(Bloomberg) -- A new report from Google finds that most of the zero-day vulnerabilities its researchers discovered last year were being exploited by commercial surveillance vendors that sell the tools to governments to surreptitiously monitor their citizens.

Alphabet Inc.’s Google said on Thursday that it has been tracking more than 30 firms with “varying levels of sophistication and public exposure” that sold software exploits or surveillance capabilities.

Seven out of nine zero-day vulnerabilities that Google found in 2021 were being developed by commercial providers and “sold to and used by government-backed actors,” the company said. Zero-day flaws are issues in software that hackers and spyware vendors can exploit until a patch is provided by the developer.

Google also said software made by RCS Lab S.p.A. was able to infect mobile phones — running Apple’s iOS or Google’s Android operating system — and snoop on users in Italy and Kazakhstan. Google’s findings follow those last week from the cyber firm Lookout Inc., which said “Hermit” spyware was likely developed by RCS.

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," the Google researchers warned in a blog post that also shared snippets of the code. "This makes the internet less safe and threatens the trust on which users depend."

In a statement, RCS said it abides by government regulations and has long served law enforcement customers.

"Our products are delivered and installed within the premises of approved customers," the company said. "RCS Lab strongly condemns any abuse or improper use of its products which are designed and produced with the intent of supporting the legal system in preventing and combating crime."

©2022 Bloomberg L.P.