More than 60 zero-day vulnerabilities in Apple, Adobe, Google, Microsoft, and Mozilla products that have come to light since 2016 have been attributed to commercial spyware vendors, Google said in a new report published on Tuesday.
The tech giant’s report provides insights into the operations of companies that help governments install spyware on devices. While these commercial spyware vendors claim that their products and services are only used for lawful surveillance, typically for law enforcement purposes, numerous investigations have shown that oppressive regimes are using them to target political opponents, journalists, dissidents, and human rights defenders.
Commercial spyware vendors are prepared to pay millions of dollars for exploits that can give them full control of devices, particularly phones running Android and iOS, but these companies can also earn millions from a single customer. In addition to the spyware itself, the customer is provided the initial delivery mechanism and required exploits, command and control infrastructure, as well as tools for organizing data stolen from compromised devices.
Google’s Threat Analysis Group (TAG) currently tracks roughly 40 commercial spyware vendors that develop and sell exploits and malware to governments.
In its latest report, Google names 11 of these vendors: Candiru, Cy4Gate, DSIRF, Intellexa, Negg, NSO Group, PARS Defense, QuaDream, RCS Lab, Variston, and Wintego Systems.
The company attributes more than 60 unique Android, Chrome, iOS/macOS, WhatsApp, and Firefox zero-day vulnerabilities discovered since 2016 to these companies. This list does not include the known (n-day) security flaws that spyware vendors have been observed exploiting.
Of the 25 exploited vulnerabilities that TAG discovered in 2023, 20 were used by spyware vendors. Moreover, such firms are behind 35 of the 72 zero-days exploited against Google products since mid-2014.
The internet giant noted that these are only the exploits that have been discovered. The actual number of exploited vulnerabilities is likely higher, since some exploits have still not been detected and others have yet to be linked to a spyware vendor.
When Google and Apple patch zero-day vulnerabilities, their advisories inform customers about active exploitation, but they do not provide any information on the attacks or the attackers. Google’s latest report for the first time links several of these zero-day vulnerabilities to specific spyware vendors.
For instance, the iOS zero-days CVE-2023-28205 and CVE-2023-28206, for which Apple rushed to release patches in April 2023, and CVE-2023-32409, which was patched in May, were exploited by Spanish company Variston. Exploitation of the Android vulnerability CVE-2023-33063 has now also been linked to the same spyware vendor.
The iOS vulnerabilities tracked as CVE-2023-42916 and CVE-2023-42917, for which Apple recently warned of active exploitation, have been linked to Turkish company PARS Defense.
CVE-2023-2033 and CVE-2023-2136, Chrome flaws fixed by Google in April, and CVE-2023-3079, addressed in June, have all been attributed to Intellexa.
CVE-2023-7024, the eighth zero-day patched in Chrome in 2023, has now been attributed to the NSO Group.
When it fixed CVE-2023-5217 in September, Google warned that the Chrome vulnerability had been exploited by a spyware vendor, but did not name the company. The new report reveals that the spyware vendor is Israel-based Candiru.
The Android vulnerabilities CVE-2023-4211, CVE-2023-33106, and CVE-2023-33107 have been attributed to Italian firm Cy4Gate.
The US government on Monday announced a new policy that will allow it to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware.
Related: Details Emerge on Israeli Spyware Vendor QuaDream and Its iOS Malware
Related: UK, France Host Conference to Tackle ‘Hackers for Hire’