The Rise of the Commercial Spyware Economy & How to Tackle It Proactively
In 2021, 50,000 phone numbers believed to be of interest to clients of the surveillance company NSO were leaked. They represented possible victims of its Pegasus software, revealing the scale of the spyware problem. NSO continues to face unwelcome scrutiny, but there have been no comparable high-profile revelations about this murky world.
Spyware has certainly not gone away. That’s clear from a new report from Google’s Threat Analysis Group, which documents the rise of a flourishing commercial spyware sector. Although only a limited number of people have been directly affected, the knock-on consequences are huge, and impact millions of people:
Spyware vendors point to their tools’ legitimate use in law enforcement and counterterrorism. However, spyware deployed against journalists, human rights defenders, dissidents, and opposition party politicians — what Google refers to as ‘high risk users’ — has been well documented, both by analysis from Google, and by researchers from organizations like the University of Toronto’s Citizen Lab and Amnesty International. While the number of users targeted by spyware is small compared to other types of cyber threat activity, the follow-on effects are much broader. This type of focused targeting threatens freedom of speech, a free press, and the integrity of elections worldwide.
The report is valuable for the detail it provides of this new threat to privacy and beyond. For example, Google points out that big names like NSO may dominate the headlines, but that there are now dozens of smaller commercial surveillance vendors. Other less well-known names mentioned in the report include Cy4Gate, RCS Lab, Intellexa, Negg Group, and Variston. All of these companies work in broadly the same way, by finding and exploiting vulnerabilities in widely used software. Google breaks down the spyware ecosystem into four main groups:
- Individual vulnerability researchers and exploit developers – one source for vulnerabilities is researchers who seek out flaws in common software
- Exploit brokers and suppliers – individuals or companies that specialize in selling vulnerabilities
- Commercial surveillance vendors – the players that develop and sell sophisticated spyware as a product, including delivery mechanisms, exploits, command and control structures, and associated tools
- Government customers – largely national authorities that buy commercial spyware software, to use against domestic or foreign targets they wish to monitor or attack
The Google report includes information about the pricing of these spyware products. For example, a “pitch” document for Nova spyware from Intellexa was published by the New York Times in December 2022:
For €8 million [about $8.75 million] the customer receives the capability to use a remote one-click exploit chain to install spyware implants on Android and iOS devices, with the ability to run 10 concurrent spyware implants at any one time. In this example, while the spyware can only run on 10 different devices concurrently, it can be switched between devices or re-infect the same device for up to 100 infections.
What most of these spyware systems have in common is the frequent use of “zero-day exploits.” These target vulnerabilities that were previously unknown, which makes them more or less impossible to defend against in the usual way: there is no security patch for them, and antivirus programs do not yet detect them. Google’s Threat Analysis Group discovered 25 zero-days being actively exploited “in the wild” (that is, against real targets rather than in a lab), 20 of which were being used by commercial spyware vendors.
Those zero-day exploits are not just a problem for individual, high-risk victims of spyware. They are routinely used by both national intelligence agencies and criminals against companies and governments. They can lead to the loss of considerable amounts of personal data, with major consequences for privacy.
How to Tackle Vulnerabilities
This raises an interesting question: instead of just reacting to such powerful zero-day vulnerabilities after they emerge, is there some way to tackle them proactively in advance? That issue is addressed in a new report from the US Office of the National Cyber Director, called Back to the Building Blocks: A Path Toward Secure and Measurable Software. It suggests two key strategic approaches:
- Reduce the attack surface in cyberspace that our adversaries can exploit by preventing entire classes of vulnerabilities from entering the digital ecosystem
- Anticipate systemic security risk by developing better diagnostics that measure cybersecurity quality
More specifically, the report recommends that the creators of hardware and software should, as a priority, reduce vulnerabilities caused by programming errors when handling computer memory. These errors are a common source of zero-day vulnerabilities. This problem can be tackled using so-called memory-safe programming languages, which enforce checks on memory access that a programmer in a language like C has to remember to write by hand.
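To make the memory-safety point concrete, here is an added example (not code from the article, from Google’s report, or from the ONCD report) in Rust, one of the memory-safe languages the report has in mind. It parses a length-prefixed record from an untrusted byte buffer, the kind of parsing a messaging or media library does on data an attacker controls. In a language without enforced bounds checks, a header that claims more bytes than the buffer holds would make the parser read past the buffer; here the language’s checked slicing turns that case into an ordinary error value. The record format and the inputs are constructed for the example.

```rust
// Added example: bounds-checked parsing of untrusted, length-prefixed data.
// The record format is assumed for illustration: [len: u16 big-endian][payload].

/// Parse one record. Returns the payload and the number of bytes consumed,
/// or None when the declared length exceeds what the buffer actually holds.
pub fn parse_record(buf: &[u8]) -> Option<(&[u8], usize)> {
    // `get` returns None instead of reading out of bounds when fewer than
    // two header bytes are present.
    let hdr = buf.get(0..2)?;
    let len = u16::from_be_bytes([hdr[0], hdr[1]]) as usize;
    // checked_add guards the end-offset arithmetic against overflow.
    let end = 2usize.checked_add(len)?;
    // None if the buffer is shorter than the header claims; no over-read.
    let payload = buf.get(2..end)?;
    Some((payload, end))
}

/// Walk a stream of records, stopping cleanly at the first malformed one
/// rather than continuing with corrupted offsets.
pub fn parse_stream(mut buf: &[u8]) -> Vec<Vec<u8>> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        match parse_record(buf) {
            Some((payload, used)) => {
                out.push(payload.to_vec());
                buf = &buf[used..]; // `used` is at most buf.len(), checked above
            }
            None => break,
        }
    }
    out
}

fn main() {
    // Constructed inputs: a well-formed record, and one whose header claims
    // 0xFFFF payload bytes while only three are present.
    let good = [0x00, 0x03, b'a', b'b', b'c'];
    let hostile = [0xFF, 0xFF, b'a', b'b', b'c'];
    println!("good:    {:?}", parse_record(&good));
    println!("hostile: {:?}", parse_record(&hostile));
}
```

The defensive property comes from the language, not from the programmer’s discipline: every slice access is checked, so a hostile length field cannot be turned into a read or write beyond the buffer, which is exactly the class of bug the report wants removed from the ecosystem.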
The report also suggests more should be done to develop ways of measuring the quality and security of software. This would allow organizations to find and address areas where there are vulnerabilities – either by eliminating them before they are exploited, finding them before they are used, or reducing their impact. The authors acknowledge that this “software metrology” is one of the hardest research problems to address, but argue that a greater effort needs to be made.
Spyware may seem a rather specialized threat compared to more common forms of surveillance, but its ramifications are wide, especially in two key ways. First, because the consequences of spyware on crucial aspects of society such as freedom of speech, a free press, and fair elections are serious. Second, the rise of the spyware economy encourages the wider discovery and greater use of powerful software vulnerabilities that can be turned against anyone in a wide variety of contexts. That makes proposals like those of the Office of the National Cyber Director particularly welcome for the focus on reducing the problem of software vulnerabilities in advance, rather than simply trying to deal with their consequences afterwards.