36 votes

Probe reveals previously secret Israeli spyware that infects targets via ads

10 comments

  1. [2]
    Amun
    Jessica Lyons Hardcastle


    The document also revealed that Sherlock could breach Windows-based computers as well as iPhones and Androids. Until now, different companies have specialized in breaching different devices. Candiru focused on PCs, NSO could hack iPhones, and its competitors specialized in Androids. But with this system, as the documents show, every device could effectively be breached.

    Israeli software maker Insanet has reportedly developed a commercial product called Sherlock that can infect devices via online adverts to snoop on targets and collect data about them for the biz's clients.

    The newspaper's report claimed that the spyware system had been sold to a country that is not a democracy. This, we're told, marks the first time details of Insanet and its surveillanceware have been made public. Furthermore, Sherlock is capable of drilling its way into Microsoft Windows, Google Android, and Apple iOS devices, according to cited marketing bumf.

    "According to the findings of the investigation, this is the first case in the world where a system of this sort is being sold as technology, as opposed to a service," journo Omer Benjakob wrote, adding Insanet received approval from Israel's Defense Ministry to sell Sherlock globally as a military product albeit under various tight restrictions, such as only selling to Western nations.

    "Even to present it to a potential client in the West, a specific permit must be obtained from the Defense Ministry, and it’s not always given," Benjakob noted.

    To market its snoopware, Insanet reportedly teamed up with Candiru, an Israel-based spyware maker that has been sanctioned in the US, to offer Sherlock along with Candiru's spyware – an infection of Sherlock will apparently set a client back six million euros ($6.7 million, £5.2 million), mind you.

    Method

    "This method of surveillance and targeting uses commercially available data that's very difficult to erase from the internet," Kelley told The Register. "Most people have no idea how much of their information has been compiled or shared by data brokers and ad tech companies, and have little ability to erase it."

    It's an interesting twist. Sherlock seems designed to use legal data collection and digital advertising technologies — beloved by Big Tech and online media — to target people for government-level espionage. Other spyware, such as NSO Group's Pegasus or Cytrox's Predator and Alien, tends to be more precisely targeted.

    Two staged

    "In this case, however, it seems that this is a two-staged attack wherein users are first profiled using advertising intelligence (AdInt) and then they are served malicious payloads via advertisements. Unsuspecting users are definitely susceptible to such attacks."

    Threat level is [probably] minimal

    The good news for some, at least: it likely poses a minimal threat to most people, considering the multi-million-dollar price tag and other requirements for developing a surveillance campaign using Sherlock, Kelley noted.

    Still, "it's just one more way that spyware companies can surveil and target activists, reporters, and government officials," he said.

    Measures to avoid

    There are some measures netizens can take to protect themselves from Sherlock and other data-harvesting technologies.

    "Since these ads are being served using known advertisement networks, anti-adware technologies such as not loading JavaScript, using ad blockers or privacy-aware browsers, and not clicking on advertisements should act as a guardrail against this attack," Dani suggested.

    And more broadly: "Pass consumer data privacy laws," Kelley said.

    "Data finds its way to being used for surveillance, and worse, all the time," he continued. "Stop making the data collection profitable, and this goes away. If behavioral advertising were banned, the industry wouldn't exist."

    21 votes
    1. LukeZaz
      The newspaper's report claimed that the spyware system had been sold to a country that is not a democracy.

      Am I meant to be okay with it when it's sold to an ostensibly democratic country? Because I'm not.

      Spyware shouldn't exist. Full stop.

      5 votes
  2. Sodliddesu
    So, I can tell my security manager I need adblock for National Security purposes and not look like a loon now?

    I mean, they know I'll just use it for YouTube either way but still.

    10 votes
  3. [5]
    Oslypsis
    "Sherlock seems designed to use legal data collection and digital advertising technologies — beloved by Big Tech and online media — to target people for government-level espionage."

    So does this mean something will finally be done about data collection, since it's affecting the military/government?

    Also, why can't we just make it so people have copyright over the data they generate or something? I wish this would just finally be addressed.

    8 votes
    1. Greg
      I doubt that copyright would be a workable mechanism, but it sounds like you’re looking for something similar to the GDPR right to erasure?

      6 votes
    2. [3]
      Habituallytired
      It won't happen, but it would be absolutely hilarious if NatSec espionage was the reason Big Data was taken down.

      2 votes
      1. [2]
        mild_takes
        National security is what funds these spyware companies. NSO and these other companies exist to sell their software/services to nations.

        But it's sort of a double-edged sword so maybe. As an example, the NSA already gives out a bunch of good cyber security advice despite the fact that they're the NSA.

        3 votes
        1. Greg
          One of my favourite examples of that is when the NSA publicly hardened DES against an attack only they knew about, without mentioning it: https://en.m.wikipedia.org/wiki/Data_Encryption_Standard

  4. [2]
    pete_the_paper_boat
    Why does it seem like Israel is the hub for military spyware companies?

    7 votes
    1. yosayoran
      Because the IDF is one of the leaders in cyber security and attacks.

      The same knowledge that's used to fight Hamas and Hezbollah can, unfortunately, be used against everyone else.

      5 votes