Privacy International (PI) is calling for greater oversight of GCHQ following suspicions that it was behind the Regin malware.

Comments from various security firms reported by the Guardian claimed that only the UK, US and Israel were capable of delivering such sophisticated malware, but PI has said the legal position on government hacking is unclear.

Eric King, deputy director at PI, said: "Although we know more than ever before about the capabilities of British and American security services to conduct network exploitation and attacks, we still don’t know on what legal authority GCHQ and the NSA purport to act.

"There is no clear legal framework in either country that sanctions and regulates the deployment of these kinds of intrusive tools."

King argued that government malware deployment would only be covered under an "extraordinarily broad interpretation" of the Regulation of Investigatory Powers Act (RIPA), the bill which covers government snooping.

He added that, under the terms of the Computer Misuse Act, if GCHQ impairs the operation of a computer within England and Wales to steal data or gain unauthorised access, it would be "prima facie unlawful".

Another bill, the Intelligence Services Act, also grants powers to the Secretary of State to authorise interference with property or wiretapping via warrant, a broad power King described as "simply not sufficient to legally justify the use of highly advanced invasive surveillance techniques".

A previous ruling by the European Court of Human Rights on a case involving German citizen Gabriele Weber set out the need for clarity in the laws around snooping, owing to the lack of potential scrutiny that can be applied against intelligence services.

"There are no authorising powers in the UK sanctioning the deployment of malware like Regin that meet the Weber standards for authorisation, nor are there the safeguards in statute," King said.