Spyware and zero-day exploits increasingly go hand-in-hand, researchers find

Researchers found 97 zero-days exploited in the wild in 2023; nearly two thirds of mobile and browser flaws were used by spyware firms.
A cosplayer dressed as the Star Wars character Darth Vader holds a mobile phone displaying a government alert issued to all smartphones to test a system used to warn of life-threatening emergencies at the Scarborough Sci-Fi Convention in Scarborough north-east England on April 23, 2023. (Photo by OLI SCARFF/AFP via Getty Images)

Researchers tracking the exploitation of previously undisclosed vulnerabilities found that commercial spyware firms are increasingly responsible for leveraging such zero-day flaws against mobile phones and other consumer-oriented devices, according to a report published Wednesday.

The joint report from Google’s Threat Analysis Group and Google-owned Mandiant determined that in 2023, spyware produced by commercial surveillance vendors (CSVs) were responsible for 64% of known exploited mobile and browser zero-day vulnerabilities.

“We have all seen the harms that are being caused towards society from these CSVs, and we are still seeing them playing some of the biggest roles in in-the-wild zero-days that are discovered against end-user devices,” said Maddie Stone, security engineer at Google TAG. “Overall we’re definitely seeing it on an upward trajectory on the end-user space for CSVs.”

Wednesday’s report comes against the backdrop of a Biden administration push to crack down on spyware abuses, following ever-expanding revelations about buyers using the tech to eavesdrop on U.S. government personnel overseas, journalists and activists.


The White House has banned U.S. government agencies from using spyware from using spyware that poses a threat to U.S. national security, has convinced a number of U.S. allies to pledge to use spyware responsibly and is looking to sign up additional countries to the pact. 

Wednesday’s zero-day report tallied 97 total zero-day vulnerabilities exploited “in the wild,” meaning those being used in the real world rather than discovered as part of theoretical research. Of those, 37 were mobile and browser vulnerabilities, and spyware firms were responsible for 24 of those, according to the analysis. Three-quarters of the known zero-day spyware exploits targeted Google products and Android devices and 55% targeted iOS and Safari.

“Private sector firms have been involved in discovering and selling exploits for many years, but we have observed a notable increase in exploitation driven by these actors over the past several years,” the report states. “CSVs operate with deep technical expertise to offer ‘pay-to-play’ tools that bundle an exploit chain designed to get past the defenses of a selected device, the spyware, and the necessary infrastructure, all to collect the desired data from an individual’s device.”

Spyware’s easy ability to hand all-in-one powerful surveillance tools to those who purchase it might account for the spike in numbers, but it also might point to the cybersecurity world getting better at catching wind, Stone said, noting that the report tallies the exploits the researchers have seen rather than necessarily accounting for all exploits used.

The 97 exploited zero-day vulnerabilities is a rise from 2022’s tally but short of the record of 106 in 2021. The report highlighted improvements by tech companies to fend off zero-days. 


Other findings of the report include increased targeting of third-party components and enterprise products; China continuing to be the most prolific state user of zero-day exploits; and the first known instance of reportedly Belarusian-linked espionage groups making use of zero-day vulnerabilities.

Latest Podcasts