Google’s Threat Analysis Group (TAG) on Tuesday revealed that government hackers used zero-day vulnerabilities to target iPhone users, especially those considered “high-risk” users, such as journalists, human rights defenders, dissidents, and opposition party politicians.
On Tuesday, Google published “Buying Spying”, an in-depth report detailing Commercial Surveillance Vendors (CSVs). In the report, the search giant called on the U.S. and other governments to take stricter action against spyware sales and the misuse of surveillance tools.
“These capabilities have grown the demand for spyware technology, making way for a lucrative industry used to sell governments and nefarious actors the ability to exploit vulnerabilities in consumer devices,” the TAG report reads.
“Though the use of spyware typically only affects a small number of human targets at a time, its wider impact ripples across society by contributing to growing threats to free speech, the free press and the integrity of elections worldwide.”
Google’s TAG, the company’s team that examines nation-backed hacking, detailed in its report how it actively tracks around 40 CSVs of varying levels of sophistication and public exposure, which develop, sell, and deploy spyware.
It also sheds light on several government-led cyber campaigns that utilized hacking tools developed by spyware and exploit sellers, including Barcelona-based Variston, a surveillance and hacking technology start-up.
In one of the campaigns, according to Google, government operatives took advantage of three unidentified iPhone “zero-day” vulnerabilities, flaws that were unknown to Apple at the time, to exploit the Cupertino giant’s iPhone operating system. The spyware in question, developed by Variston, was analyzed twice by Google in 2022 and 2023, indicating the company’s increasing prominence in the surveillance technology sector.
Google said it discovered the unknown Variston customer using these zero-days to target iPhones in Indonesia in March 2023. The hackers delivered an SMS text message containing a malicious link that infected the target’s phone with spyware and then redirected the victim to a news article by the Indonesian newspaper Pikiran Rakyat. In this case, Google did not reveal the identity of Variston’s government customer.
The company specifically called out certain CSVs, including Israeli firm NSO, which developed the notorious Pegasus spyware that went on to become a global threat to human rights and human rights defenders. Other companies named in the report that develop spyware include Italian firms Cy4Gate and RCS Labs, Greek company Intellexa, and the relatively newer Italian company Negg Group and Spain’s Variston.
“We hope this report will serve as a call to action. As long as there is a demand from governments to buy commercial surveillance technology, CSVs will continue to develop and sell spyware,” the TAG report says.
“We believe it is time for government, industry and civil society to come together to change the incentive structure which has allowed these technologies to spread so widely,” the group added.