
A WhatsApp zero-day exploit can cost several million dollars

TechCrunch reported that a working zero-day exploit for the popular WhatsApp app can fetch millions of dollars.

Research into zero-day exploits for popular applications such as WhatsApp is even more complex due to the security mechanisms implemented by the developers of the mobile OSs and of the app.

TechCrunch reported that zero-day exploits for popular applications like WhatsApp “are now worth millions of dollars”.

TechCrunch obtained leaked documents showing that, as of 2021, a zero-click, zero-day exploit for the Android version of WhatsApp had a bounty between $1.7 and $8 million. Someone was willing to pay these large sums to remotely gain access to a target's messages.

According to the documents, a company was selling a zero-click exploit for a remote code execution (RCE) vulnerability in WhatsApp for around $1.7 million.

“The document said the exploit worked for Android versions 9 to 11, which was released in 2020, and that it took advantage of a flaw in the ‘image rendering library.’ In 2020 and 2021, WhatsApp fixed three vulnerabilities — CVE-2020-1890, CVE-2020-1910, and CVE-2021-24041 — that all involved how the app processes images. It’s unclear if these patches fixed the flaws underlying the exploits that were on sale in 2021,” wrote Lorenzo Franceschi-Bicchierai on TechCrunch.

The surveillance market is booming: intelligence agencies, law enforcement bodies, and zero-day brokers are competing to buy exploits that allow them to compromise devices and apps.

In some cases, an exploit for a single vulnerability is enough to spy on a target; in other cases, threat actors combine multiple issues in an exploit chain to achieve the same effect.

In mid-September, researchers from the Citizen Lab and Google’s Threat Analysis Group (TAG) revealed that the three Apple zero-days (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) addressed in the same period were used as part of an exploit to install Cytrox Predator spyware.

The three flaws were discovered by Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group. The two research teams have already discovered multiple zero-days in Apple products that were actively exploited in targeted attacks against high-profile individuals, such as opposition politicians, dissidents, and journalists.

The Russian zero-day broker firm Operation Zero recently increased payouts for top-tier mobile exploits. The company is willing to pay up to $20,000,000 for zero-day exploits for iPhone and Android devices.

The Russian company pointed out that the end user of its exploits is a non-NATO country; it added that it decided to increase the payout due to high demand on the market.

Unlike other zero-day brokers, such as Zerodium and Exodus Intelligence, Operation Zero focuses on the Russian market. Operation Zero’s clients include Russian government agencies and private businesses.


Pierluigi Paganini
