



Spyware is typically used to monitor and collect data on high-risk users such as journalists, human rights activists, dissidents, and opposition politicians. These capabilities have increased demand for spyware technology and paved the way for a lucrative industry that sells governments and nefarious actors the ability to exploit vulnerabilities in consumer devices. Although the use of spyware typically affects only a few people at a time, its effects spread throughout society by contributing to growing threats to free speech, freedom of the press, and election integrity around the world.

To shed light on the spyware industry, Google Threat Analysis Group (TAG) today releases “Buying Spying,” an in-depth report containing insights on commercial surveillance vendors (CSVs). TAG is actively tracking approximately 40 CSVs of varying levels of sophistication and exposure. This report outlines our understanding of who is involved in developing, selling, and deploying spyware, how CSVs work, the types of products they develop and sell, and our analysis of recent activity.

Key Findings

While the most prominent CSVs capture the public's attention and make headlines, there are many others that receive less attention but play an important role in the development of spyware.

The spread of spyware by CSVs has real-world consequences. In partnership with Google's Jigsaw division, we focused on the stories of three high-risk users, who testify to the fear they felt when these tools were used against them, the chilling effect on their professional relationships, and their determination to continue doing important work.

Gone are the days of claiming a monopoly on cutting-edge cyber capabilities. Today, the private sector is responsible for most of the most advanced detection tools we use.

CSVs pose a threat to Google users, and Google is fully committed to stopping that threat and keeping users safe. CSVs are behind half of the known zero-day exploits targeting Google products and Android ecosystem devices.

Zero-day and spyware supply chain business

Private companies have been involved in discovering and selling exploits for years, but turnkey spying solutions are on the rise. CSVs offer paid tools that bundle exploit chains designed to bypass security measures, along with spyware and the infrastructure needed to collect data from targeted users. Four major groups find it beneficial to work together, further fueling the industry.

Vulnerability researchers and exploit developers: Although some vulnerability researchers choose to monetize their work by improving the security of products (contributing to bug bounty programs), others use that knowledge to develop exploits and sell them to brokers or directly.

Exploit brokers and suppliers: Individuals or companies located around the world who specialize in selling exploits to customers (but not always governments).

Commercial Surveillance Vendors (CSVs) or Private Sector Offensive Actors (PSOAs): Businesses focused on the development and sale of spyware as a product, including initial delivery mechanisms, exploits, command and control (C2) infrastructure, and tools for organizing collected data.

Government customers: Governments that purchase spyware from CSVs, select specific targets, carry out the campaigns that deliver the spyware, and then monitor the spyware implants to collect and receive data from targeted devices.

International efforts to combat spyware

Community efforts to raise awareness are building momentum for an international policy response. Today, we joined representatives from industry, government and civil society at the conference “The Pall Mall Process: Tackling the proliferation and irresponsible use of commercial cyber intrusion capabilities”. The event is jointly sponsored by the French and UK governments and aims to build consensus and make progress towards limiting the damage caused by this industry. These efforts build on previous government actions, including steps the U.S. government took last year to limit government use of spyware and a joint statement by 11 governments pledging similar efforts. We hope that these initial steps will be followed by more concrete actions by the broader community of nations to reform the industry and shed further light on human rights abuses.

Disrupting the spyware ecosystem to protect users

CSVs proliferate hacking and spyware capabilities, making the Internet less secure for everyone. To counter this, we discover and patch vulnerabilities used by CSVs, share intelligence strategies and fixes with our industry peers, and release information to the public about the operations we disrupt. Since November 2010, we have used the Vulnerability Rewards Program (VRP) to recognize the contributions of security researchers who invest their time and skills in securing digital ecosystems. Additionally, Google offers a variety of tools to protect high-risk users from online threats. While these measures will help protect users and the Internet as a whole, meaningfully shrinking this market will require collective action and a concerted international effort.

We hope that our detailed analysis and recommended solutions on CSVs will support the recent momentum towards global action.

Special thanks to Aurora Blum of TAG for her contribution to this report.

