Google Threat Analysis Group’s Spyware Research: How CSVs Target Devices and Applications

A new publication from Google’s Threat Analysis Group (TAG) focuses on commercial surveillance vendors (CSVs), whose services are bought by governments for monitoring or spying. Google is currently tracking more than 40 CSVs, most of which are highly technical and able to develop both spyware and the zero-day exploits needed to compromise their targets, particularly Android and iOS devices.
Read details about what CSVs target, how spyware is used, CSVs’ harmful impact on individuals and society and how businesses can mitigate these cybersecurity threats.
Commercial surveillance vendors are companies that sell complete surveillance services to government customers. These services include the spyware itself and the command-and-control infrastructure needed to communicate with it once it is running on compromised devices. The spyware provides backdoor access to the device and allows monitoring and data theft.
According to Google’s Threat Analysis Group, CSVs operate openly: they have websites, marketing content, sales and engineering teams and press relations, and some even attend conferences. Google says the total number of CSVs worldwide is impossible to count, not least because CSVs may change their names several times to avoid public scrutiny, often in response to exposure or legal action against them.
NSO Group, one of the biggest CSVs and the subject of public reporting since 2015, is still visible and active, despite having been added to the U.S. Entity List for malicious cyber activities and despite lawsuits brought by technology companies including Facebook and Apple.
CSV targeting differs from traditional cyberespionage operations (i.e., advanced persistent threats) in that commercial surveillance vendors target individuals, not entire networks. This makes the service very valuable to anyone who wants to monitor or spy on specific people, who are generally dissidents, journalists, human-rights defenders or opposition politicians. Google has written about such targeting before; for example, in 2022, five zero-day exploits affecting Android users were used by at least eight governments, including against political candidates.
Spyware is malicious software installed on a device without the owner’s knowledge; it collects the user’s data and sends it back to the controller (i.e., the CSV’s customer). CSVs mostly develop spyware for mobile devices because their customers primarily want SMS and instant messages, emails, location data, phone calls and even audio or video recordings.
To achieve the initial compromise of a device, whether a computer or a smartphone, spyware commonly exploits software vulnerabilities. This initial phase may require user interaction: a one-click exploit needs the target to do something such as click a link or open a file. Even more valuable are zero-click exploits, which require no user interaction at all and can silently drop spyware on the target’s device.
In addition, several CSVs show very deep technical expertise and have the capability to use zero-day vulnerabilities to infect devices. If the zero-day is discovered and patched by a vendor, the CSV provides a new one to its customer.
Since CSV spyware mostly targets mobile phones, the vulnerabilities CSVs exploit are mostly in Android or iOS or in software running on them. According to Google, CSVs are behind half of the known zero-day exploits targeting Google products such as Chrome and the Android ecosystem.
From mid-2014 through 2023, Google’s security researchers discovered 72 zero-day exploits used in the wild; 35 of these have been attributed to CSVs. That figure is a lower bound, since some exploits are probably still undiscovered and others cannot be attributed.
Google’s Threat Analysis Group has observed an acceleration in the discovery of zero-day exploits, including those attributed to CSVs. From 2019 to 2023, 53 zero-day exploits were discovered, and 33 of them were attributed to CSVs.
The price tags for CSV services can run into the millions. In 2022, for instance, Amnesty International exposed a leaked commercial proposal from the CSV Intellexa that had surfaced on the XSS.is cybercrime forum. The proposal offered the full service for one year, with Android and iOS support, 10 simultaneously infected devices and more, for €8 million (Figure A).
Additional services can be bought on top. In the case of the Predator spyware, for example, adding persistence costs €3 million more than the base offer. Persistence keeps the spyware on the phone even after it is shut down and restarted; without it, a reboot removes the implant.
By contrast, traditional cyberespionage operations generally steal data from networks or computers and less often from mobile phones.
Here are two examples from the Google report of harm caused by CSVs:
Maria Luisa Aguilar Rodriguez, an international advocacy officer, and Santiago Aguirre, director of the Mexico City-based human rights organization Centro PRODH, both targeted by a CSV customer, recall that falling victim to such an attack was “terrifying.” Aguirre heard his own voice on local radio news, edited to make it sound as if he were in league with the local cartels. All of the audio had been stolen from his mobile phone and spliced together from different calls.
Galina Timchenko, co-founder and chief executive officer of the exiled Russian media outlet Meduza, was targeted by a CSV around February 2023. She wrote that “for weeks they had full access to my correspondence, so they could see my close circle. I was afraid for them. I was afraid for my friends, my colleagues and Meduza’s partners.” She then realized that several reporters who had been hacked with the Pegasus spyware had been killed, adding fear for her own safety to her fear for her friends and contacts.
In addition, the use of spyware might also affect society at large. When targeting political candidates, “it threatens a society’s ability to hold free and fair elections,” wrote Google’s Threat Analysis Group.
Vulnerability researchers help protect against CSVs by reporting vulnerabilities to software vendors so that zero-days get patched, yet the time from initial report to patch release can be weeks or months. Every zero-day that is patched not only protects users and companies but also prevents CSVs from fulfilling their agreements with customers and from being paid, and it raises the cost of their operations.
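The flip side of that window for defenders is that a device running behind the vendor’s patch level stays exposed to exploits that have already been burned and fixed. The script below is an added example, not code from Google TAG’s report or from this article: it flags Android devices whose security patch level is missing, malformed or older than a chosen threshold. It assumes the patch level was collected from each device with `adb shell getprop ro.build.version.security_patch` (a real Android system property, formatted YYYY-MM-DD); the device records in the block are constructed sample data, and the device labels and the 60-day threshold are arbitrary choices.

```python
"""Flag Android devices whose security patch level is stale.

Added illustration, not code from Google TAG or TechRepublic. Assumes each
record holds the raw output of
    adb shell getprop ro.build.version.security_patch
which is a YYYY-MM-DD string on a normally configured device.
"""
from datetime import date, timedelta

# Constructed sample inventory: (device label, raw getprop output).
SAMPLE_INVENTORY = [
    ("pixel-7-ops", "2024-02-05"),
    ("galaxy-s21-sales", "2023-09-01"),
    ("tablet-lobby", ""),              # property missing: treat as non-compliant
    ("oneplus-legal", "2024-01-05"),
    ("broken-record", "not-a-date"),   # malformed: treat as non-compliant
]


def parse_patch_level(raw: str):
    """Return a date for a well-formed YYYY-MM-DD patch level, else None."""
    try:
        return date.fromisoformat(raw.strip())
    except ValueError:
        return None


def stale_devices(inventory, today, max_age_days=60):
    """Return [(label, reason)] for devices that need attention.

    A device is flagged when its patch level is missing or unparseable, or
    when it is older than max_age_days relative to `today`. Passing `today`
    explicitly keeps the result deterministic for reports and tests.
    """
    flagged = []
    cutoff = today - timedelta(days=max_age_days)
    for label, raw in inventory:
        patch = parse_patch_level(raw)
        if patch is None:
            flagged.append((label, "no valid security patch level reported"))
        elif patch < cutoff:
            age = (today - patch).days
            flagged.append((label, f"patch level {patch} is {age} days old"))
    return flagged


if __name__ == "__main__":
    # Fixed reference date so the sample output is reproducible.
    for label, reason in stale_devices(SAMPLE_INVENTORY, date(2024, 2, 20)):
        print(f"{label}: {reason}")
```

Treating a missing or unparseable value as non-compliant is deliberate: a device that cannot report a patch level is exactly the kind of outlier (custom ROM, unsupported model, tampered build) that should be examined rather than silently passed.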
Here are the steps companies should take to reduce the risk of this security threat:
Editor’s note: TechRepublic contacted Google for additional information about this spyware research. If we receive those details, this article will be updated with that information.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.