mobile phones out there among the ‘frequently hacked’ population,” he adds.

Why is it difficult to detect spyware?

Aside from NSO Group and Paragon Solutions, there are dozens of other spyware vendors. Last year, Google’s Threat Analysis Group identified 40 companies involved in selling and supplying exploits and spyware services to governments.


Niranjan Jayanand from the CyberProof Threat Research Team lists Candiru, NoviSpy, Hermit, and Predator among the most notable.

According to him, while spyware has typically targeted activists, lawyers, and government staff, there are signs that ordinary civilians are being targeted more often.

This may be attributed to the spread of bring-your-own-device policies at work, which gives threat actors a wider range of targets.

Chinese hackers are also notable when it comes to monitoring civilians, with EagleMsgSpy reportedly used by local police as a lawful intercept tool.

“EagleMsgSpy appears to require physical access to a target device in order to activate the information-gathering operation. The surveillance client can be acquired through various methods, such as QR codes or via a physical device that installs it on the phone when connected to USB,” Jayanand says.

In addition, Chinese state-sponsored hackers are said to be responsible for the Salt Typhoon attacks, potentially affecting millions of people, including those in sensitive government and political positions.

Asked why spyware is so hard to detect, Jayanand says that it often operates at the kernel level of the operating system rather than at the user level, which makes it difficult to observe how it interacts with the device.

“Some spyware uses ‘time bombs,’ activating only at a specific date and time, which makes early detection very challenging. Attackers might use false flag operations, pretending to be a known spyware operation or falsely attributing the attack to a specific government or agency, further complicating attribution and detection efforts,” Jayanand explains.

Ernestas Naprys Konstancija Gasaityte profile Linas Kmieliauskas Paulina Okunyte

Secret nature of the industry

According to Mithilesh Ramaswamy, a senior engineer working in security at Microsoft, the main reason companies sell spyware tools is money.

“Spyware makers have found a financially lucrative market, fueled by the massive proliferation of consumer devices, which serve as the keys to our personal information kingdom. As demand grows, so does the supply, with entire spyware marketplaces emerging on the dark web,” he says.

This cycle feeds itself – more availability leads to better tools, better tools drive more demand, and the market expands further.

It is difficult to estimate the revenue and profit of spyware vendors due to the secretive nature of the industry.

NSO Group, for example, which at one point wanted to go public, reported $243 million in revenue in 2020. In 2021, however, it was blacklisted by the US government for selling its technology to authoritarian regimes that used it against civilians, which hit its finances hard and compounded its existing financial problems.

Several publications claim that the overall spyware market was worth $12 billion in 2022-2023, citing a New Yorker article that did not give a source for the figure.


Signs of spyware

What are the chances that a user’s device could be infected with spyware?


According to Cole, many people are overly suspicious. They observe their phone “acting odd” and assume it must be hacked when, in reality, the phone may simply be running buggy code.

However, spyware cases among the frequently hacked population, such as governmental officials, lawyers, and activists, are rising.

And since zero-click attacks show no visible signs, there is little one can do to protect against them.

“But most spyware is one-click, meaning you’ll still receive a text message from someone you don’t know containing a malicious link or file. Rarely, you’ll notice that your phone’s battery drains quicker, or perhaps your internet seems suddenly slower everywhere you go,” Cole adds.

According to Ramaswamy, microphone or camera activation without any input is a clear warning that something or someone might be watching.

Jayanand adds that anomalies, such as poorly functioning features and malfunctioning security software, might also be signs that spyware is present on a device.

Although sophisticated attacks can be hard to detect, experts recommend staying secure by regularly updating the operating system and apps, installing software only from trusted sources, and avoiding unsolicited messages and emails.