Spyware vendors behind 75% of zero-days targeting Google

Google observed 97 zero-day vulnerabilities exploited in the wild last year, which was more than a 50% increase over the 62 exploited zero-day vulnerabilities tracked in 2022.


Commercial spyware vendors made a major impact on the threat landscape in 2023. A new Google report found that such entities were behind 75% of known zero-day exploits targeting Google products and Android devices last year.

This finding came from a report titled "We're All in this Together: A Year in Review of Zero-Days Exploited In-the-Wild in 2023," published Wednesday by Google's Threat Analysis Group (TAG) and Mandiant. The report covers findings and observations made by Google researchers related to zero-day vulnerabilities and exploits in 2023.

Google observed 97 zero-day vulnerabilities exploited in the wild last year, a steep increase from the 62 exploited in 2022 but fewer than the 106 seen in 2021. Maddie Stone, Google TAG security engineer and co-author of the report, told TechTarget Editorial the totals are influenced by both positive and negative security factors.

"In 2023, we saw these attackers were forced to switch back to zero-days. We also saw both researchers and vendors discovering and disclosing in-the-wild zero-days more quickly and often, further increasing the volume in 2023," she said. "However, we saw a wider variety of products being targeted in 2023, especially in the enterprise space. This is good for security because attackers have to use more zero-day exploits to achieve their goals but also increases the attack surface of victims as more vendors and technologies are now at risk of exploitation than ever before."

One of the more notable points of the report involved commercial surveillance vendors (CSVs), which are companies that sell spyware to entities such as governments; well-known examples of these include NSO Group, Intellexa and Cy4Gate. Although Google put the spotlight on commercial spyware vendors in another Google TAG report last month, Tuesday's research provides additional context regarding their activity.

According to the report, 75% of all known zero-day exploits targeting Google products and the Android ecosystem (13 out of 17) and 55% of all iOS and Safari zero-days (11 out of 20) came from CSVs. Meanwhile, of the 37 zero-day flaws Google tracked affecting browsers and mobile devices, over 60% were attributed to spyware vendors.

"The commercial surveillance industry has emerged to fill a lucrative market niche: selling cutting edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications to surreptitiously install spyware on individuals' devices," the report read. "By doing so, CSVs are enabling the proliferation of dangerous hacking tools."

Asked whether CSVs should be viewed as legitimate commercial enterprises or as threat actors, Stone said the latter.

"CSVs offer turn-key espionage solutions, bundling an exploit chain designed to get past security measures with the spyware and necessary infrastructure," she said. "CSVs are enabling the proliferation of dangerous hacking tools and the harm these tools have caused has been well-documented. As threat actors, CSVs pose a threat to Google users, as more than half of the known in-the-wild zero-days targeting Google products in 2023 can be attributed to CSVs."

As for other threat actors, Google said Chinese nation-state cyberespionage groups were behind the exploitation of 12 zero-days in 2023, up from nine zero-days the previous year. Financially motivated threat actors, meanwhile, were responsible for 10 zero-day exploitations in 2023, which marked a slight decrease from the year before.

Additional risks and silver linings

Google called vulnerabilities in third-party components and libraries a "prime attack surface" last year, noting a year-over-year increase in exploitation. "Vulnerabilities in third-party components tend to be higher value and more useful than vulnerabilities in the product's first party code because they can affect more than just one product," the report read.

For example, Google assessed with high confidence that a Chrome bug tracked as CVE-2023-4863 and an Apple ImageIO flaw tracked as CVE-2023-41064 "are actually the same bug" that affected Android and Firefox. Similarly, a buffer overflow flaw in the video codec library Libvpx, tracked as CVE-2023-5217, impacted Android, Chrome, Firefox and iOS.

James Sadowski, Mandiant principal analyst at Google Cloud, said the rise in third-party component bugs was informed in part by browsers fortifying their first-party code over the past two years.

"In 2022 and 2023, we saw the major browsers releasing additional exploit mitigations and defenses. This makes looking at third-party code, rather than the browser's first-party code, more appealing," Sadowski said. "Also, finding a bug in a third-party component can mean that a single exploit can work on multiple browsers."

On a positive note, vendor mitigations are making a difference, according to Google. The tech giant noted enhancements such as iOS's Lockdown Mode as well as Chrome and Safari's new JavaScript-focused mitigations.

"Vendor investments in exploit mitigations are having a clear impact on the types of bugs attackers are able to exploit in-the-wild," the report read. "Notable advancements include Google's MiraclePtr preventing exploitation of use-after-free vulnerabilities in Chrome and Apple introducing Lockdown mode for iOS, which successfully prevents exploitation of many exploit chains used in-the-wild."

Google researchers were also optimistic about Arm's Memory Tagging Extension for its CPUs, which debuted in October with the release of Google's Pixel 8 mobile handset. The report noted that such features and investments are particularly beneficial to "high-risk users" who might be targeted by spyware vendors and nation-state cyberespionage groups.

"This demonstrates how these investments are making a real impact on the safety of users and forcing attackers to spend the time to research new attack surfaces and find new bug patterns," the report read. "We hope to see the continued investment as well as other products and vendors following this lead as well."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
