Commercial Spyware Used by Governments Laden With Zero-Day Exploits

Researchers from Google’s Threat Analysis Group (TAG) have discovered two separate, highly targeted campaigns that use zero-day exploits, alongside exploits for bugs that have already been patched upstream, against users of both iPhone and Android smartphones to deploy spyware.

The discoveries, revealed in a blog post on March 29, come out of the active tracking Google TAG does of commercial spyware vendors; more than 30 of them are currently on its radar, the researchers said. These vendors sell exploits or surveillance capabilities to state-sponsored threat actors, thus “enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house,” the researchers wrote. These tools are often used to target dissidents, journalists, human rights workers, and opposition-party politicians in potentially life-threatening ways, they noted.

The use of surveillance technologies is currently legal under most national and international laws, and governments have abused those laws and technologies to target individuals who don’t align with their agendas. However, since the revelation that governments were abusing NSO Group’s Pegasus mobile spyware to target iPhone users brought this abuse under international scrutiny, regulators and vendors alike have been cracking down on the production and use of commercial spyware.

In fact, on March 28, the Biden administration issued an executive order that stops short of an outright ban on spyware but restricts the federal government’s own use of commercial surveillance tools.

Google’s findings this week show that those efforts have done little to slow the commercial-spyware market, and “underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits,” TAG researchers wrote in the post.

Specifically, the researchers discovered what they characterize as two “distinct, limited, and highly targeted” campaigns aimed at users of Android, iOS, and Chrome on mobile devices. Both use zero-day exploits (for vulnerabilities with no fix available at the time of exploitation) and n-day exploits (for vulnerabilities that have been fixed upstream but whose patches have not yet reached every device). Regarding the latter, the campaigns take particular advantage of the period of…