Zerodium, a “leading exploit acquisition platform for premium zero-days and advanced cybersecurity research”, has updated its price list. Apparently, Android exploits are now more expensive than iOS exploits, for the first time in history.
Zerodium is now paying much more for Android exploits, iOS exploits price drops
Zerodium is promoted as a company that pays “BIG bounties to security researchers to acquire their original and previously unreported zero-day research”. The company has been focused on high-risk vulnerabilities with fully functional exploits. Their payout can reach up to $2 million per submission.
In its latest update, Zerodium’s pricelist is putting Android exploits ahead of iOS ones. From now, an Android zero-click exploit chain that requires no user interaction could get researchers a payout of up to $2.5 million, whereas the same exploit chain in iOS is estimated at $2 million.
Compared to what Zerodium was offering last year, the price for Android exploits has jumped multiple times, as the payout used to be up to $200,000.
Here’s a list of the changes the company made to its pricelist:
New Payouts (Mobiles):
$2,500,000 – Android full chain (Zero-Click) with persistence (New Entry)
$500,000 – Apple iOS persistence exploits or techniques (New Entry)
Increased Payouts (Mobiles):
$1,500,000 – WhatsApp RCE + LPE (Zero-Click) without persistence (previously: $1,000,000)
$1,500,000 – iMessage RCE + LPE (Zero-Click) without persistence (previously: $1,000,000)
Decreased Payouts (Mobiles):
$1,000,000 – Apple iOS full chain (1-Click) with persistence (previously: $1,500,000)
$500,000 – iMessage RCE + LPE (1-Click) without persistence (previously: $1,000,000)
Desktops/Servers:
No modifications
Why are Android exploits more valuable now?
According to a tweet from the company’s Twitter account, the updates in the prices “for major Mobile exploits” is “in accordance with market trends.”
“For the first time, we will be paying more for Android than iOS. We’ve also increased WhatsApp & iMessage (0-click) but reduced the payout for iOS (1-click) in accordance with market trends,” the company said.
Considering the nature of Zerodium’s work, the price changes may be linked to the growing interest in Android exploits from law enforcement and government agencies.
A couple of days ago, several privilege escalation exploit chains were discovered in iOS devices by Google’s Threat Analysis Group (TAG) and Project Zero teams.
The vulnerabilities were actively used by threat actors who also used compromised websites to carry out watering hole attacks against iPhone users. Almost all versions between iOS 10 and iOS 12 were affected. The websites used in these attacks were visited thousands of times on a weekly basis.
In 2016, the company was willing to pay $1.5 million for a remote exploit, at the time of the release of iOS 10. In comparison, back then Apple was offering $200,000 for iOS zero-day vulnerabilities via its private bug bounty program.