Zerodium, a company which claims it buys and then resells software exploits to government and law enforcement agencies, has updated its price list today, and Android exploits are worth more than iOS exploits for the first time ever.
According to the company, starting today, a zero-click (no user interaction) exploit chain for Android can get hackers and security researchers up to $2.5 million in rewards. A similar exploit chain impacting iOS is worth only $2 million.
Zerodium’s new price for Android exploits is almost twelve times the maximum of $200,000 the company was willing to offer a year ago, and up to 100 times more than Zerodium was paying for some of the lower-impact Android exploits.
Zerodium has timed its announcement with Google’s official release for Android 10, scheduled for later today. A Google spokesperson did not return a request for comment.
Higher rewards for IM exploits as well
At the same time, Zerodium also announced it was increasing payouts for exploits in instant messaging clients, regardless of the OS they are running.
An exploit chain consisting of a no-user-interaction (zero-click) remote code execution (RCE) bug and a local privilege escalation (LPE) in WhatsApp or iMessage is now worth $1.5 million, even if reboot persistence isn’t achieved.
If user interaction is required, then the reward/price for the exploit chain goes down to $1 million for WhatsApp and $500,000 for iMessage.
Last year, similar bugs in these two IM apps would have brought only a maximum of $500,000.
A market shift
In a tweet from the company’s official Twitter account, Zerodium claimed the price updates are “in accordance with market trends.”
This is consistent with what Zerodium CEO Chaouki Bekrar told ZDNet in an interview this March after the company launched a zero-day acquisition program for cloud-based technologies.
Bekrar said that Zerodium’s customers are the ones who ask for specific exploit chains, and his company reacts by increasing rewards for exploit submissions.
In other words, Zerodium’s price hike today can be interpreted as law enforcement agencies and government agencies across the world showing a sudden interest in acquiring software exploits for Android devices.
Bekrar didn’t respond to an email sent prior to this article’s publication seeking comment on how Android’s market fragmentation, with regard to vendor and OS version, plays a role in his company’s acquisition program.
iOS exploits were usually priced higher because iPhones run on similar hardware and are mostly up to date, which makes Apple’s job easier in keeping devices secured.
On the other hand, there are tens of Android OEMs making their own devices on different hardware specs, and most of today’s Android devices are hopelessly out of date, as mobile carriers and device vendors have failed for years to deliver over-the-air (OTA) security updates in a timely manner.
Source article: https://www.zdnet.com/article/android-exploits-are-now-worth-more-than-ios-exploits-for-the-first-time/#ftag=RSSbaffb68
Android exploits are now worth more than iOS exploits for the first time