Why Southeast Asia became a spyware hotspot

Dictators looking to spy on the smartphones of their citizens have been able to buy access to private data for years. The companies making spyware have changed over time: FinFisher was a big player until a hack in 2014; Hacking Team took their place only to have a similar breach a year later. But no matter who’s selling them, spyware tools have remained available and they’ve remained broadly effective. For anti-spyware activists, the work is mostly pinning down specific buyers and shaming them into giving it up.

Last week, Amnesty International launched a new front in that fight with a new report calling out Indonesia’s national police and federal cybersecurity agency for stockpiling spyware. Nailing down the actual purchases meant following a wave of vendors and intermediaries, but researchers claim that the tools were being used against Indonesians.

Amnesty doesn’t name any specific targets, but the Indonesian government has no shortage of internal conflicts. The government has been implicated in long-standing violence against Indigenous groups in Papua and West Papua. Even minor protests against government projects are often met with alarming force. There’s a long list of activists and opposition leaders who could be seriously endangered by a spyware attack.

For Amnesty researcher Jurre van Bergen, one big surprise has been how much Southeast Asia has become a center for this trade, thanks largely to strong commercial privacy rules that obscure spyware purchases. “Most of these spyware sales happen in places like Malaysia or Singapore where it’s hard to access this information,” van Bergen says. “Because of all these different jurisdictions in play, it remains quite complicated to have any kind of insight into these spyware export flows.”

In theory, Apple and Google are the first line of defense against these attacks — they’re making the security systems that spyware companies are breaking, after all — but the reality is more complicated. Spyware attacks are so rare (or targeted) that they make up a vanishingly small portion of the overall security picture for a mobile OS business. Apple has been vocal about its attempts to keep spyware off of iPhones — but iOS trails Android globally, and especially in Southeast Asia. Most figures peg Apple’s market share in Indonesia at around 11%down significantly from where it was last year, so few Indonesians benefit from Apple’s defenses against spyware. The open nature of Android, with many manufacturers choosing to customize the OS for their own needs, means it’s much harder for that platform to keep out spyware — which means Indonesians are still largely defenseless.

Still, the overall picture isn’t hopeless. There’s a growing coalition of countries pledging not to use commercial spyware, launched in the U.S. under President Biden. I don’t expect Indonesia to sign on any time soon, but every country that does join means fewer customers for spyware makers.


Leave a Comment