Over the last ten years, at least 80 countries have purchased commercial cyber intrusion software, or spyware. For dozens of states without a skills base, the commercial sector is almost certainly transformational, allowing cost-effective access to capability that would otherwise take decades to develop.
While products vary in capability and application, commercially available spyware for mobile devices can offer the ability to read messages, listen to audio calls, obtain photos, locate the device and remotely operate the camera and microphone. Some states are likely to procure multiple commercial cyber tools to meet their requirements. Devices can be compromised in a number of ways, including phishing, but also ‘zero-click’ attacks which do not require user interaction, making it more difficult for victims to mitigate.
While these tools have been used by states against law enforcement targets, spyware has almost certainly been used by some states in the targeting of journalists, human rights activists, political dissidents and opponents and foreign government officials. This is almost certainly happening at scale, with thousands of individuals targeted each year. While current products focus on mobile devices and intelligence gathering, as the sector grows and demand increases, products and services will likely diversify to meet demand.