The Spyware Business Is Booming Despite Government Crackdowns

The commercial spyware economy – despite government and big tech’s efforts to crack down – appears to be booming.

In addition to the major players like Pegasus developer NSO Group, and Predator maker Intellexa, Google’s Threat Analysis Group (TAG) has found “dozens of smaller” commercial surveillance vendors and tracks around 40 such organizations.

Other exploitation supply chain orgs also make money from these nefarious tools – from the initial exploit developers and suppliers on through to the spyware vendors that charge varying amounts depending on what capabilities the customer requests.

In 2023, TAG reports it uncovered 25 zero-days under active exploitation, and 20 of these were abused by commercial surveillance vendors.

“All these players enable the proliferation of dangerous tools and capabilities used by governments against individuals, which threatens the safety of the internet ecosystem and the trust on which a vibrant and inclusive digital society depends,” according to a TAG report published on Tuesday.

The safety of the internet is not the only thing at stake as a result of spyware vendors’ efforts: the report shares stories of victims such as human rights advocates and journalists whose devices were infected with Pegasus.

These tools have also been used to secure the detention of political dissidents, lawyers, journalists and activists. Some deployments of spyware have been blamed for victims’ deaths. This, despite assurances from some of the surveillance vendors that their products can only be sold to governments and used to fight terrorism and other serious crimes.

“I have yet to see any reporting on legitimate use of this software,” Cisco Talos head of outreach Nick Biasini lamented in an interview with The Register.

“That’s not to say that it doesn’t exist,” he added. “It could be used in highly classified environments so that information never sees the light of day. But the majority of the activity seems to be around dissidents, activists, reporters, lawyers and those types of victims, which implies a non-standard application of the technology.”

Government to the rescue?

Western governments are taking steps to curb this $12-billion-a-year industry. On Monday, the US announced it would impose visa restrictions on anyone involved in the abuse of commercial spyware. Presumably, this extends from the makers and suppliers all the way to end-users.

That action follows last year’s executive order banning the US government’s use of commercial spyware that presents a national security risk to America – although, as The Register pointed out at the time, the order includes big loopholes for Uncle Sam’s snoops and American-made products.

Also in 2023, the US government added commercial spyware makers Intellexa and Cytrox to its Entity List, after placing similar export restrictions on NSO Group in 2021.

On Tuesday, a group of 35 nations, led by the UK and France, signed an agreement to “tackle proliferation and irresponsible use of commercial cyber intrusion tools and services.” Tech giants including Apple, Google and Microsoft also reportedly participated, but declined to comment.

Despite these and other efforts, the spyware business “appears to be booming,” Biasini observed. “There’s a lot of growth. If you look at the offensive conferences – especially the ones in Europe that have been going on – there are just a deluge of vendors that sit in this space.”

The spyware economy

One of the “bigger trends” that Talos is tracking within the spyware economy is the “decoupling between the commercial spyware vendors and the vulnerability and exploit vendors,” Biasini added.

According to TAG, spyware users typically use exploit chains, rather than a single point of entry, to remotely drop spyware to the target’s devices. This usually includes three or four zero-days, the report indicates. The findings don’t include any pricing info for these zero-days – which tend to allow remote code execution, sandbox escape and local privilege escalation.

The TAG report does include some details on spyware vendors’ pricing models – but nothing new.

One is a widely sourced 2021 New York Times publication of a pitch document for Predator. The base price of €8 million ($8.6 million) buys the user a remote, one-click exploit chain to install spyware implants on Android and iOS devices and the ability to run ten concurrent implants. Intellexa provides project management, and a 12-month warranty on the contract.

The second is an offer for NOVA – an Intellexa Alliance combined spyware and data analysis system – that was leaked on the XSS cybercrime forum in 2022. In addition to the base price, users can buy persistence on victim devices for an extra €3 million ($3.2 million), and an additional five-country package for another €1.2 million ($1.3 million).

When asked about these pricing models, and what Talos has seen, Biasini explained that the NYT story and the XSS leak are the only two data points he’s aware of. “We are basically operating on two leaked pieces of data,” he noted. “That’s all we have.”

This illustrates another part of the problem: the spyware economy remains mysterious.

“There is almost zero data being shared across the industry on this particular threat, and that is a massive problem,” Biasini worried. “If we really want to fix this, we need more eyes on this – not less. As someone who operates in the tech space, it is a Herculean effort for us to get samples to be able to analyze, and that should not be the case.”

In addition to samples of the malware itself, investigators need indicators of compromise, and hashes – things that are lacking in spyware reports. Similarly, none of the sources The Register contacted for this story could, or would, provide us with any other examples of or information about spyware pricing models.

All of this contributes to a lack of visibility, which allows the miscreants abusing surveillance tools to operate with impunity while their victims live in fear. ®

Updated to add

“The recent UK Pall Mall Process highlights a growing international alarm over the global spyware crisis,” Elina Castillo Jiménez, advocacy coordinator at the security lab at Amnesty Tech, told The Register.

“While a positive step, the declaration is far short of what is needed to rein in the commercial surveillance industry. States must adopt a ban on highly intrusive spyware altogether and establish robust safeguards for any permissible use of other forms of spyware.

“International law already defines legitimate spyware applications narrowly; instead of debating this, the focus must shift to protecting individuals from unlawful surveillance. Furthermore – there is a lot that can be done by governments individually – including through ceasing to purchase products from commercial surveillance vendors, enforcing export regulations, and providing accountability for already documented victims of spyware.”