Google's Threat Analysis Group (TAG) released a report shedding light on the rising dangers posed by the commercial surveillance vendor (CSV) industry and its exploitation of zero-day vulnerabilities in Android and iOS devices.
The TAG team said it is currently tracking 40 CSVs actively involved in this trade, peddling sophisticated hacking tools that, while ostensibly designed for legitimate law enforcement and counterterrorism purposes, are frequently misused to erode fundamental liberties. These tools, often labeled as spyware, are deployed by governments to target individuals critical of their regimes, including dissidents, journalists, human rights activists, and opposition politicians.
According to Google TAG, CSVs represent a significant threat to Google users: half of all known 0-day exploits targeting Google products and Android-ecosystem devices are attributed to these entities.
Of the 72 in-the-wild zero-day exploits discovered since mid-2014, 35 have been traced to commercial spyware vendors. For example, the three iOS zero-days (CVE-2023-28205, CVE-2023-28206, and CVE-2023-32409), as well as the Android vulnerability CVE-2023-33063, have been exploited by the Spain-based company Variston. The vendor has been linked to Heliconia, a spyware framework that used both 0-day and n-day exploits against Chrome, Android, iOS, Firefox, and Microsoft Defender.
Another spyware vendor, the Turkish company PARS Defense, has been linked to the exploitation of the CVE-2023-42916 and CVE-2023-42917 zero-day vulnerabilities affecting iOS.
The three Chrome zero-day flaws patched in 2023 (CVE-2023-2033, CVE-2023-2136 and CVE-2023-3079) have been attributed to the Greece-based Intellexa Alliance, which includes Nexa Technologies, Cytrox, WiSpear, Senpai, and other unnamed entities. Cytrox is known for its Predator spyware that targets both iOS and Android devices.
Two other Chrome zero-days, CVE-2023-7024 and CVE-2023-5217, have been attributed to the Israel-based spyware makers NSO Group and Candiru, respectively.
The Android flaws CVE-2023-4211, CVE-2023-33106, and CVE-2023-33107 have been linked to the Italian firm Cy4Gate and its Epeius spyware, which targets Android and iOS systems.
“While CSVs pivot and persist in their activities, bringing public scrutiny to their actions causes disruptions, delays, and even temporary cessations to their activity. This both prevents attacks against users and makes it harder for CSVs to advertise and sell their products,” the report said. “In addition to public scrutiny, we welcome the actions of governments to contain the proliferation of dangerous tools and capabilities which threaten the safety of the Internet ecosystem, and threaten the trust on which a vibrant and inclusive digital society depends.”
The US State Department announced on Monday a new policy aimed at targeting individuals involved in the misuse of commercial spyware. This new policy empowers the imposition of visa restrictions on those found complicit in such activities.