
The Business of Spyware: Inside the Booming Market for Digital Surveillance (Pegasus and Beyond)

If the word “spyware” makes you think of shady hackers in dark basements, think bigger. Today, surveillance software is a global business with slick sales decks, customer support, and seven-figure contracts. It’s marketed to governments as a tool to fight crime and terrorism. It’s also been used to target journalists, activists, political opponents, and everyday citizens. That’s the tension at the heart of the spyware economy—and why understanding it matters to everyone who uses a phone.

In this deep dive, we’ll unpack how spyware is designed, who sells it, who buys it, and why it’s become one of the most consequential—and controversial—industries in cybersecurity. We’ll also look at what’s being done to rein it in, and what you can do to protect yourself.

Let’s pull back the curtain.

What Is Spyware—And Why It’s More Than “Just Malware”

Spyware is software that secretly monitors a device and exfiltrates data to a third party. That can mean reading messages, recording calls, tracking location, activating cameras or microphones, and pulling data from apps you trust.

But there’s an important distinction:

  • Consumer-grade spyware: Often called “stalkerware,” this category targets individuals, usually by someone they know. It’s illegal in many places and widely condemned by security experts.
  • Commercial/government-grade spyware: Often called “mercenary spyware,” this is sold by private companies to governments and their intermediaries. It uses advanced exploits to compromise devices, sometimes without any user interaction at all.

The second category is where the real power—and controversy—sits. Think Pegasus by NSO Group, Predator by Cytrox, and tools from companies like FinFisher, Hacking Team (now Memento Labs), and Candiru. These products are marketed for lawful intercept and national security. Yet numerous investigations show they have also been deployed against civil society and political targets around the world.

Here’s why that matters: when a tool can silently take over your phone, encryption doesn’t help. The spyware reads messages before they’re encrypted and after they’re decrypted. That shifts the security battle from “protect the message” to “protect the device,” a much harder job.

How Spyware Gets Built: The Value Chain Behind Surveillance Tools

Spyware isn’t a single piece of code. It’s a whole stack of R&D, infrastructure, and services. Think of it like a covert SaaS company with a very different customer value proposition.

1) Exploit discovery and weaponization

To get in, spyware often relies on software flaws—vulnerabilities in operating systems like iOS or Android or in apps like iMessage and WhatsApp. The most prized are:

  • Zero-day vulnerabilities: Flaws unknown to the vendor. These are expensive and rare.
  • Zero-click exploits: Attacks that require no action from the target. A maliciously crafted message can trigger the exploit the moment it’s received.

Security researchers at Google Project Zero have analyzed sophisticated zero-click chains used in the wild against popular platforms, including those attributed to NSO Group. Their deep dive is a sobering read on how far attackers will go to gain access to a phone’s core processes and memory protections.

2) Delivery mechanisms

Once a vendor has an exploit, it needs a delivery method. Common tactics include:

  • Zero-click delivery via messaging services.
  • One-click spear-phishing links sent by SMS, email, or social.
  • Network injection on compromised or manipulated mobile networks.
  • Physical access for “forensic” style toolkits used in custody.

Each path balances stealth, reliability, and cost. Zero-clicks are powerful but fragile; one software update can break them. Phishing is cheaper but less reliable against a careful target.

3) Post-exploitation modules

After gaining access, the spyware installs surveillance modules. These can:

  • Capture messages and call logs
  • Read email and files
  • Track location
  • Activate microphone and camera
  • Pull tokens to access cloud services

The goal is quiet, persistent access. The best kits hide well and adjust to changing defenses.

4) Command-and-control (C2) infrastructure

Data must leave the device without raising alarms. Vendors set up sprawling server networks, often with layers of proxies and rapidly changing domains. The infrastructure alone can look like a full-blown cloud operation.

Investigative groups like the Citizen Lab have spent years mapping these networks and attributing campaigns to specific customers and regions based on targeting patterns.

5) Services, support, and training

This is where the “business” in spyware becomes clear. Vendors offer:

  • Licensing by number of targets or geography
  • Customer success and technical support
  • Analyst training and operational guidance
  • Updates and maintenance as platforms evolve

If it sounds like enterprise software, that’s because it is—just with far higher stakes.

Who Sells Spyware—and Who Buys It

The supply side includes a relatively small but influential set of companies, often structured with holding firms and subsidiaries across multiple countries.

  • NSO Group (Israel): Maker of Pegasus, arguably the most infamous modern spyware. Overview in The New York Times.
  • Candiru (Israel): Linked to targeted operations against civil society. U.S. Commerce Department listing.
  • Cytrox (North Macedonia/Madagascar): Maker of Predator, reportedly part of the Intellexa alliance.
  • FinFisher/Gamma Group (Europe): Longtime supplier of “lawful intercept” tools.
  • Hacking Team/Memento Labs (Italy): Known for earlier generation remote control system (RCS) tools.

On the demand side, customers typically include:

  • Law enforcement agencies seeking targeted surveillance in criminal cases.
  • Intelligence and defense services conducting counterterrorism or counterintelligence.
  • Governments—both democratic and authoritarian—pursuing political control.

Here’s where the ethics get thorny: the same capability that can help catch a kidnapper can also silence a dissident. Without strict oversight, clear legal standards, and transparent accountability, abuse becomes almost inevitable.

Case Study: Pegasus and the Fallout That Reshaped the Industry

In 2021, a consortium of journalists led by Forbidden Stories, with technical analysis by Amnesty International’s Security Lab and attribution work by the Citizen Lab, revealed widespread misuse of NSO’s Pegasus spyware. The “Pegasus Project” reported that phone numbers linked to journalists, activists, politicians, and business leaders appeared on lists associated with potential targeting. Forensic checks found traces of compromise on many devices.

The global reaction was swift:

Regardless of a vendor’s intent or contractual language, the findings showed a simple truth: powerful surveillance tools tend to get misused without robust checks.

Pricing and Business Models: How Surveillance Gets Packaged and Sold

Commercial spyware is big-ticket software. Public reporting suggests contracts can reach into the millions, with fees for:

  • Licensing: Often tied to a number of simultaneous targets, features, or regions.
  • Setup and integration: Deployment, infrastructure, and connectivity.
  • Maintenance and updates: Ongoing support, patching, and new exploit chains.
  • Training: Analyst education and operational best practices.

Pricing varies widely by vendor, capability, and buyer. While exact figures are closely guarded, media investigations and leaked documents over the years point to a market where a single “package” can cost as much as a regional policing budget. It’s a stark reminder: this is a commercial ecosystem with incentives to sell more capability to more buyers.

The Legal, Ethical, and Political Fault Lines

Spyware vendors argue they provide lawful tools used under court order to fight crime. Critics counter that many countries lack independent judiciaries, and even in democracies, oversight can be opaque.

Key fault lines include:

  • Export controls: The Wassenaar Arrangement places controls on the export of “intrusion software,” but enforcement and scope vary by country.
  • Blacklisting and sanctions: The U.S. Entity List move signaled a new era of consequences for vendors tied to human rights abuses.
  • Lawsuits and platform countermeasures: Apple and Meta-owned WhatsApp are pursuing legal remedies. Platform vendors also patch vulnerabilities and harden defenses, but they’re playing catch-up in a fast-moving arms race.
  • Human rights standards: The UN High Commissioner for Human Rights called for a moratorium on certain spyware sales and transfers until adequate safeguards are in place.

Here’s the ethical heart of the debate: Is it possible to build and sell “lawful intercept” tools that won’t get abused? And if the answer is “not reliably,” what should the world do next?

Why Spyware Is One of the Most Dangerous Businesses in Cybersecurity

Three reasons stand out.

1) It targets people, not just systems
Spyware reaches into the most private parts of our lives—conversations with loved ones, medical records, legal counsel, sources, and political organizing. The chilling effect is real. Journalists may avoid certain stories. Activists may quit. Opponents may self-censor. That undermines democratic life.

2) It bypasses encryption by design
End-to-end encryption is vital, but spyware sidesteps it by capturing data on the device itself. That negates one of the most important protections for privacy and free expression.

3) It’s asymmetric and opaque
A small number of vendors, armed with elite exploit talent, can surveil at scale against targets who often have no way to detect compromise. Independent verification is hard, and victims may never get proof. The power imbalance is stark.

How the Industry Defends Itself—and Where Those Arguments Fall Short

Vendors often make four core claims:

  • “We sell only to vetted governments.”
    But decisions about who is “vetted” are often opaque, and vendor compliance programs can be weak or politicized. A change in government can flip a country from rights-respecting to repressive overnight.
  • “We require lawful use.”
    In practice, “lawful” depends on the legal system. If courts aren’t independent, warrants can be rubber-stamped. Even in democracies, surveillance law can lag behind technology.
  • “Abuses are rare and punished.”
    Investigations have found repeated patterns of abuse across regions and regimes. Responses vary, and remedies for victims are limited.
  • “Our tools save lives.”
    They may, in some cases. But the same tools can end lives by exposing sources and networks. The absence of transparent, independent audits makes the life-saving claim hard to verify.

What’s Being Done: Policy, Lawsuits, and Platform Defenses

Progress is slow but real. You can think of the response in three tracks.

1) Policy and regulation
– Export controls tightened in some jurisdictions.
– Procurement bans or restrictions by allied governments.
– Public inquiries (like the EU’s PEGA committee) and national reviews.
– Calls for moratoria until robust safeguards exist.

2) Litigation and accountability
– WhatsApp and Apple lawsuits seek to limit vendors’ reach and establish legal precedents.
– Journalists and NGOs document abuses, enabling sanctions or procurement bans.

3) Technical countermeasures
– Rapid patching of vulnerabilities by Apple, Google, and others.
– Security features like Apple’s Lockdown Mode to reduce the attack surface for high-risk users.
– Threat notifications from platform vendors when targeted attacks are suspected.
– Independent forensic tooling and methods, such as those from Amnesty Security Lab, to detect traces of infection on devices, especially for at-risk communities.

None of these is a silver bullet. But together, they raise costs for attackers, reduce opportunities, and increase the consequences of abuse.

What You Can Do: Practical Steps for Individuals and Organizations

You can’t “patch” geopolitics, but you can reduce risk. These tips focus on defense and good hygiene—no technical heroics required.

  • Keep devices up to date. Enable automatic updates for your OS and apps. Many exploits vanish after patches.
  • Use built-in protections. On iOS, consider Lockdown Mode if you’re at elevated risk. Review app permissions and disable what you don’t need.
  • Be cautious with links and attachments. Phishing is still common. Verify unexpected messages, even from known contacts.
  • Segment your work. Don’t mix sensitive work and personal accounts on the same device if you can avoid it.
  • Plan for incidents. High-risk organizations should have a digital security policy, a response plan, and a trusted security partner.
  • Seek expert help if targeted. Groups like Access Now run a Digital Security Helpline for civil society.
  • Learn the basics. EFF’s Surveillance Self-Defense offers practical guides tailored to different risk profiles.

Let me be clear: even with great hygiene, a well-resourced attacker may still get in. But each step narrows their options and increases your chance of catching issues early.

The Road Ahead: Trends to Watch

The spyware business isn’t going away. But it is changing fast. Watch for:

  • Fewer remote zero-clicks, more social engineering: Platform hardening is real. That pushes attackers toward human error and physical access where possible.
  • More platform-level protections: Expect hardened messaging pipelines, memory safety gains, and security features aimed at high-risk users.
  • Consolidation and rebranding: As scrutiny grows, companies may shut down, spin out, or relabel to evade reputational damage.
  • Coordinated policy responses: Regional alliances may develop shared procurement bans, transparency rules, and sanctions frameworks.
  • Lawsuits that set precedent: Court decisions on sovereign immunity claims and platform protections will shape the market.
  • Community-driven detection: NGOs and labs will continue to expose campaigns, raising costs for vendors and buyers.

Here’s the hopeful part: sunlight works. Every credible report, patch, and court ruling makes abuse riskier and more expensive. That’s how norms change.

Bottom Line: A Market Too Powerful to Ignore

Spyware has outgrown the shadows. It’s a professionalized, global industry selling access to the most intimate parts of our digital lives. Used properly, it can stop crimes. Used improperly, it can undermine democracy, silence dissent, and put lives at risk.

  • The technology is advanced, often using zero-day and zero-click exploits.
  • The market incentives favor more sales and more capability.
  • Oversight, transparency, and accountability lag far behind.

The path forward requires both pressure and pragmatism: smarter laws, coordinated enforcement, responsible platform defenses, and support for at-risk communities. For the rest of us, staying updated, cautious, and informed is a strong start.


FAQ: People Also Ask

Q: What is spyware, in simple terms?
A: Spyware is software that secretly monitors a device and sends data to someone else. It can access messages, calls, location, and more—often without the user noticing.

Q: Is spyware legal?
A: It depends on who uses it and how. Consumer “stalkerware” is illegal in many jurisdictions. Government-grade spyware can be legal when used with proper authorization, but investigations have shown widespread misuse and weak oversight.

Q: How does Pegasus work?
A: Pegasus has used sophisticated exploits, including zero-click attacks, to compromise phones. Once in, it can read messages, track location, and activate sensors. Technical details vary by version and are often patched by vendors after discovery. See analyses by Amnesty Security Lab and Citizen Lab.

Q: Who buys spyware and why?
A: Customers usually include law enforcement and intelligence agencies. They claim to use it for counterterrorism and serious crime investigations. However, reports have documented use against journalists, activists, and political opponents.

Q: Can I tell if my phone is infected with spyware?
A: It’s hard. Modern spyware aims to be invisible. Signs like rapid battery drain or overheating are not reliable. High-risk users should seek expert help. Platform vendors sometimes send threat notifications, and NGOs publish detection methods. Start with resources from Amnesty Security Lab and EFF’s SSD.

Q: Are zero-click attacks common?
A: They’re rare but very impactful, typically used against high-value targets due to the cost and fragility of the exploits. Most people face more risk from phishing and common malware.

Q: Why not just ban spyware?
A: Some lawmakers advocate moratoria or strict bans. Others argue for regulated use with strong oversight. The challenge is aligning global rules and enforcing them against vendors and states with different interests. The UN has called for a moratorium on certain transfers until safeguards exist.

Q: What is the Wassenaar Arrangement?
A: It’s an international export-control framework that governs dual-use technologies, including certain “intrusion software.” It guides how countries regulate cross-border sales but does not enforce uniform rules.
