Connect with us

Hi, what are you looking for?



Google Links Over 60 Zero-Days to Commercial Spyware Vendors

More than 60 of the Adobe, Google, Android, Microsoft, Mozilla and Apple zero-days that have come to light since 2016 attributed to spyware vendors. 

iOS malware

More than 60 of the Apple, Adobe, Google, Microsoft, and Mozilla product zero-day vulnerabilities that have come to light since 2016 have been attributed to commercial spyware vendors, Google said in a new report published on Tuesday.

The tech giant’s report provides insights into the operations of companies that help governments install spyware on devices. While these commercial spyware vendors claim that their products and services are only used for lawful surveillance, typically for law enforcement purposes, numerous investigations have shown that oppressive regimes are using them to target political opponents, journalists, dissidents, and human rights defenders. 

Commercial spyware vendors are prepared to pay millions of dollars for exploits that can give them full control of devices, particularly phones running Android and iOS, but these companies can also earn millions from a single customer. In addition to the spyware itself, the customer is provided the initial delivery mechanism and required exploits, command and control infrastructure, as well as tools for organizing data stolen from compromised devices.

Google’s Threat Analysis Group (TAG) currently tracks roughly 40 commercial spyware vendors that develop and sell exploits and malware to governments. 

In its latest report, Google names 11 of these vendors, including Candiru, Cy4Gate, DSIRF, Intellexa, Negg, NSO Group, PARS Defense, QuaDream, RCS Lab, Variston, and Wintego Systems.  

The company attributes more than 60 unique Android, Chrome, iOS/macOS, WhatsApp, and Firefox zero-day vulnerabilities discovered since 2016 to these companies. This list does not include the known (n-day) security flaws that spyware vendors have been observed exploiting. 

Of the 25 exploited vulnerabilities that TAG discovered in 2023, 20 were used by spyware vendors. Moreover, such firms are behind 35 of the 72 zero-days exploited against Google products since mid-2014. 

The internet giant noted that these are only the exploits that have been discovered. The actual number of exploited vulnerabilities is likely higher as there are some exploits that still have not been detected or ones that have yet to be linked to spyware vendors. 

Advertisement. Scroll to continue reading.

When Google and Apple patch zero-day vulnerabilities, their advisories inform customers about active exploitation, but they do not provide any information on the attacks or the attackers. Google’s latest report for the first time links several of these zero-day vulnerabilities to specific spyware vendors.

For instance, the iOS zero-days CVE-2023-28205 and CVE-2023-28206, for which Apple rushed to release patches in April 2023, and CVE-2023-32409, which was patched in May, have been exploited by Spanish company Variston. Exploitation of the Android vulnerability CVE-2023-33063 has now also been linked to the same spyware vendor. 

The iOS vulnerabilities tracked as CVE-2023-42916 and CVE-2023-42917, for which Apple recently warned of active exploitation, have been linked to Turkish company PARS Defense.

CVE-2023-2033 and CVE-2023-2136, Chrome flaws fixed by Google in April, and CVE-2023-3079, addressed in June, have all been attributed to Intellexa

CVE-2023-7024, the eighth zero-day patched in Chrome in 2023, has now been attributed to the NSO Group. 

When it fixed CVE-2023-5217 in September, Google warned that the Chrome vulnerability had been exploited by a spyware vendor, but did not name the company. The new report reveals that the spyware vendor is Israel-based Candiru.  

The Android vulnerabilities CVE-2023-4211, CVE-2023-33106, CVE-2023-33107 have been attributed to Italian firm Cy4Gate

The US government on Monday announced a new policy that will allow it to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware. 

Related: Details Emerge on Israeli Spyware Vendor QuaDream and Its iOS Malware

Related: UK, France Host Conference to Tackle ‘Hackers for Hire’

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


Daniel Kelley was just 18 years old when he was arrested and charged on thirty counts – most infamously for the 2015 hack of...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.


Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


Companies have announced securing billions of dollars in cybersecurity-related contracts with the United States government in 2022.