For the first time, exploit sellers who provide Zerodium with fresh break-in techniques for Android devices can now earn more money from those tools than they would for similar hacks of iOS devices, the company announced Tuesday.
The Washington, D.C., firm just updated its price list, promising to pay $2.5 million to hackers who demonstrate a zero-click exploit chain, a powerful tool that requires no user interaction, for Android devices. Compare that to the $1 million reward available for a one-click iOS full chain exploit, knocked down today from $1.5 million.
Zerodium, founded in 2015, is dedicated to purchasing unpatched security vulnerabilities and reselling those zero-days to corporate and government clients. It didn’t offer any specific explanation for the latest price changes.
A security researcher who pays attention to the market said this round of updates might be pointing to some shifts in how Zerodium’s customers view iOS devices.
“The change in exploit prices is super interesting,” said Patrick Wardle, who probes Apple devices as a principal security researcher at Jamf. “It either means the demand has decreased — which, if that’s the case, means three-letter [federal] agencies and companies are starting to find their own bugs — or supply has increased. I would guess it’s the latter.”
Payouts are based on the popularity and security level of the affected technology, Zerodium said in a blog post, as well as on the quality of the hacking technique and whether it can bypass the product’s security protections.
“[T]he higher the price, the better is the security of the product,” founder Chaouki Bekrar told CyberScoop in 2017.
Tuesday’s update coincides with the release of Android 10, which Google shipped the same day. It also comes just days after researchers from Google’s Project Zero detailed a hacking campaign that targeted thousands of iPhones simply by using malicious websites to infect visitors. Zerodium says it has changed its bounty offers “in accordance with market trends.”
Zerodium also increased payments for zero-click infections of WhatsApp and iMessage to $1.5 million each, both up from $1 million. Those rewards are for techniques that achieve that level of access without persistence, meaning an attacker may lose access to an infected device once it is powered off and restarted.
The reward for a one-click hack without persistence on iMessage is now $500,000, down from $1 million.
Zerodium in January announced it would pay up to $2 million for remote iOS jailbreaks, $1 million for remote code execution in WhatsApp, iMessage, or texting apps, and $500,000 for Google Chrome exploits.