Android exploits are now worth more than iOS exploits for the first time

Exploit broker Zerodium increases zero-day prices for Android, now worth more than iOS.
Written by Catalin Cimpanu, Contributor

Zerodium, a company which claims it buys and then resells software exploits to government and law enforcement agencies, has updated its price list today, and Android exploits are worth more than iOS exploits for the first time ever.

According to the company, starting today, a zero-click (no user interaction) exploit chain for Android can get hackers and security researchers up to $2.5 million in rewards. A similar exploit chain impacting iOS is worth only $2 million.

Zerodium's new price for Android exploits is almost twelve times the maximum of $200,000 the company was willing to offer a year ago, and as much as 100 times what Zerodium was paying for some of the lower-impact Android exploits.

Zerodium price changes, September 2019
Image: Zerodium

Zerodium has timed its announcement with Google's official release for Android 10, scheduled for later today. A Google spokesperson did not return a request for comment.

Higher rewards for IM exploits as well

At the same time, Zerodium also announced it was increasing payouts for exploits in instant messaging clients, regardless of the OS they are running.

An exploit chain consisting of a no-user-interaction (zero-click) remote code execution (RCE) bug and a local privilege escalation (LPE) in WhatsApp or iMessage is now worth $1.5 million, even if reboot persistence isn't achieved.

If user interaction is required, then the reward/price for the exploit chain goes down to $1 million for WhatsApp and $500,000 for iMessage.

Last year, similar bugs in these two IM apps would have brought only a maximum of $500,000.

A market shift

In a tweet from the company's official Twitter account, Zerodium claimed the price updates are "in accordance with market trends."

This is consistent with what Zerodium CEO Chaouki Bekrar told ZDNet in an interview this March after the company launched a zero-day acquisition program for cloud-based technologies.

Bekrar said that Zerodium's customers are the ones who ask for specific exploit chains, and that his company reacts by increasing rewards for exploit submissions.

In other words, Zerodium's price hike today can be interpreted as law enforcement agencies and government agencies across the world showing a sudden interest in acquiring software exploits for Android devices.

When ZDNet asked Bekrar today whether Android market fragmentation would play a role in which exploits his company would accept, the Zerodium exec said they'll "mostly focus on Google, Samsung, Huawei and Sony devices," and that exploits for other brands were also accepted, on a case-by-case basis.

Prior to today, most exploit brokers, not just Zerodium, priced iOS exploits higher because iPhones run on the same hardware and are mostly up to date, which makes Apple's job of keeping devices secured easier, and hackers' job of compromising them harder.

In contrast, there are dozens of Android OEMs making their own devices on different hardware specs, and most of today's Android devices are hopelessly out of date, as mobile carriers and device vendors have failed for years to deliver over-the-air (OTA) security updates in a timely manner.

Bekrar explained further how this landscape and the security features of the two operating systems have played a role in Zerodium increasing prices for Android zero-day exploits.

"During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world," the Zerodium CEO said. "The zero-day market is so flooded by iOS exploits that we've recently started refusing some of them.

"On the other hand, Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time-consuming to develop full chains of exploits for Android, and it's even harder to develop zero-click exploits not requiring any user interaction," he added.

"In accordance with these new technical challenges related to Android security and our observations of market trends, we believe that the time has come to allocate the highest bounties to Android exploits until Apple re-improves the security of iOS and strengthens its weakest parts, which are iMessage and Safari (WebKit and sandbox)."

Article updated on September 3, at 14:10 ET, with comments from the Zerodium CEO.
