Android Zero-Day exploits are the most expensive in the new Zerodium price list

Zero-day broker Zerodium has updated the price list for both Android and iOS exploits, with Android ones having surpassed the iOS ones for the first time.

For the first time, the price for Android exploits is higher than the iOS ones, this is what has emerged from the updated price list published by the zero-day broker Zerodium.

A zero-click exploit chain for Android would be rewarded with up to $2.5 million, while an exploit chain for iOS only $2 million.

“Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it’s even harder to develop zero click exploits not requiring any user interaction,” explained Zerodium’s CEO Chaouki Bekrar.

Zerodium also announced it has increased the payouts for eligible iMessage and WhatsApp 0-click exploits. The company also reduced payouts for iOS 1-click exploits.

RCE + LPE exploits without persistence for iMessage and WhatsApp could be rewarded with a $1,500,000 payout (+50% previous price tag).

“ZERODIUM payouts for eligible zero-day exploits range from $2,000 to $2,000,000 per submission.” states Zerodium.

“The amounts paid by ZERODIUM to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc),”

Zerodium will also potentially pay higher payouts for “exceptional” exploits that meet its “highest requirements.”

The price for WhatsApp zero-click exploits increased because the demand for such kind of exploits is growing.

In March 2019, the exploit acquisition firm offered up to $500,000 for VMware ESXi and Microsoft Hyper-V vulnerabilities. At the time, the offer for Microsoft Hyper-V exploit represented a novelty in the Zerodium’s offer, it was the first time that the zero-day broker included a payout for this kind of exploits.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Zerodium, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.