Android exploits are now worth more than iOS exploits for the first time

Exploit broker Zerodium increases zero-day prices for Android, now worth more than iOS.

Zerodium, a firm that claims to buy software exploits and sell them to government and law enforcement agencies, has today updated its price list, and for the first time ever, Android exploits are now worth more than iOS exploits.

According to the company, starting today a zero-click exploit chain for Android can earn hackers and security researchers up to $2.5 million. A comparable exploit chain for iOS is worth just $2 million.

Zerodium's current price for Android exploits is nearly twelve times higher than the $200,000 maximum the firm was prepared to pay a year ago, and more than 100 times higher than what Zerodium was paying for some lower-impact Android exploits.


Zerodium timed its announcement to coincide with Google's official launch of Android 10, planned for later today. A Google spokesperson did not respond to a request for comment.

Higher rewards are also paid for IM exploits

Zerodium also announced that it is increasing payouts for exploits in instant messaging clients, regardless of the operating system they run on.

An exploit chain combining an RCE and an LPE bug (no user interaction) in WhatsApp or iMessage is now worth $1.5 million, even if it does not achieve persistence across reboots.

If user interaction is required, the price for such an exploit chain is $1 million for WhatsApp and $500,000 for iMessage.

A Market Change

Similar bugs in these two IM applications would have brought in only up to $500,000 last year.

In a tweet from Zerodium's official Twitter account, the company stated that the price updates "consist in market trends." This is consistent with what Zerodium CEO Chaouki Bekrar said in an interview this March, following the company's launch of a program to buy zero-days in cloud-based technologies.

Bekrar said that Zerodium's clients are the ones asking for particular exploits, and his company responds by raising its payouts.

In other words, today's Zerodium price increase can be read as a sign of sudden interest from law enforcement and government agencies around the globe in acquiring exploits for Android devices.

When ZDNet asked Bekrar today whether Android market fragmentation would play a part in which exploits his company accepts, the Zerodium exec said it "would concentrate mostly on Google, Samsung, Huawei and Sony phones."

Before today, most exploit brokers, not just Zerodium, priced iOS exploits higher because iPhones run on the same hardware and are largely up to date, making it easier for Apple to secure its phones and harder for hackers to break into them.

By comparison, dozens of Android OEMs produce their own phones on a wide range of hardware, and most of today's Android devices are hopelessly out of date, with mobile carriers and device vendors having failed to deliver over-the-air (OTA) security updates for years.

Bekrar went on to describe how this landscape, together with the security characteristics of the two operating systems, contributed to Zerodium's increase in Android zero-day prices.

"We have witnessed over the past few months a growing number of iOS exploits, mainly Safari and iMessage chains, created and marketed by researchers from all over the globe," said the CEO of Zerodium. "The zero-day market is so overflowing with iOS exploits that we have recently started to refuse some of them."

On the other hand, Android security is improving with every new version of the OS thanks to the Google and Samsung security teams, so it has become very difficult and time-consuming to develop full exploit chains for Android, and even harder to develop zero-click exploits that don't require any user interaction.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.