NetworkTigers discusses the rising threat of commercial spyware.
Over the last few years, amidst the headlines regarding data breaches and ransomware attacks, commercial spyware has become a concerning threat not just for individuals in government positions, journalism, or activism but for average citizens, politically active teachers, and even their children and relatives.
Unlike ransomware or other criminal malware, commercial spyware is built by legally registered, profit-driven companies. It is sold openly, generally to government agencies and law enforcement, and is designed for covert surveillance and data collection.
How does commercial spyware spread?
The aim of effective spyware is to be installed on a targeted device without the user knowing and then to remain undetected while it does anything from stealing text messages and location data to eavesdropping on phone calls. To that end, attackers armed with commercial spyware take advantage of exploits and bugs, ideally zero-click ones that don't require the user to tap anything, to infect victims silently.
Furthermore, most commercial spyware tries to cover its tracks by deleting the logs and files that would betray its presence, making it very difficult for even suspicious individuals to know if they are being watched. In practice, traces often survive in system logs and device backups, which is how forensic analyses of Pegasus and Predator infections have been confirmed.
Noteworthy commercial spyware types
Pegasus
Developed by Israeli cyber-arms company NSO Group, Pegasus has become one of the most infamous cyber-espionage tools, notorious for its sophistication and its ability to infect iOS and Android devices using zero-click exploits built on zero-day vulnerabilities. Pegasus is marketed as a tool for fighting crime and stopping terrorist attacks, but governments have been more than happy to use it against their own citizens, journalists, those deemed dissidents, political opponents, and activists.
One of Pegasus's former entry routes used Apple iMessage to deliver a malicious PDF disguised as a GIF, which the device's image-parsing code opened without any user interaction (the chain Citizen Lab named FORCEDENTRY, patched by Apple in iOS 14.8 in September 2021). While Apple closed that hole, NSO Group quickly moved Pegasus to a different attack chain, showing how quickly these vendors adapt to obstacles.
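The disguise described above works because the receiving software decides how to parse an attachment from its content, not from its name. A simple triage heuristic for a mailbox or message-attachment archive is therefore to compare each file's extension with its magic bytes and flag disagreements. The following is an added illustration, not code from NetworkTigers, NSO Group, or any of the research groups mentioned; the sample files are constructed inline, the "exploit" among them is just a harmless PDF header carrying a .gif name, and the signature table holds commonly documented values. It is a detection aid for analysts, not a defense against the underlying parser bug.

```python
"""Flag attachments whose extension disagrees with their magic bytes.

Added example (not the page's or any vendor's code). Models the
PDF-named-as-GIF trick: a parser that sniffs content will treat
"funny.gif" as a PDF no matter what the name says.
"""
import os
from typing import Dict, List, Optional

# Leading-byte signatures keyed by canonical type (assumed, widely documented values).
MAGIC: Dict[str, tuple] = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Which sniffed types are acceptable for a given file extension.
EXT_TO_TYPES: Dict[str, set] = {
    ".gif": {"gif"},
    ".pdf": {"pdf"},
    ".png": {"png"},
    ".jpg": {"jpeg"},
    ".jpeg": {"jpeg"},
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None if unknown."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def check_attachment(name: str, data: bytes) -> Dict[str, Optional[str]]:
    """Compare the claimed type (extension) with the sniffed type and return a verdict."""
    ext = os.path.splitext(name)[1].lower()
    sniffed = sniff_type(data)
    expected = EXT_TO_TYPES.get(ext)
    if expected is None:
        verdict = "unknown-extension"   # nothing to compare against
    elif sniffed is None:
        verdict = "unknown-content"     # extension known, bytes unrecognised
    elif sniffed in expected:
        verdict = "ok"
    else:
        verdict = "mismatch"            # the interesting case
    return {"name": name, "ext": ext, "sniffed": sniffed, "verdict": verdict}


def scan(attachments: Dict[str, bytes]) -> List[Dict[str, Optional[str]]]:
    return [check_attachment(name, data) for name, data in attachments.items()]


def suspicious(attachments: Dict[str, bytes]) -> List[str]:
    """Names of attachments whose extension lies about their content."""
    return [r["name"] for r in scan(attachments) if r["verdict"] == "mismatch"]


# Constructed sample attachments; "funny.gif" is a PDF header wearing a GIF name.
SAMPLES: Dict[str, bytes] = {
    "photo.gif": b"GIF89a" + b"\x00" * 16,
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "funny.gif": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for result in scan(SAMPLES):
        print(f'{result["name"]:12} sniffed={str(result["sniffed"]):5} verdict={result["verdict"]}')
```

On real data, run this over extracted attachments from a device backup or mail store and review every "mismatch" by hand; a .gif whose bytes begin with %PDF- is exactly what the FORCEDENTRY samples looked like, but legitimate software also mislabels files, so the check prioritises, it does not convict.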
Pegasus can read text messages, steal passwords, activate a device’s microphone and camera, and track the location of an infected device, making it an enticing tool for authoritarian governments keen on intimidating or silencing controversial individuals.
The U.S. is not an innocent bystander in the world of spyware. Pegasus was pitched to the San Diego Police Department in 2016 but declined because of its high cost. In 2019 the FBI bought a Pegasus license, tested it, and considered using it in domestic investigations. However, reporting on Pegasus attacks against journalists and politicians appears to have led the FBI to decide against deploying it operationally.
In March of 2023, President Joe Biden issued an executive order banning the “operational use by the United States Government of commercial spyware that poses risks to national security or has been misused by foreign actors to enable human rights abuses around the world.”
Alien and Predator
Developed by Cytrox, a company based in North Macedonia, Alien and Predator work in tandem to compromise Android and iOS devices, with the documented Android chains exploiting flaws in Google Chrome and the Android operating system itself.
Alien performs the initial intrusion into the target device, paving the way for Predator which is the component designed for surveillance. Alien also functions as an updater for Predator.
Predator spreads via messages that contain malicious links. When a link is tapped, it sends the victim to a site where browser vulnerabilities are exploited to install the spyware. The victim is then promptly redirected to a genuine website so that nothing appears to have happened.
DevilsTongue and Sherlock
Another commercial spyware offering from Israel, DevilsTongue, was developed by a company called Candiru that sells its products to intelligence organizations. Since many spyware vendors operate under a succession of names to stay clear of legal trouble or scrutiny, the developer may be trading under a different name by now.
Candiru shuns the spotlight, unlike NSO Group. Its employees are legally forbidden from speaking about their work and the company has no website.
Candiru’s DevilsTongue has been reported to target Windows, macOS, iOS, and Android systems through several vectors, from exploiting zero-day flaws to social engineering that tricks victims into clicking malicious links.
For an additional cost of millions of dollars, buyers can purchase an add-on for DevilsTongue called Sherlock, which offers access to more systems and devices.
What is being done about the prevalence of commercial spyware?
The use of commercial spyware in international politics and instances of civil unrest has increased attention to the vendors that create it and the countries in which they freely operate.
According to an investigation by the Organized Crime and Corruption Reporting Project (OCCRP), conflicts between the Mexican government and a powerful teachers union may have seen dozens of teachers infected with Pegasus spyware.
Similar instances in El Salvador, Jordan, and other countries have highlighted the implications of such practical surveillance tools.
The world has taken notice, with many advocating for greater regulation of spyware. Google researchers within the company’s Threat Analysis Group have reported tracking 40 commercial spyware vendors in an amorphous and fluid environment where companies rebrand, reshape themselves, or incorporate others regularly. This strategy is standard for criminal activity clusters such as ransomware gangs or dark web marketplaces.
Threat Analysis Group also made a sobering statement about the power of commercial spyware offerings, saying, “If governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over.”
While Biden’s executive order and the Department of State’s announcement of sanctions on those associated with spyware vendors and the allocation of funds to “engage in advocacy and research” around spyware deployment signal a desire to counter the “misuse” of it, it’s hard to take at face value efforts to smother the development and application of software that U.S. law enforcement has actually purchased.
It’s also worth considering how the Department of State defines a “misuse” of commercial spyware, given that the use of it at all is the heart of the controversy. That raises the question of what a proper use would be, considering that it is marketed directly to government entities to spy on private individuals.
With much of today’s power and influence coming in the form of information, it seems unlikely that the market for advanced espionage tools will show any signs of slowing down whether the entities within it have regard for human rights or not. Equally improbable is the ability of government regulators to outpace the innovation and evasion of private enterprise.
It would seem that, at least in the short term, commercial spyware will remain an arrow in the quiver of government and law enforcement agencies and a thorn in the side of human rights advocates.
About NetworkTigers
NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.