Cash Value of Android Zero-Day Exploits Surpasses iOS
Apple has long positioned itself as the more secure alternative to open platforms like Windows and Android, but that might no longer be the case. As previously unreported “zero-day” iOS exploits pile up, security researchers are seeing the cash value of such research fall. Zerodium, the largest purchaser of such flaws, has updated its bug bounty payments. Android exploits now command a maximum of $2.5 million, while iOS tops out at $2 million.
Last month, we reported on a series of iOS exploits uncovered by Google’s Project Zero. Google isn’t in the business of selling exploits, so it researched the scheme and reported it to Apple in a responsible manner. Google detected websites using multiple attack chains to steal data from almost all versions of iOS, and those sites had been operating for at least two years.
Apple rolled out an update to iDevices that blocked those exploits, but you have to wonder how many more unreported attacks are floating around out there. The perpetrators of this hack weren’t even treating the exploits like a valuable commodity. They were hacking iPhone users indiscriminately when they could have been using targeted attacks against high-value targets. They might never have been caught going that route.
Zerodium buys exploits for big money so it can exclusively report the research and mitigation measures to its corporate and government clients. Zerodium founder and CEO Chaouki Bekrar says that the company still gets ample submissions for iOS exploits, mostly connected to Safari and iMessage. There are so many that the company has started turning down some offers from researchers. On the other hand, functional zero-click or one-click exploits for Android are increasingly rare, especially for versions 8.0 and later.
Given the state of the major operating systems, Zerodium decided it makes sense to assign a higher value to Android exploits. Zerodium doesn’t pay $2.5 million for just any Android hack, though. Researchers have to submit basic details of the hack first, and then wait on an offer from Zerodium. The $2.5 million top offer only applies to serious flaws in Android 8, 9, or 10. Apple’s lower $2 million maximum bounty is still nothing to sneeze at; serious exploits for desktop systems top out at $1 million. Since mobile platforms were built more recently, they have more security features integrated at a low level. That makes them harder to hack than desktop operating systems.