Spyware vendors outpace state-sponsored actors in zero-day exploits

Commercial spyware vendors such as NSO Group, Intellexa, Candiru, and Cy4Gate were the most prolific discoverers of new exploits targeting Android, iOS, and desktop and mobile browsers. Google is calling for expanded sanctions and restrictions on such companies.

Last year, Google observed 97 zero-day vulnerabilities exploited in the wild, more than 50 percent above the 62 recorded in 2022. The count is not far from the record set in 2021, when 106 in-the-wild zero-days were tracked.

State-sponsored threat actors from China, North Korea, and Russia, long the dominant users of zero-days, now share the field with commercial companies whose business is surveillance.


Commercial spyware vendors were behind 75% of known zero-day exploits targeting Google products and Android ecosystem devices, and most of them also sell spyware capabilities to government customers, according to a combined analysis by Google’s Threat Analysis Group (TAG) and Mandiant.

Of the zero-days whose exploitation Google could attribute to a motivated actor, 41.4% were attributed to the so-called commercial surveillance vendors (CSVs) that sell or rent spyware. Government-sponsored cyber actors combined also accounted for 41.4%, with the remainder attributed to financially motivated hackers.


“The commercial surveillance industry has emerged to fill a lucrative market niche: selling cutting edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications to surreptitiously install spyware on individuals’ devices. By doing so, CSVs are enabling the proliferation of dangerous hacking tools,” researchers warn.

Spyware vendors typically offer “pay-to-play” tools that bundle full exploit chains designed to bypass the defenses of specific mobile and other devices.

Government customers purchasing such tools “want to collect various types of data on their highest value targets, including passwords, SMS messages, emails, location, phone calls, and even record audio and video.”

“Private sector firms have been involved in discovering and selling exploits for many years, but we have observed a notable increase in exploitation driven by these actors over the past several years,” the report reads.

While prominent spyware vendors like NSO Group grab media headlines, dozens of smaller spyware vendors operate in the shadows. Google has urged governments around the world to expand the restrictions and sanctions that previously targeted NSO Group, Candiru, and Intellexa.


In March 2023, US President Joe Biden issued an Executive Order prohibiting the US government from operationally using commercial spyware that poses risks to national security or has been misused by foreign actors to enable human rights abuses around the world.

“The US government should contemplate imposing further sanctions to limit spyware vendors’ ability to operate in the US and receive US investment. The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use,” Google said on February 6th, 2024.

Last year, Windows was the most affected platform, with 17 new in-the-wild zero-days, followed by the Safari browser with 11. Google did not attribute any of the Windows zero-days to spyware vendors. iOS and Android shared third place with nine new exploits each, and eight zero-days were recorded for Chrome.

Researchers recorded no in-the-wild zero-days for macOS, Firefox, or Internet Explorer.

Of the 19 in-the-wild zero-days targeting browsers, nine were in JavaScript engines. Google also observed an increase in exploits targeting third-party components and libraries, where a single bug affects more than one product.

Google released six recommendations with the report for individuals and organizations to improve their security posture.