Google on Tuesday released a report on government spying on iPhones. The company points out that in one of the cases, countries used spyware provided by Variston to exploit three zero-day flaws. According to Google, private companies are currently the owners of the main spying tools on the market.
Google doesn’t reveal all the countries that carried out the spying, not least because it’s possible for an agency to hide its tracks. However, the report points to some targets. For example, in 2023, a nation used Variston’s spyware to hack into iPhones in Indonesia. And, of course, these cases can involve internal espionage, usually related to a government with more autocratic tendencies.
In the summary article, Google points out that commercial spyware vendors are a risk to users of its services. However, this statement by Google ignores that these companies are a risk for everyone, even more so for opponents of governments.
While a country relies on budgets and time to develop spyware, buying or subscribing to ready-made software is much cheaper — basically a SaaP: Spyware as a Product. Even in a dictatorship, which can ignore budget laws, the combination of spending and time to finalize such a program or find a vulnerability may not pay off.
In this race, commercial surveillance vendors (CSVs) are creating highly practical tools. As Google itself explains, the spyware hands over the treasure map. The program runs, hunts for zero-day flaws and even delivers the features to organize the collected data.
In its report, Google explains that these spyware companies even enter into partnerships. For example, Protected AE of the United Arab Emirates uses the infrastructure of the program from Variston, which is based in Spain, combined with its own spyware to sell to other countries.
Google says that the main targets of these programs are opponents of governments, such as journalists, activists, politicians, and dissidents (who live in other countries). Companies sell their spyware for use in anti-terrorism actions. But that’s the thing: the buyer does what he wants after he pays for the product.
Google lists some countries that have used the program developed by the CSV Intellexa: Armenia, Ivory Coast, Egypt, Spain, Greece, Indonesia and Serbia. In the case of Egypt, Google (and even Meta) reported in 2023 that the country used the spyware to spy on an opposition politician who intended to run for president.