Well, there’s some good news for hackers and vulnerability hunters, though terrible news for Google, Android device manufacturers, and their billions of users worldwide.
The zero-day buying and selling industry has recently taken a shift towards Android operating system, offering up to $2.5 million payouts to anyone who sells ‘full chain, zero-click, with persistence’ Android zero-days.
Just like other traditional markets, the zero-day market is also a game of supply, demand, and strategy, which suggests either the demand of Android zero-days has significantly increased or somehow Android OS is getting tougher to hack remotely, which is unlikely.
In it’s latest notification, Zerodium—a startup that buys zero-day exploits from hackers, and then probably sells them to law enforcement agencies and nation-sponsored spies around the world—said it’s looking for hackers who can develop full chain Android exploits.
The company is ready to pay up to $2.5 million for such exploits that can be used to gain persistence access on an Android device with no indication and interaction from the target user; a straight 12x jump from its previous price tag of $200,000.
While the same type of zero-day exploits for iOS devices are worth $2 million, which is still double than what Apple has recently started offering to hackers to responsibly report severe deadly exploits, described as “a zero-click kernel code execution vulnerability that enables complete, persistent control of a device’s kernel.”
Besides Android exploits, Zerodium has also announced to offer $500,000 for submitting new persistence exploits or techniques for iOS, and increased payouts of WhatsApp and iMessage exploits.