Zero-Day WhatsApp Hacking Vulnerabilities Worth Millions – Parentally, I am concerned about my children’s digital communications; yet, as an advocate of healthy digital education alongside privacy protections.
Hacking mobile phones has become more complex and expensive due to enhanced security measures and mitigations, yet zero-day exploits can still yield millions in gains.
Zero-Day Hacking Vulnerabilities Worth Millions
WhatsApp, as the world’s premier mobile messaging app, has become a target for hackers. Zero-day vulnerabilities – flaws discovered by attackers prior to being fixed by software developers – provide criminals and state-sponsored APT groups a chance to spy on targets more easily than before.
These vulnerabilities can be exploited to gain control of a device and read or delete private messages without user interaction – providing cybercriminals with a lucrative opportunity. Zero-click RCE exploits can prove particularly lucrative as they can be deployed quickly without user intervention required for deployment.
Zerodium brokers recognize the high value of zero-days and are prepared to pay millions of dollars for them, selling them on to criminals, novice hacking groups or governments with sufficient funds for purchase.
Due to demand from government hackers and intelligence agencies that want to keep tabs on their targets, hacking cell phones running iOS and Android has become more costly over time. Hacking popular mobile applications like WhatsApp now costs anywhere between $1.7 and $8 million according to leaked documents, according to estimates released by hacker groups and researchers. These high payouts may reflect government hackers or intelligence services looking for targets they need to spy on.
In 2020 and 2021, WhatsApp fixed three vulnerabilities — CVE-2020-1890, CVE-2020-1910 and CVE-2021-24041 — that all involved how the app processes images.
Zero-Click Remote Code Execution (RCE) Exploits
Zero-click hacks use flaws that enable malicious hackers to gain entry and steal data without the victim’s interaction. They often target communication applications like texting, voice calling, and messaging because these receive and interpret data from untrusted sources allowing for hackers to monitor, read, and exfiltrate messages discreetly.
Zero-click RCE vulnerabilities offer attackers an opportunity to gain entry to an organization’s network and steal confidential information without needing user action to exploit. Luckily, companies can implement various security practices designed to lessen the impact of such hacks.
Technically, it’s critical to ensure all software and web apps are up-to-date, as well as to implement an ongoing vulnerability scan to detect flaws before an attacker takes advantage of them.
With more of our business processes shifting into the cloud, it is vital that we continue to hone our cybersecurity capabilities and protect our networks. This should include deploying a managed security solution with 24/7 threat detection to prevent attackers from exploiting zero-click hacks to gain access to valuable data or disrupt operations for your organization.
Zero-day vulnerabilities can command a high price in the market for hackers who sell them to buyers, such as WhatsApp and Telegram – two popular secure messaging applications – who buy these secrets from Zerodium (a company which brokers vulnerability research). Zerodium offers payments of up to $500,000 from hackers selling zero-day vulnerabilities through its service.
Zero-Click Remote Data Exfiltration (RDE) Exploits
Zero-click vulnerabilities — flaws in software products which remain unknown to their creator — have skyrocketed. Hackers have exploited such vulnerabilities to spy on unwary victims’ devices and apps – leading them down a path toward remote code execution (RCE), privilege escalation, data exfiltration or app manipulation.
Market demand for vulnerabilities stems from technological advancements that have made hacking iOS or Android phones an expensive endeavor, prompting hackers and intelligence agencies to pay more for zero-day hacking techniques that bypass these defenses.
Mashable reports that Zerodium, a Russian firm offering sophisticated bug chains exclusively to “Russian private and government organizations”, is offering $20 million for them to remotely compromise iPhones running iOS or Android, such as WhatsApp or Signal. It appears this premium pricing reflects both researchers unwilling to collaborate with Russia while their invasion of Ukraine persists and an appetite among these customers for paying an increased cost premium.
Exploiting WhatsApp offers several distinct advantages to government hackers employed by intelligence and law enforcement agencies; one being that they only require access to your WhatsApp messages without necessarily needing to compromise your device as a whole. In fact, NSO Group was caught using a zero-day vulnerability specific to WhatsApp to target dissidents and journalists.
Zero-Click Remote Spyware Exploits
Zero-click attacks exploit vulnerabilities within applications rather than asking users to click a malicious link, making these attacks less detectable yet still becoming effective in targeting vulnerable targets. Government hackers tend to prefer this form of attack for its stealthiness and difficulty of detection – likely explaining their increased prevalence among hackers today.
Motherboard and Washington Post reported in 2018 on an incident where Saudi government agents used Pegasus spyware to hack journalist Jamal Khashoggi’s phone using WhatsApp video files sent from one phone to the next containing Pegasus, and were then able to track his location, listen in on calls, read texts messages and access apps on his device.
These types of attacks tend to target high-profile targets, and as a result the price for exploits has skyrocketed over the years. In 2020 alone, an Android zero-click RCE exploit which allowed for monitoring and reading WhatsApp messages was sold for an astonishing $1.7 million!
Though these high-profile hacks are frightening, there are ways you can safeguard against them. One strategy is to centralize all sensitive communications on one device (disappearing messages are an excellent solution), avoid jailbreaking your phone because that bypasses many security features built into its firmware, install verified software from only trusted sources and avoid downloading anything that could contain vulnerabilities that can be exploited through zero-click attacks, etc.
