Commercial Spyware

By Amigos IAS

Why is it in the news?

  • Recently, former Egyptian MP was targeted with Cytrox’s Predator spyware, delivered via links on SMS and WhatsApp.
  • Apple released an update to fix the bug used in the attack on MP’s device.


About the Spyware

History of spyware use against political opponents

  • The Pegasus Project in 2021 revealed widespread use of spyware targeting more than 50,000 phone numbers in 50 countries.
  • Spyware attacks have been reported in countries including India, Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the UAE.
  • Spyware, such as Pegasus, was used to target journalist Jamal Khashoggi’s wife before his murder in the Saudi consulate in Istanbul.



Definition of spyware and commercial spyware

  • Spyware is malicious software that infiltrates a device, gathers sensitive data, and transmits it to a third party without the user’s consent.
  • Commercial spyware is used by governments and law enforcement agencies for legal investigations but has been exploited by authoritarian governments against political opponents.
  • Commercial spyware like Pegasus can access and control a device’s camera and microphone without the user’s knowledge.


Methods of targeting devices

  • Spyware can be delivered through malicious links, SMS messages, or network injections.
  • Zero-day vulnerabilities, even unknown to device manufacturers, are often exploited to deliver spyware.
  • Spyware is capable of zero-click attacks, infecting devices without user interaction.
  • Between 2011 and 2023, at least 74 governments contracted with commercial firms for spyware or digital forensics technology.
  • Autocratic regimes are more likely to procure targeted surveillance technologies.
  • Various governments and agencies have been reported to use spyware, including India, the U.S., Mexico, the UAE, and Saudi Arabia.


Challenges and backlash against spyware firms

  • Inconsistencies in democratic governments’ responses and regulatory fragmentation enable spyware use.
  • The Pegasus Project led to the blacklisting of the NSO Group by the U.S., but other companies have filled the gap.
  • Germany’s FinFisher and Italy’s Hacking Team were dominant players in the spyware market prior to Pegasus.
  • Israel is the leading exporter of spyware, but concerns about human rights have not been adequately addressed in export licensing.


Tech Companies’ Responses

  • Tech giants like Meta, Google, and Apple have taken steps to address spyware threats.
  • Apple and Google have released updates to fix spyware-exploited software bugs.
  • Apple introduced “Lockdown Mode” for high-risk individuals to protect against spyware attacks.
  • WhatsApp pursued a lawsuit against NSO Group for exploiting its software, seeking an injunction and damages.
  • The current U.S. administration has supported the lawsuit against NSO Group.


Recent steps taken in India
  • Cyber Surakshit Bharat Initiative (2018): Spreads awareness about cybercrime and enhances the cybersecurity capacity of Chief Information Security Officers (CISOs) and IT staff in government departments.
  • National Cybersecurity Coordination Centre (NCCC) (2017): Monitors internet traffic and communication metadata to detect real-time cyber threats.
  • Cyber Swachhta Kendra (2017): A platform for users to clean their computers and devices from viruses and malware.
  • Indian Cyber Crime Coordination Centre (I4C): Recently inaugurated by the government.
  • National Cyber Crime Reporting Portal: Launched pan India to report cybercrimes.
  • Computer Emergency Response Team – India (CERT-IN): The nodal agency dealing with cybersecurity threats like hacking and phishing.
  • Information Technology Act, 2000.
  • Personal Data Protection Bill, 2019.


International Mechanisms

  • International Telecommunication Union (ITU): A specialized agency within the United Nations focusing on standardization and development of telecommunications and cybersecurity issues.
  • Budapest Convention on Cybercrime: An international treaty addressing Internet and computer crime by harmonizing national laws and promoting cooperation among nations (India is not a signatory).


Types of Cyber Attacks
  • Malware: Includes ransomware, spyware, worms, viruses, and Trojans, designed to cause harm to computers, servers, or networks.
  • Phishing: Involves deceptive emails and websites to gather personal information.
  • Denial of Service (DoS) Attacks: Aim to make a machine or network inaccessible by overwhelming it with traffic or causing a crash.
  • Man-in-the-Middle (MitM) Attacks: Attackers insert themselves into two-party transactions to intercept and steal data.
  • SQL Injection: Targets servers with malicious code to retrieve unauthorized information from databases.
  • Cross-Site Scripting (XSS): Injects malicious code into websites, affecting users’ browsers when they visit the attacked site.
  • Social Engineering: Manipulates human interactions to trick users into compromising security procedures and revealing sensitive information.

Signup for newsletter

Receive notifications straight into your inbox

Leave a comment