Google and Meta each recently released research reports focused on the pervasive and growing threat of mercenary spyware targeting mobile devices.
The significance of two global technology giants publicly highlighting this problem cannot be overstated. Findings in both reports confirm our long-held position that mercenary spyware is a growing security threat that can reach beyond traditional targets like journalists, activists, and politicians to infiltrate enterprises, private and public infrastructure, and the personal accounts of business leaders.
We found this data point from Google’s Threat Analysis Group (TAG) report, “Buying Spying: Insights into Commercial Surveillance Vendors,” particularly alarming:
“As threat actors, Commercial Spyware Vendors (CSVs) pose a threat to Google users, as half of known 0-day exploits used against Google products, as well as Android ecosystem devices, can be attributed to CSVs.”
- Google Threat Analysis Report, “Buying Spying” Page 1
Zero-day exploits are difficult to build and deploy, and therefore somewhat rare. However, this TAG report finding - that half of the zero days discovered on Android can be attributed to CSV’s - indicates that zero-day exploits being developed and sold today aren’t being built only to target a small market of journalists and dissidents. Rather, CSVs have found a much larger addressable market for their exploits in the Google ecosystem writ large. This should be a wake-up call for security leaders in every type of organization.
Between the Lines: What These Reports Are Really Saying about Spyware Risk
We have understood the threat of mobile mercenary spyware to businesses for some time - in fact, it’s why we founded iVerify and why we built iVerify Enterprise and Threat Hunter. We are pleased that two of the world’s largest technology companies are now publicly reporting on this threat, because it can help everyone, in every type of organization, be better prepared.
Below are our top three takeaways and insights from the reports. Where report content is bolded, emphasis has been added by our team to call out important facts. All report excerpts are attributed. We encourage everyone to read the full reports. You can find Google’s here and Meta’s here.
1. The number of CSV-deployed zero-days targeting Google products is likely underestimated.
Google’s TAG found that 20 of the 25 exploited vulnerabilities discovered in 2023 - 80 percent - were used by spyware vendors. The report authors admit the actual number is likely higher. CSVs deploying zero days is an acceleration of a trend TAG highlighted in the report:
“CSVs are behind half of known 0-day exploits targeting Google products as well as Android ecosystem devices. Of the 72 known in-the-wild 0-day exploits affecting Google products since mid-2014, TAG attributes 35 of these 0-days to CSVs. This is a lower bounds estimate, as it reflects only known 0-day exploits where we have high confidence in attribution. The actual number of 0-days developed by CSVs is almost certainly higher, including 0-days targeting Google products.”
- Google Threat Analysis Report, “Buying Spying” Page 2
Clearly, CSVs are using zero-day exploits more and more. But why? They are expensive and can be complex to deploy. We believe it’s because zero days are the ideal way to penetrate a mobile device without the user being aware, to access and exfiltrate highly sensitive data, contacts, emails, and more. Today, our most sensitive personal and corporate information is all on the phone - so that’s where the handiwork of CSV’s can be found, too. The TAG report put it this way:
Private sector firms have been involved in discovering and selling exploits for many years, but the rise of turnkey espionage solutions is a newer phenomena. CSVs operate with deep technical expertise to offer ‘pay-to-play’ tools that bundle an exploit chain designed to get past the defenses of a selected device, the spyware, and the necessary infrastructure, all to collect the desired data from an individual’s device. Government customers who purchase the tools want to collect various types of data on their highest value targets, including passwords, SMS messages, emails, location, phone calls, and even record audio and video. In order to collect this data, CSVs develop spyware to target mobile devices.
- Google Threat Analysis Report, “Buying Spying” Page 16
2. Spyware has evolved from a government-funded espionage tool to a thriving private business.
Perhaps one of the most astounding developments, discussed in both reports, is how rapidly CSVs have adjusted their business models in response to increased government scrutiny and sanctions, and at the same time, have taken advantage of lower barriers to entry to expand their reach. As we wrote in an earlier blog, the mercenary spyware business is now valued at $12B and operates openly, using traditional business structures and processes.
But businesses need customers to survive. There simply aren’t enough activists and journalists to comprise a profitable addressable market - particularly now that there are so many CSVs in operation, competing for the same pool of targets. That’s why the trend of spyware-as-a-service is so concerning to us and should worry private sector security leaders as well; logically, CSVs are already targeting private businesses to grow their market share - particularly in China. A recent Washington Post article covering the iSoon document leak states, “China’s model of mixing state support with a profit incentive has created a large network of actors competing to exploit vulnerabilities and grow their businesses. The scale and persistence of their attacks are headaches for American technology giants like X, Microsoft and Apple, which are now locked in a constant race to outsmart the hackers.”
While China can be considered the OG of mobile espionage, today there are dozens of CSVs racing to carve out their own niche in the mercenary spyware marketplace.
The Meta Report describes the global scope and private sector reach of the threat this way:
(The report) includes findings related to eight firms from Italy, Spain and the United Arab Emirates: Cy4Gate; RCS Labs; IPS Intelligence; Variston IT; TrueL IT; Protect Electronic Systems; Negg Group; and Mollitiam Industries. They targeted iOS, Android, and Windows devices. Their various malware included capabilities to collect and access device information, location, photos and media, contacts, calendar, email, SMS, social media and messaging apps and enable microphone, camera and screenshot functionality. Their scraping, social engineering and phishing activity targeted Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch and Telegram.
- Meta 4th Quarter Adversarial Threat Report, Page 4
3. CSV Technologies and Attack Strategies Are Evolving Rapidly
Zero days are the most sophisticated and hard to defend against threats in security - but generally speaking, they aren’t discovered that often; they are the unicorns of cyberthreats. At least, that’s how it has been. As noted earlier, their use by CSVs is on the rise and researchers agree they are only seeing a small amount of the actual zero days that exist in the wild.
In response, both government policies and security tools are constantly evolving to combat the proliferation of these threats. But the mercenary spyware industry is astoundingly adaptable and has been able to stay one step ahead. For instance, CSVs and the customers that hire them have figured out they can be more successful when they only build and deploy a piece of the exploit themselves, rather than trying to execute a zero-day kill chain end-to-end. This isn’t universally true of course, but both Google and Meta thought this new approach important enough to include in their reports.
From the Meta report, under the heading “Customers Leverage Multiple Suppliers”:
By continuing to democratize access to spyware, this industry enables customers to use multiple malicious tools at once to complete the surveillance attack chain without relying on one vendor as a single point of failure. This makes it harder for any one threat research team to fully understand the activity we each see and identify who its ultimate beneficiary might be. It also makes it much more challenging for the targets to understand the fullest extent of surveillance aimed at them across the internet and hold those responsible to account, including in court.
- Meta 4th Quarter Adversarial Threat Report, Page 8
The TAG Report articulated it this way:
As in the broader software industry, CSVs have taken different approaches to be competitive in the spyware marketplace. CSVs build relationships to provide spyware to government customers, and rely on specialization, collaboration, or acquisitions to offer competitive products.
- Google Threat Analysis Report, “Buying Spying” Page 17
The authors go on to highlight CSV Intellexa to illustrate how CSVs are now working together:
Intellexa enriches their intrusion and surveillance products by combining capabilities from different arms together into an “alliance” of CSV vendors, some acquired by Intellexa as subsidiaries, and some close collaborators, each focused on a portion of developing and delivering surveillance capabilities.
- Google Threat Analysis Report, “Buying Spying” Page 18
We call attention to this trend because it demonstrates how insidious and tenacious the threat of mercenary spyware can be. CSV firms are casting bigger nets, and using better lures, to get valuable data from mobile devices. It also suggests that traditional approaches are failing to stem the tide of mobile malware. Meta more or less admits as much in their report, suggesting that because network-level security services only receive partial glimpses into the activities of these CSVs, no one provider can effectively protect users against their capabilities. A fundamentally new approach is needed, which we’ll outline in this series.
The Dangers of an “It Can’t Happen Here” Mindset
We believe that the findings in these reports support our contention that mobile devices in use by businesses and government organizations are at greater risk than ever before of a mercenary spyware attack. Threat researchers and national security agencies are becoming more aware of the problem and working hard to counter this trend, but it’s an uphill battle as spyware becomes easier to obtain:
The ability to acquire espionage capabilities off the shelf increases the likelihood of harm against users. The ability to purchase an end-to-end surveillance capability from CSVs normalizes the use of spyware against high risk users.
- Google Threat Analysis Report, “Buying Spying” Page 40
However, security leaders in private enterprise still may not fully understand how their organization is at risk. That’s why, in our next blog of this three-part series, we will share real use cases of mobile malware doing real-world harm to commercial entities. And, why existing solutions and strategies continue to fall short - an admission that was included in the Meta report:
It’s important to note that we often have only a limited view into their activity as these firms target people across many internet surfaces at once, using each service differently to enable various stages of the surveillance attack chain.
- Meta 4th Quarter Adversarial Threat Report, Page 6
In conclusion, we believe that the release of these reports signals an inflection point in the battle against mobile malware. There’s more to understand about this topic, including what industries are attacked, and how; and what existing mobile defense solutions can and can’t do to protect enterprises. Parts 2 and 3 of this series will discuss those aspects in detail.