Probe reveals previously secret Israeli spyware that infects targets via ads

Oh s#!t, Sherlock

Israeli software maker Insanet has reportedly developed a commercial product called Sherlock that can infect devices via online adverts to snoop on targets and collect data about them for the biz's clients.

This is according to an investigation by Haaretz, which this week claimed the spyware system had been sold to a country that is not a democracy.

The newspaper's report, we're told, marks the first time details of Insanet and its surveillanceware have been made public. Furthermore, Sherlock is capable of drilling its way into Microsoft Windows, Google Android, and Apple iOS devices, according to cited marketing bumf.

"According to the findings of the investigation, this is the first case in the world where a system of this sort is being sold as technology, as opposed to a service," journo Omer Benjakob wrote, adding Insanet received approval from Israel's Defense Ministry to sell Sherlock globally as a military product albeit under various tight restrictions, such as only selling to Western nations.

"Even to present it to a potential client in the West, a specific permit must be obtained from the Defense Ministry, and it’s not always given," Benjakob noted.

The company, founded in 2019, is owned by ex-military and national defense types. Its founders include the former chief of Israel's National Security Council Dani Arditi and cyber entrepreneurs Ariel Eisen and Roy Lemkin.

Arditi, who, according to his LinkedIn profile, is the chief executive at an Israeli tech company called IFG Security, did not respond to The Register's inquiries. Neither did Lemkin, CEO of Exceed Ventures, a cyber intelligence fund. Eisen could not be reached for comment.

"Insanet is an Israeli company, which operates with full and absolute obligation to Israeli law and to its strict regulatory directives," the biz reportedly told the newspaper.

To market its snoopware, Insanet reportedly teamed up with Candiru, an Israel-based spyware maker that has been sanctioned in the US, to offer Sherlock along with Candiru's spyware – an infection of Sherlock will apparently set a client back six million euros ($6.7 million, £5.2 million), mind you.

The Haaretz report cited a Candiru marketing document from 2019 in reporting the following:

The document also revealed that Sherlock could breach Windows-based computers as well as iPhones and Androids. Until now, different companies have specialized in breaching different devices. Candiru focused on PCs, NSO could hack iPhones, and its competitors specialized in Androids. But with this system, as the documents show, every device could effectively be breached.

The Electronic Frontier Foundation's Director of Activism Jason Kelley said Insanet's use of advertising technology to infect devices and spy on clients' targets makes it especially worrisome. Dodgy online ads don't just provide a potential vehicle for delivering malware, such as via carefully crafted images or JavaScript in the ads that exploit vulnerabilities in browsers and OSes, they can be used to go after specific groups of people – such as those who are interested in open source code, or who frequently travel to Asia – that someone might be interested in snooping on.

"This method of surveillance and targeting uses commercially available data that's very difficult to erase from the internet," Kelley told The Register. "Most people have no idea how much of their information has been compiled or shared by data brokers and ad tech companies, and have little ability to erase it."

It's an interesting twist. Sherlock seems designed to use legal data collection and digital advertising technologies — beloved by Big Tech and online media — to target people for government-level espionage. Other spyware, such as NSO Group's Pegasus or Cytrox's Predator and Alien, tends to be more precisely targeted.

"Threat-wise, this can be compared to malvertising where a malicious advertisement is blanket-pushed to unsuspecting users," Qualys threat research manager Mayuresh Dani told The Register.

"In this case, however, it seems that this is a two-staged attack wherein users are first profiled using advertising intelligence (AdInt) and then they are served malicious payloads via advertisements. Unsuspecting users are definitely susceptible to such attacks."

The good news for some, at least: it likely poses a minimal threat to most people, considering the multi-million-dollar price tag and other requirements for developing a surveillance campaign using Sherlock, Kelley noted. 

Still, "it's just one more way that spyware companies can surveil and target activists, reporters, and government officials," he said.

There are some measures netizens can take to protect themselves from Sherlock and other data-harvesting technologies.

"Since these ads are being served using known advertisement networks, anti-adware technologies such as not loading JavaScript, using ad blockers or privacy-aware browsers, and not clicking on advertisements should act as a guardrail against this attack," Dani suggested.

And more broadly: "Pass consumer data privacy laws," Kelley said.

"Data finds its way to being used for surveillance, and worse, all the time," he continued. "Stop making the data collection profitable, and this goes away. If behavioral advertising were banned, the industry wouldn't exist." ®

More about


Send us news

Other stories you might like