Exploit broker Zerodium will now pay $2.5 million for a combination of exploits that gives an attacker control over an Android phone -- an offer that now exceeds what it will pay for an equivalent set of iOS exploits.
The new pricing schedule was announced on Tuesday and comes as Google launched Android 10 and in the wake of Google revealing that hackers had been using multiple iOS bugs — some of them previously undisclosed ‘zero day’ flaws — in attacks targeting iPhone users en masse for years.
Zerodium is one of a few companies that buy bugs from hackers and sell them to spy agencies and law enforcement customers. Two of many choices hackers have when they find a security bug is to submit them to the affected vendor or sell them exclusively to resellers like Zerodium.
Historically the company’s prices for Android bugs have paled in comparison to equivalent iOS bugs, which seemed to support the view that exploits for iOS bugs against unpatched systems were much rarer than for Android devices that historically have not been consistently patched by device manufacturers and carriers, and in many cases abandoned by them.
For example, in 2016, a remote iOS jailbreak was worth $1.5 million while the equivalent bug for Android was worth just $200,000. In January it bumped up the offer for an iOS bug to $2 million.
Zerodium now offers $2.5 million for a “zero-click” combination of exploits that can give an attacker full control over an Android device even after a reboot. The equivalent iOS attack is still worth $2 million and that’s also twice what Apple will pay for an iOS kernel hack under its new bug bounty pricing.
As Zerodium notes, the amount it’s willing to pay for exploits “depend on the popularity and security level of the affected software/system”.
The company also decreased the price of one-click iOS exploit chains from $1.5 million to $1 million and halved the price of remote code execution flaw for iMessage to $500,000.
Zerodium CEO Chaouki Bekrar commented on Twitter today that “Google/Samsung have considerably improved their security. iOS chains (1-click) e.g via Safari reduced to $1M as there’s a bunch of them on the market, sad but true.”
Problems with the security of Apple’s iOS security have been in the spotlight recently, largely due to the work of security researchers at Google Project Zero.
The group last week exposed a widespread hacking campaign targeting iPhone users for several years by rigging select but unnamed websites with exploits for multiple iOS vulnerabilities.
The targets were reportedly Uyghur people with the implication that the attackers worked for the Chinese government.
While the prices offered by Zerodium for both iOS and Android exploits seems high, Project Zero’s Stan Beer, who detailed the technical aspects of the iOS exploits, said that even a $20 million price tag would “seem low for the capability to target and monitor the private activities of entire populations in real time.”
He also challenged the value of promoting the idea that one operating system was inherently more secure than another. Historically iOS has been seen as more secure because Apple can push updates to all iOS devices faster than multiple Android OEMs and carriers can push Google's Android updates to their devices.
“Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted,” he wrote.
Before Beer's post, Project Zero researchers detailed work uncovering 10 Apple bugs, most of which stemmed from flaws in Apple’s iMessage messaging system. Natalie Silvanovich, a researcher in the group, implored Apple to cut out unnecessary code from iMessage to reduce risks to iPhone users.
“The majority of vulnerabilities occurred in iMessage due to its broad and difficult to enumerate attack surface,” Silvanovich wrote.
“Most of this attack surface is not part of normal use, and does not have any benefit to users... Overall, the number and severity of the remote vulnerabilities we found was substantial. Reducing the remote attack surface of the iPhone would likely improve its security.”