Global Alliance and Tech Titans Join Forces Against Commercial Spyware Misuse

February 7, 2024

In a move to curb human rights abuses through the misuse of commercial spyware, a coalition of countries, including the U.S., U.K., and France, along with tech giants like Google, Meta, Microsoft, and MDSec, have signed a joint agreement. This initiative, known as the Pall Mall Process, seeks to tackle the uncontrolled spread and irresponsible use of commercial cyber intrusion tools by creating guiding principles and policy options for States, industry, and civil society. The declaration highlights the risks posed by the uncontrolled distribution of spyware to cyber stability, human rights, national security, and digital security.

The U.K. government stated in a press release that malicious use of these tools can allow attackers to access victims' devices, listen to calls, obtain photos, and remotely operate a camera and microphone via 'zero-click' spyware, which requires no user interaction. The National Cyber Security Centre (NCSC) estimates that thousands of individuals are targeted globally by spyware campaigns each year. Deputy Prime Minister Oliver Dowden warned that as the commercial market for these tools grows, so too will the number and severity of cyber attacks.

Notably, Israel, home to several private sector offensive actors (PSOAs) or commercial surveillance vendors (CSVs) such as Candiru, Intellexa, NSO Group, and QuaDream, did not participate in the event. Hungary, Mexico, Spain, and Thailand, which have been linked to past spyware abuses, also did not sign the pledge. This joint action coincides with the U.S. Department of State's announcement to deny visas for individuals involved with the misuse of dangerous spyware technology.

Spyware like Chrysaor and Pegasus are licensed to government customers for use in law enforcement and counterterrorism. However, they have also been routinely misused by oppressive regimes to target journalists, activists, lawyers, human rights defenders, dissidents, political opponents, and other civil society members. Such intrusions typically use zero-click (or one-click) exploits to secretly deliver the surveillanceware onto the targets' Google Android and Apple iOS devices with the intention of harvesting sensitive information.

Google's Threat Analysis Group (TAG) stated that as long as there is a demand for surveillance capabilities, there will be incentives for CSVs to continue developing and selling tools, perpetuating an industry that harms high-risk users and society at large. TAG revealed in a report this week that it is tracking about 40 commercial spyware companies that sell their products to government agencies, with 11 of them linked to the exploitation of 74 zero-days. Unknown state-sponsored actors exploited three flaws in iOS (CVE-2023-28205, CVE-2023-28206, and CVE-2023-32409) as a zero-day last year to infect victims with spyware developed by Barcelona-based Variston. These flaws were patched by Apple in April and May 2023.

Related News

• Qualcomm Reports Active Exploitation of Zero-Day Vulnerabilities in GPU, DSP Drivers
• Apple Rolls Out Urgent Security Update to Address Active Zero-Day Exploits
• Apple Patches Zero-Days Exploited to Deploy Triangulation Spyware via iMessage
• CISA Directs Government Agencies to Address iPhone Vulnerabilities Exploited in Attacks
• Apple Patches Three Actively Exploited Zero-Day Vulnerabilities

Latest News

• Chinese State Actors Deploy 'Coathanger' Malware Targeting FortiGate Devices
• Fortinet Uncovers New Unpatched Patch Bypasses in FortiSIEM
• Google Addresses Critical Remote Code Execution Vulnerability in Android
• Critical Authentication Bypass Vulnerability in TeamCity On-Premises Servers
• Widespread Exploitation of Ivanti SSRF Zero-Day Vulnerability Observed