Feb 6, 2024 - Technology

Small spyware companies are a big problem


The commercial spyware industry is booming, and many of the most dangerous players are small companies no one has heard of, Google warns in a report released Tuesday.

Why it matters: The Biden administration, civil rights groups and other governments have spent years trying to squash abuses of commercial spyware — yet some of those same governments are still buying into the industry.

Driving the news: Google's Threat Analysis Group (TAG) released a paper today detailing how smaller spyware vendors have started to dominate the underground market.

  • Often, media attention is given to some of the bigger players, including NSO Group and Intellexa. These are often companies that are open to talking with reporters and have been the subject of several news investigations.
  • But TAG is currently tracking roughly 40 commercial spyware vendors, many of whom have never been publicly exposed, Maddie Stone, a security researcher for Google TAG, tells Axios.

The big picture: Commercial spyware includes malware that's installed on a victim's phone and allows attackers to surveil someone's calls, emails and text conversations.

  • Some of the most insidious types of spyware can be installed on someone's phone without them even having to click on a malicious link. Just successfully delivering a text message can lead to installation.
  • Those using spyware often target high-risk groups, such as politicians, political dissidents, human rights activists and journalists.

What they're saying: "Most people on this planet don't need to be worried about them being individually hacked with these tools, yet it still affects us all," Stone tells Axios.

  • But if political figures are being targeted, Stone adds, that "calls into question free and fair elections and affects us as a society."

Between the lines: Governments worldwide have continued to buy into the commercial spyware market, despite growing efforts to crack down on vendors who sell to those abusing the technology, Stone says.

  • The paper released today is intended as a call to action for governments, the tech industry and civil rights groups to work together to make it more difficult for commercial spyware vendors to operate.

Details: Underreported vendors mentioned in the report include Cy4Gate, Negg Group and Variston.

The intrigue: 35 of the 72 hacking tools that Google researchers saw actively targeting unpatched flaws in Google's products from mid-2014 through 2023 were created by spyware vendors — making them one of the top contributors to the dark web's zero-day market, per the report.

  • That estimate is based only on known hacks targeting zero-day vulnerabilities, so it's likely that a larger percentage can be traced back to vendors, the report notes.

Be smart: Researchers and government officials have recommended that those who could be spyware targets reboot their devices frequently to remove any spyware that an attacker or government may have installed.
