Commercial Surveillance Vendor Market¶
Commercial spyware sold to governments occupies the extreme end of the grayware spectrum: legal under the export laws of the selling country, marketed as lawful-intercept tools for law enforcement and intelligence agencies, yet routinely deployed against journalists, dissidents, and opposition politicians. These vendors' Android implants are among the most sophisticated mobile malware observed in the wild, typically delivered by zero-click or one-click exploit chains against fully patched devices.
Vendors and Pricing¶
| Vendor | Product | Pricing | Status | Source |
|---|---|---|---|---|
| NSO Group (Israel) | Pegasus | $500K setup + $650K per 10 targets; Ghana deployment: $8M | US Entity List (Nov 2021) | Commerce Dept. |
| Intellexa/Cytrox | Predator | EUR 8-13.6M per deployment | US Entity List (Jul 2023), Treasury sanctions (Mar + Sep 2024) | Treasury |
| Candiru (Israel) | DevilsTongue | Unknown | US Entity List (Nov 2021) | Microsoft / Citizen Lab |
| QuaDream (Israel) | REIGN | Unknown | Shut down Apr 2023 after Citizen Lab/Microsoft exposure | Citizen Lab |
| Paragon (Israel) | Graphite | Unknown | Active; severed Italian government contract after exposure | Citizen Lab |
| Variston IT (Spain) | Heliconia | Unknown | Exposed by Google TAG Nov 2022 (exploit frameworks for Chrome, Firefox, and Windows Defender) | Google TAG |
| RCS Lab (Italy) | Hermit | Unknown | Active | Lookout |
Licences are typically scoped to a single phone country-code prefix, with additional countries sold for extra fees. Annual maintenance runs 17-22% of the system cost.
International Response¶
The Pall Mall Process (February 2024): 35 nations convened at Lancaster House, London, and agreed guiding principles on the commercial spyware market; a Code of Practice for states followed in April 2025. US Entity List additions have had limited practical impact. The listing restricts exports of US-origin goods and technology to the named vendor but does not block its sales to non-US customers, and Intellexa continued operating after being listed and sanctioned. Paragon's January 2025 WhatsApp zero-click campaign, which targeted roughly 90 accounts including journalists, took place while the company presented itself as a "responsible" vendor under its own ethical framework.