The company’s Threat Analysis Group (TAG) released a report that details how 40 Commercial Surveillance Vendors (CSVs) of varying levels of sophistication and public exposure develop, sell and deploy spyware.
“These capabilities have grown the demand for spyware technology, making way for a lucrative industry used to sell governments and nefarious actors the ability to exploit vulnerabilities in consumer devices,” Google said in a blog post.
The company argued that although spyware typically affects only a small number of targets at a time, its wider use can have a bigger impact, contributing to growing threats to free speech, the free press and the integrity of elections worldwide.
The findings of Google’s report are significant because the company says it has some of the best visibility into hacking campaigns globally.
What Google TAG report found
Google listed four key findings which suggest that CSVs pose a threat to Google users as they exploit 0-day vulnerabilities targeting Google products and Android devices. It said that prominent CSVs garner public attention and headlines, but dozens of others that are less noticed play an important role in developing spyware.
The proliferation of spyware causes real-world harm, Google said, adding, “We partnered with Google’s Jigsaw unit to highlight the stories of three high-risk users who attested to the fear felt when these tools were used against them, the chilling effect on their professional relationships, and their determination to continue their important work.”
The report also highlighted that it is not the governments but the private sector that is now responsible for a significant portion of the most sophisticated tools that are detected.
Names of companies that develop spyware
Google named a few companies that sell spyware to clients, including governments. These tools are used for national security, but the technology has reportedly been used to hack into the phones of civil society, political opposition and journalists in the last decade.
There have been instances when Israeli firm NSO’s Pegasus spyware was found on the phones of various people globally, including human rights defenders. Other companies that develop spyware include Italian firms Cy4Gate and RCS Labs, Greek company Intellexa, and the lesser-known Italian company Negg Group and Spain’s Variston.
Negg Group’s website says the company is focused on cybersecurity, but its software was reportedly found to have been used to spy on people in Italy, Malaysia and Kazakhstan. Variston made software that infected users’ devices via the browsers Google Chrome, Mozilla Firefox or iOS apps, Google said.
Here’s the full report.