
For the first time ever, the security exploit broker Zerodium is paying a higher price for zero-day attacks that target Android than it pays for comparable attacks targeting iOS.

An updated price list published Tuesday shows Zerodium will now pay $2.5 million apiece for "full chain (Zero-Click) with persistence" Android zero-days, compared with $2 million for iOS zero-days that meet the same criteria. The previous program overview offered $2 million for unpublished iOS exploits but made no reference at all to Android exploits. Zerodium founder and CEO Chaouki Bekrar told Ars the broker paid on a "case by case basis depending on the chain" for Android exploits.

"Flooded by iOS exploits"

Bekrar told Ars the move was prompted by a glut of working iOS exploit chains that has coincided with the growing difficulty of finding comparable exploits for versions 8 and 9 of Android. In a message, Bekrar wrote:

During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we've recently started refusing some [of] them.

On the other hand, Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it's even harder to develop zero click exploits not requiring any user interaction.

In accordance with these new technical challenges related to Android security and our observations of market trends, we believe that the time has come to allocate the highest bounties to Android exploits until Apple re-improves the security of iOS and strengthens its weakest parts, which are iMessage and Safari (WebKit and sandbox).

Modern operating systems contain a variety of security protections that typically require attackers to combine two or more exploits in an attack chain, with each link tackling a different application or defense. Zero-click exploits are those that don't require any interaction at all on the part of the end user; an exploit that arrives in a text message and allows the attacker to take control of a device is an example. A one-click exploit, by contrast, requires the end user to take minimal action, such as visiting a booby-trapped website.

Wake-up call

The price change comes four days after researchers from Google's Project Zero reported that users of fully patched versions of iOS had been vulnerable to iOS zero-days that were exploited in the wild for more than two years. Attacks against 14 separate vulnerabilities were packaged into five separate exploit chains that gave the attackers the ability to compromise up-to-date devices.

The attacks were waged from a small collection of hacked websites that used the exploits to indiscriminately attack every iOS device that visited. Attackers used the exploits to install malware that stole photos, emails, login credentials, live location data, and more from iPhones and iPads. Project Zero researchers didn't identify any of the websites that hosted the exploits. On Monday, researchers from security firm Volexity identified 11 websites serving Uyghur and East Turkistan visitors that likely served the iOS exploits. The Volexity post said one of the sites also appeared to exploit an Android vulnerability that stopped working in 2017 with the release of Chrome 60.

The Project Zero report