vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Google Publishes Report on Commercial Spyware Vendors

Hendrik Human, Cybersecurity Researcher. Published on 10th February 2024.

Google's Threat Analysis Group (TAG) has published a report on the widespread use of commercial spyware, commonly supplied by Europe-based startups for government surveillance campaigns. In one recent campaign, government-backed hackers used tools supplied by Variston, a Barcelona-based spyware vendor, to exploit 3 zero-day vulnerabilities in the iOS operating system.

As part of its research, Google TAG tracks roughly 40 commercial surveillance vendors (CSVs) that supply spyware to government entities. Among its findings, it claims that half of the known 0-day exploits in the Google and Android ecosystems can be traced back to CSVs.

One of the CSV startups identified by Google is the Barcelona-based startup Variston. While its public face is that of an Information Security Solutions developer, Google has found spyware developed by the company being used in exploits across various devices in 2022 and 2023.

Google now reports that it uncovered an incident in which iPhones in Indonesia were targeted with Variston’s spyware tools in March 2023, on behalf of an unknown government customer. The exploit chain involved sending an SMS containing a harmful link that covertly installs spyware on the victim’s device, then redirects them to an article on the website of local Indonesian news outlet Pikiran Rakyat.

In its report, Google asserts that Variston collaborates with several other organizations to develop and deliver spyware. One of those named by Google is Protected AE, which is also led by the founders of Variston: Ralf Wegener and Ramanan Jayaraman. The report also claims Variston has growing ties with BeaconRed, a subsidiary of the state-owned UAE defense company Edge Group.

Google warns that tools developed by CSVs are proliferating and evolving at an alarming rate. The TAG report states: “While the number of users targeted by spyware is small compared to other types of cyber threat activity, the follow-on effects are much broader.”

Tools from CSVs are already being used to target individuals like journalists, activists, and political dissenters, rather than to counter crime or terrorism. If the commercial spyware industry is allowed to grow, more and more governments may use such tools to encroach on individual freedoms and to oppress their populace.

About the Author

Hendrik is a writer at vpnMentor, specializing in VPN comparisons and user guides. With 5+ years of experience as a tech and cybersecurity writer, plus a background in corporate IT, he brings a variety of perspectives to test VPN services and analyze how they address the needs of different users.
