Google: Most 0-Day Vulnerabilities Linked to Commercial Spyware Vendors

Google Reports: 80% of 0-Day Vulnerabilities in 2023 Linked to Commercial Spyware Vendors

According to Google, 80% of the zero-day vulnerabilities that the Google Threat Analysis Group (TAG) found being exploited in the wild in 2023 were attributed to commercial spyware vendors. These vulnerabilities were used to compromise devices and surveil their owners worldwide.

TAG tracks the activities of around 40 commercial spyware vendors in order to detect exploitation attempts, protect users of Google products, and help secure the broader ecosystem by notifying affected vendors and platforms about the issues it discovers.

Who Are the Targets?

Typically, spyware vendors use zero-day vulnerabilities to attack journalists, activists, and political figures on behalf of their clients, which include governments and private organizations.

Key Findings from Google’s Monitoring

  • Over the past ten years, Google found that 35 of the 72 known in-the-wild zero-day exploits affecting its products could be attributed to commercial spyware vendors.
  • Google notes this is a conservative estimate, as it counts only known zero-day exploits. The real figure is likely higher because of exploits that were never discovered, exploits whose authorship remains unknown, and cases where a vulnerability was patched before its exploitation was detected.

Notable Commercial Spyware Vendors

Google’s report highlights several well-known commercial spyware vendors, including:

  • Cy4Gate and RCS Lab: Italian firms known for the Epeius and Hermit spyware for Android and iOS. Cy4Gate acquired RCS Lab in 2022, but both continue to operate independently.
  • Intellexa: An alliance of companies led by Tal Dilian since 2019, developing spyware such as Predator (by Cytrox) and WiSpear Wi-Fi tools, offering integrated surveillance solutions.
  • Negg Group: An Italian company founded in 2013, known for Skygofree and VBiss spyware targeting mobile devices using exploit chains.
  • NSO Group: An Israeli company famous for its Pegasus spyware and other advanced surveillance tools, continuing operations despite numerous sanctions and legal challenges.
  • Variston: A Spanish company offering custom security solutions, working with zero-day exploit brokers and linked to the Heliconia exploitation framework as well as to exploit development work in the UAE.

How Spyware Vendors Operate

These companies sell licenses for their products for millions of dollars, enabling clients to infect Android or iOS devices using 1-click and zero-click exploit chains built on previously unknown vulnerabilities. Some exploit chains also use n-day vulnerabilities: known bugs for which a patch already exists, but which remain exploitable because of delays in distributing and installing that patch.

Google states that commercial spyware vendors have become highly aggressive in their pursuit of zero-day vulnerabilities, developing at least 33 zero-day exploits between 2019 and 2023.

Statistics and Impact

The appendix to Google's report lists 74 zero-day bugs used by 11 commercial spyware vendors. Most of these affect Google Chrome (24) and Android (20), followed by Apple iOS (16) and Windows (6); the remainder affect other products.

The report also notes that when researchers discover and fix such vulnerabilities, spyware makers suffer significant operational and financial losses and are forced to find alternative infection methods.

“Every time Google and other researchers discover and report new vulnerabilities, it creates challenges for commercial spyware vendors and increases their development costs,” Google says. “When we find and patch vulnerabilities used in exploit chains, it not only protects users but also disrupts these companies’ ability to fulfill client obligations, reducing their profits and increasing their operational expenses.”

Ongoing Challenges and Google’s Call to Action

However, experts warn that these efforts are not enough to stop the spread of spyware, as demand for these tools remains high and contracts are too lucrative for developers to simply walk away.

Google urges more active measures against the spyware industry, including increased cooperation between governments, strict regulations on surveillance technology use, and diplomatic actions against countries hosting non-compliant vendors.
