Dozens of surveillance companies are providing spyware technology used by governments around the world to spy on the mobile phones of journalists, human rights defenders, dissidents and political opponents.
Google’s Threat Analysis Group (TAG) has identified and is actively tracking up to 40 companies involved in selling security exploits and surveillance capabilities to governments with poor human rights records.
The trade extends beyond well-known spyware companies, such as Israel’s NSO Group, Italy’s Cy4Gate and Intellexa in Greece, and includes an extended supply chain of smaller companies that provide surveillance capabilities.
Google’s publication of the report coincided with a joint French and UK initiative, known as the Pall Mall Process, agreed at an international conference at Lancaster House in London, which aspires to introduce safeguards for the use of commercial spyware.
According to Google, private sector companies – known as commercial surveillance vendors (CSVs) – rather than government intelligence and law enforcement agencies, are responsible for the majority of the most sophisticated hacking and surveillance tools detected by Google’s TAG.
Out of 25 zero-day vulnerabilities – non-public security weaknesses that can allow spyware to access private data on phones or laptops – identified by Google’s researchers last year, it found 20 were being exploited by surveillance suppliers.
Google is currently tracking 40 companies involved in supplying commercial surveillance services to government, though it acknowledges it is impossible to identify or count all organisations involved in the trade.
Chilling impact on democracy and elections
The ability of governments to buy electronic spying services off the shelf shifts the risks of surveillance away from governments to the CSVs themselves and increases the likelihood that spyware will be deployed against high-risk individuals.
The report, which tells the personal stories of campaigners and activists who have been targeted by government-sponsored spyware, finds the trade in spyware has had a chilling effect on free speech and poses a threat to free and fair elections.
Last year, for example, the TAG found that surveillance tools provided by Intellexa, a Greek alliance of commercial surveillance suppliers, had exploited elections and political candidates to trap targets in Indonesia and Madagascar. The company’s Predator spyware was also used in Egypt to target opposition politicians.
Government demands for spyware have led to lucrative contracts for companies and individuals that make up the supply chains for commercial surveillance vendors, previously leaked documents quoted by Google have shown.
A document published on a cyber crime forum, for example, revealed that Intellexa offered Nova implants to a government client to infect 10 Android or iOS phones simultaneously in the host country for €8m. For a further €1.2m, clients could opt to infect phones from five additional countries outside the host country.
Most customers pay to regularly re-infect their target phones with spyware to avoid the risk of it being detected by remaining on the phone. But Intellexa also offered the option of installing persistent infections, which remain on the phone once it is shut down, for further large payments.
Other CSVs have worked with internet service providers to convince users to install fake apps to gain access to customers’ data. One campaign identified by TAG in 2021 found that victims in Italy and Kazakhstan were sent SMS messages encouraging them to download fake Vodafone apps that gave the attackers access to the content of their mobile phones.
Cat and mouse games
Google and other security researchers have disrupted the business models of commercial surveillance vendors by discovering, disclosing and patching security vulnerabilities used by spyware providers.
In April 2023, for example, Google disrupted Intellexa’s operations for 40 days after it released patches to fix zero-day vulnerabilities used by its spyware exploit. Although Intellexa developed a replacement zero-day exploit, that survived for just a week before Google fixed the vulnerability.
Apple released a patch known as BlastDoor in its iOS 14 operating system update to make it more difficult for attackers to develop zero-click exploits against its iMessage text message service. Israeli spyware group NSO found a way around the protection by delivering payloads as PDF files disguised as graphics files. Apple addressed the problem in later updates.
CSVs have continued in business despite efforts to curb their activities by governments and technology companies that have taken direct legal action against them. The NSO Group, for example, continues to operate despite sanctions from the US government and lawsuits from Meta and Apple.
Google argues that further action is needed to curb the spread of commercial surveillance technologies and urges the US government to lead a diplomatic effort with countries where commercial surveillance vendors operate, and with those governments that use their service.
27 countries back Pall Mall Process
Google, along with Meta, Microsoft and BAE Systems Digital Intelligence, are among a disparate group of 14 companies to support the Pall Mall Process, a UK and French initiative to develop safeguards and guidelines for the use of commercial surveillance services.
The Pall Mall Process, agreed during a two-day conference on 6 February 2023, which was attended by 27 countries, calls for governments and private sector organisations involved in surveillance to be held accountable if their activities are not compatible with human rights law.
The document states that surveillance capabilities should be used with “precision” to mitigate “unintended, illegal or irresponsible consequences”.
Governments and industry suppliers should carry out due diligence assessments to ensure surveillance technology is used legally and responsibly, according to the Pall Mall document, and its use should be lawful, necessary and proportionate.
The supply of surveillance capabilities, it argues, should be conducted transparently so that users and suppliers understand the supply chains involved in providing commercial surveillance and spyware.
Digital rights groups excluded
Notably absent from the supporters were a number of countries alleged to have deployed commercial spyware, including Spain, Mexico, Serbia, Egypt and Jordan. Israel, the home to NSO Group and other spyware developers, also did not attend the conference.
Digital rights groups, including Amnesty International, Big Brother Watch, and others that have campaigned against and researched spyware, also did not feature among the list of attendees.
Visiting professor and privacy specialist Ian Brown commented on X: “This process is really missing out on a huge section of stakeholders: the digital rights groups who’ve been working closely on this issue for over a decade.”
France is due to hold a follow-up conference in 2024.