September 4, 2019, updated 06 Jul 2022 6:54am

Android Zero Days Now Worth More than iOS: Exploit Broker

Average payout for critical vulnerabilities on HackerOne: $3,384

By CBR Staff Writer

Android zero days (previously unseen vulnerabilities that can be used by hackers) are now worth more on the exploit market than iOS vulnerabilities for the first time, according to broker Zerodium, which has updated its price list to reflect what it says is a “flood” of iOS exploits.

Zerodium says it is now offering $2.5 million for a “full-chain”, zero-click exploit of the Android operating system that has persistence (continues to be usable by an attacker after the OS is rebooted). It has also increased payouts for WhatsApp and iMessage exploits by $500,000.

It has halved the price it is paying hackers for Apple iOS full chain (1-Click) with persistence exploits to $500 from $1 million, also halving its fee for iMessage remote code execution with local privilege escalation.

The move comes a week after Google revealed a series of so-called watering hole websites were being used by an unknown APT to hack iPhones, using up to 17 unpatched vulnerabilities and zero days — and follows Apple’s own decision to overhaul its bug bounty programme.

Apple now offers a $1 million bounty for proof of a zero-click, full-chain kernel code execution attack, a sharp increase from $200,000, and has opened the programme up to all white hats rather than keeping it invitation-only. The escalating price hikes on both the white hat and black hat side of the table represent something of a mobile operating system arms race.

Because Android is open source rather than a closed ecosystem, it is arguably easier to identify bugs in it, but also easier to harden the source code.

Zerodium's decision comes as Corellium, a company that offers a “perfect facsimile” of iOS for bug hunters to use, is being sued by Apple.

Apple argues that Corellium, which is much admired by those seeking to find vulnerabilities in its iOS, “makes no effort whatsoever to confine use of its product to good-faith research and testing of iOS.”

While exploit brokers like Zerodium and bug bounty programmes both tout vastly increased payouts, the reality is often rather different. The average bounty paid for critical vulnerabilities in 2018 on the HackerOne platform was $3,384. While that is a 48 percent increase over last year’s average of $2,281, even a string of critical vulnerability finds is unlikely to create many millionaires.
