Security flaws are often spotted and patched with software updates before they ever cause an issue. However, some security flaws are actively exploited by bad actors before they are caught, and these are called zero-day vulnerabilities. Many of the biggest tech companies have suffered zero-days in the last year. Now, a report from Google’s Threat Analysis Group (TAG) shows that more than 60 zero-days affecting five of those companies have come from commercial spyware vendors. These spyware companies often pay hackers for working exploits, and then sell them to others for greater sums.
There are many commercial spyware companies out in the wild. However, Google’s TAG tracks about 40 of them. Although the company did not name all of these spyware sellers, it did name the following 11 vendors: Candiru, Cy4Gate, DSIRF, Intellexa, Negg, NSO Group, PARS Defense, QuaDream, RCS Lab, Variston, and Wintego Systems.
To grasp how large a share of zero-day vulnerabilities commercial spyware companies account for, look at these numbers. Google says that there were 25 zero-days known to have been actively exploited in 2023. Of that number, 20 (or 80%) originated from spyware sellers. Dating back to 2016, Google’s TAG says that more than 60 zero-days affecting Apple, Adobe, Google, Microsoft, and Mozilla were caused by spyware vendors.
Plus, it’s important to remember that these numbers only represent the attacks we know of. They don’t include the ones we aren’t aware of yet, or the ones that these vendors might have exploited if the flaws hadn’t been patched first. Put simply, a small number of spyware companies are responsible for most of the actively exploited zero-days Google tracks. Google has connected a few specific zero-day flaws to spyware companies. For example, three vulnerabilities in Chrome were linked to Intellexa.
Why Google’s zero-day spyware discoveries matter
To say that these spyware vendors exist in murky legal waters would be an understatement. A lot of them claim that they act within the law. In fact, many claim to be working with law enforcement to help with legal monitoring. However, this isn’t the entire truth. Some of these spyware companies have been caught working with governments that spy on political opponents for personal gain. Targets have included government workers, journalists, and protestors.
Google’s work at the Threat Analysis Group is important because we often don’t learn a lot about zero-day attacks. Since they are actively being exploited, companies put out as little information as possible about them to limit their damage. The information that does get released usually comes many months later. Now, we know that a lot of these zero-days come from a select few companies.