Zerodium is raising the amounts it pays for vulnerabilities in mobile applications and operating systems. An Android vulnerability can now fetch 2.5 million dollars under the right conditions. For the first time, that is more than a vulnerability in iOS.
According to the program's updated price list, Zerodium has both increased a number of existing bounties and added new ones. Strikingly, one of the new additions immediately carries the highest price of all. Researchers who find a vulnerability that works on all Android devices at once can receive 2.5 million dollars, roughly 2.29 million euros. The vulnerability must be 'persistent': the compromise has to survive a reboot of the phone. It must also be exploitable without any user interaction. With such a zero-click bug, a phone is already compromised if, for example, the user merely visits a particular website; the user does not have to click anything first or install anything. A comparable persistent zero-click bug on iOS is worth half a million dollars less at Zerodium.
In addition to the new bounties for iOS and Android bugs, Zerodium has also raised a few existing prices. A remote code execution combined with a local privilege escalation in WhatsApp or iMessage now sells for one and a half million dollars, up from a million. Some prices are going down as well, namely those for an iOS full chain and for a remote code execution that require user interaction. For vulnerabilities that need the victim to click first and that target the iPhone through a web browser, the price drops from $1.5 million to $1 million. A one-click vulnerability in iMessage drops from a million to $500,000.
This is the first time an Android vulnerability is worth more than one in iOS. The maximum price for an iOS bug is now two million dollars, compared to 2.5 million for an Android bug. A few years ago, iOS vulnerabilities were still the holy grail for security researchers. Zerodium tells Wired that the market is flooded with iOS exploits. At the same time, Android's security keeps improving, so it is harder to find a vulnerability in the operating system that takes over a device completely in one go, without the user clicking anything.
Software vulnerabilities have become increasingly valuable in recent years, and manufacturers themselves are offering ever higher rewards to the researchers who find them. Apple has been offering more money for iOS vulnerabilities since last month, and Google will pay researchers for finding bugs in third-party apps. The hope is that researchers will not take their findings to commercial brokers such as Zerodium, which also sell vulnerabilities to authoritarian regimes. Those regimes can use them to build software for surveilling minorities or dissidents. For example, it recently emerged that China was exploiting vulnerabilities in iOS to hack Uyghurs.