An Android zero-day exploit is now worth more than one for the iPhone on the global cyberweapons market.
Exploit acquisition vendor Zerodium said Tuesday that it is willing to pay a whopping $2.5 million for a zero-click Android zero-day with persistence. That number significantly increases the company’s previous payout ceiling of $2 million (for remote iOS jailbreaks).
Android outstripping iPhone in zero-day value is a new turn of events; iPhone exploits have until now commanded top pay-outs from gray-market exploit brokers like Zerodium because they were rare. But as further evidence of iPhone’s waning value (and possibly a glut of exploitable bugs in the platform), Zerodium also decreased payouts for another Apple flaw: Apple iOS one-click zero-days with persistence are now worth $1 million (previously worth $1.5 million).
Also, on the iMessage front, most payouts for iMessage zero-days for remote code-execution (RCE) with privilege escalation (LPE) without persistence have been slashed in half, to reach $500,000 instead of $1 million. However, those that are zero-click have been upped in value, with payouts increasing to $1.5 million from $1 million.
Zerodium also added another new bounty — $500,000 for Apple iOS persistence exploits or techniques – and increased payouts for WhatsApp RCE + LPE zero-click exploits from $1 million to $1.5 million.
The move means that payouts for eligible zero-day exploits now range from $2,000 to $2.5 million per submission. The exact bounty amount depends on “the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc.),” according to the company.
Zerodium, launched in 2015 by VUPEN cofounder Chaouki Bekrar, is known for offering lofty payouts for high-risk zero-day exploits. Shortly after it was founded, the company offered a million-dollar bounty for iOS 9 exploits. It then one-upped itself in 2016 by offering a $1.5 million bounty for an iOS 10 remote jailbreak. In 2017, it debuted payouts for private messaging apps such as Signal and WhatsApp, and it said that it will pay up to $1 million for zero-day exploits for Tor Browser on Tails Linux and Windows. And in January, it upped its zero-day payout maximum once again, to $2 million, for remote iOS jailbreaks.
As an vulnerability dealer, Zerodium has not been without controversy for brokering exploits that could end up in the wrong hands. Yet it bills itself as an effort “to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”
It also says that it “analyzes, documents and reports the findings to its clients,” (a small set of organizations and governments), “along with protective measures and security recommendations.”
Interested in more on the internet of things (IoT)? Don’t miss our on-demand Threatpost webinar, IoT: Implementing Security in a 5G World. Join Threatpost senior editor Tara Seals and experts from Nokia, iboss and Sectigo as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments. Click here to listen to the recorded webinar.