Commercial surveillance technology targeting smartphones, once the province of spymasters, is now becoming widely available on the open market. It is not only high-profile individuals such as politicians who are now threatened but also business people and ordinary smartphone users.
Half of the known zero-day exploits (a previously unknown vulnerability) used against Google and Android devices can be attributed to commercial surveillance vendors (CSVs), according to a new 50-page report from Google, Buying Spying: Insights into Commercial Surveillance Vendors.
“The commercial surveillance industry has emerged to fill a lucrative market niche: selling cutting edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications to surreptitiously install spyware on individuals’ devices,” says Google.
While the use of Israeli-made Pegasus spyware in political struggles has been well-documented, the technology is now becoming increasingly mainstream with a growing number of CSVs offering the latest spyware to anyone who can afford it. In addition to well-known CSVs like the NSO Group, there are dozens of smaller CSVs. Google lists 40 separate CSVs worldwide.
“If governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over. The private sector is now responsible for a significant portion of the most sophisticated tools we detect…As long as there is a demand for surveillance capabilities, there will be incentives for CSVs to continue developing and selling tools, perpetrating an industry that harms high-risk users and society at large,” says Google.
Last year, the Security Lab at Amnesty International led a major global investigation into the proliferation of surveillance technologies around the world and the failure of governments and the European Union (EU) to properly regulate the industry. The Google report also catalogs a commercial offer for CSV Intellexa’s ‘Nova’, combining spyware with a data analysis system, which was leaked on a cybercrime forum. This included a detailed proposal including capabilities and pricing.
Use of spyware becoming “normalized”
For €8 million the customer receives the capability to use a remote single-click exploit chain to install spyware implants on Android and iOS devices, with the ability to run 10 concurrent spyware implants at any one time. While the Nova spyware can only run on 10 different devices concurrently, it can be switched between devices or re-infect the same device for up to 100 infections. Additional capabilities may be added for an extra cost. For an additional €1.2 million, the customer can infect phones with SIM cards from five additional countries.
The new generation of CSVs enables the proliferation of high-priced end-to-end surveillance tools used by repressive governments worldwide against key individuals such as political rivals or investigative journalists. However, there are now growing fears that the proliferation of state-of-the-art off-the-shelf surveillance capabilities means that the technology is rapidly becoming mainstream, posing a threat to smartphone users everywhere.
Politicians, high-profile business figures, and journalists already feel under threat when visiting geographies where governments routinely use commercial spyware. But, once products such as this are further distributed and developed, the cost is likely to start coming down, opening the door to widespread industrial espionage and blackmail scams.
“As government entities buy off-the-shelf capabilities from the CSV industry, the use of spyware becomes increasingly normalized,” warns Google.
