A zero day exploit in Apple’s mobile operating system iOS that allows for remote code execution has been advertised for sale for 8m, according to leaked documents.

Apple zero day vulnerability
Apple zero days can cause big disruption. (Photo courtesy of Shubhashish5/iStock)

The primary exploit being sold as part of the “Nova” package allows for the targeted injection of code from a web browser into the operating system, according to the documents shared by cybersecurity code repository vx-underground. This is exploited via a phishing attack where a link is clicked and the vulnerability triggered.

The marketing documents, which appear to be from cyber intelligence company Intellexa, set out the details of the exploit and what the seller will get in return for the purchase price. These were first shared last month by the unnamed group, but vx-underground says it “has no way to determine the validity of the seller”.

It isn’t clear whether the exploits being advertised have already been patched by Apple but the seller offers a 12 month warranty, so even if they are patched the buyer will be given alternatives that they can use instead.

The exploit is listed as working on iOS 15.4.1 and versions back a year which suggests the flaw was patched in more recent versions of the mobile operating system. It also works on Android 12 and below. As well as the 0 day exploit, the price includes exploits for other devices and cloud support for the web browser-based code injection.

Tech Monitor has approached Intellexa for comment.

The growing and lucrative trade in zero day exploits

The trade in zero day exploits is growing, with the target market not just cybercriminals but national governments and companies like NSO Group which uses them in its Pegasus software that gives its customers access to targeted mobile devices.

Zero click exploits, which can be implemented without the end user’s knowledge, are the most sought after, but single click vulnerabilities, like the one apparently being sold by Intellexa, are also in high demand, particularly if they can be used against common operating systems like iOS and Android.

Last year there were 58 zero day vulnerabilities discovered, according to Google’s Project Zero, which tracks new zero day issues with major software vendors. There have been 23 patched zero day exploits so far this year, according to Project Zero, although that doesn’t list those still in the wild like the type being sold by the unknown group.

A market for zero days has existed for many years, but "the field has changed significantly since the early 2000s", says Dr Max Smeets, a researcher at the ETH Zurich University centre for security studies. "Back then we saw very few security researchers talking about how they would be willing to sell these exploits to the highest bidder," he told Tech Monitor earlier this year. "And it would be an individual selling to a nation state or particularly a private sector company."

"Many European countries won't buy zero day exploits, but there are a select number of countries that will buy them," Dr Smeets added. "This includes the US government, which has a huge budget, and the UK government and we know typically they are bought by the intelligence agencies like the CIA or the NSA, although as we see more countries establish military cyber commands they may be interested too."

How spyware like Pegasus uses zero day exploits

NSO’s flagship Pegasus software, one of the major players in the spyware sector, can be deployed to iPhone and Android devices remotely to give the client access to the data and sensors on the target phone. It is classified as a weapon by the Israeli government and its sale is restricted to foreign governments but not private entities.

It makes use of zero day exploits to infiltrate a device without the owner noticing and once in the system can copy messages, harvest photos, record calls and even secretly record through the camera or microphone.

NSO Group has been hit by multiple lawsuits after allegations its tools had been misused by governments and non-governmental agencies to hack the mobile phones of journalists and politicians. The company says its technology is intended to help in the fight against terrorism as well as catch paedophiles and criminals.

Apple zero day exploits common in 2022

Earlier this month Apple was forced to publish an urgent update for iOS, iPadOS and macOS to fix a pair of zero day vulnerabilities that were already being exploited by cybercriminals. These were the sixth zero day patches since January, not including zero day vulnerabilities in software that runs on Apple devices.

Apple has now had to issue six zero day patches since January which shows the “persistency of attackers looking for vulnerabilities in popular applications”, according to Jake Moore, global cybersecurity advisor at ESET. “Moreover, finding one in a Mac can be extra lucrative due to many people still wrongly assuming Macs are always protected without bespoke security and antivirus installed," Moore said.

He criticised a lack of information from Apple on the vulnerabilities, describing it as a “big update” that should be installed immediately. “Issues with the kernel usually mean big potential problems and means people should update straight away,” he said.

“Unfortunately, being able to take over the operating system, hackers would be able to control whatever they desire making this a very serious flaw indeed and would need patching immediately," he said.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Can DAOs survive the onslaught of cybercrime?