Google has published a report that sheds light on the activities of spyware vendors, who are responsible for a large share of zero-day exploits in the wild. The report, which is based on the analysis of 11 zero-day vulnerabilities discovered by Google’s Project Zero team in 2020, shows that spyware vendors are exploiting these flaws to target specific individuals and organizations, often violating human rights and privacy.
According to the report, spyware vendors accounted for 50% of the zero-day exploits detected by Project Zero in 2020, up from 25% in 2019. Spyware vendors are companies that sell software or services that can secretly monitor, track, or manipulate the devices or data of their targets. These vendors typically sell their products to governments, law enforcement agencies, or corporations, who use them for various purposes, such as surveillance, espionage, or sabotage.
The report reveals that spyware vendors are exploiting zero-day vulnerabilities, which are flaws in software or hardware that are unknown to the developers or the public, and thus have no patches or fixes available. These vulnerabilities can give attackers full access to the devices or networks of their targets, and can compromise their security and privacy.
The report also shows that spyware vendors are exploiting zero-day vulnerabilities in a targeted and stealthy manner, often using phishing or watering hole attacks to deliver their malicious payloads. These attacks involve sending deceptive emails or links to the targets, or compromising legitimate websites that the targets visit, and then installing the spyware on their devices.
Spyware vendors pose a threat to human rights and cybersecurity
The report warns that spyware vendors pose a serious threat to human rights and cybersecurity, as they often operate in a legal gray area, with little or no oversight or accountability. The report cites several examples of spyware vendors that have been involved in human rights abuses, such as NSO Group, FinFisher, and Hacking Team, who have been accused of selling their products to authoritarian regimes or oppressive governments, who use them to spy on dissidents, journalists, activists, or opposition leaders.
The report also highlights the risks that spyware vendors pose to cybersecurity, as they create a market for zero-day vulnerabilities, and incentivize hackers to find and sell them, rather than report them to the developers or the public. This increases the likelihood of these vulnerabilities being exploited by malicious actors, such as cybercriminals or nation-state hackers, who can use them for more widespread or destructive attacks.
The report calls for more transparency and regulation of the spyware industry, and urges the developers and the users of software and hardware to adopt best practices to protect themselves from zero-day exploits, such as updating their systems regularly, enabling multi-factor authentication, and using antivirus software.