Fancy buying a compact and bijou cardboard box home in a San Francisco alley? This $2.5m Android bounty will get you nearly there

Bug seller Zerodium boosts payouts for 'droid, slashes iOS prices in half

Bug-broker Zerodium says it will cough up as much as $2.5m in exchange for techniques to silently and remotely hijack Android devices via critical vulnerabilities, signaling a major change in the pricing of security holes.

A new payment structure revealed on Tuesday made clear that flaw-hunters who hook Zerodium up with proof-of-concept full-chain exploits against Google's operating system can claim the $2.5m top prize. Meanwhile, payouts for iOS bugs, which had been considered much more valuable, have been cut by as much as half.

Zerodium did not say what the reasoning was for the move, though the announcement comes in the wake of reports that a handful of critical iOS and Android zero-days were used by the Chinese government to spy on Uyghur Muslims over the course of two or more years.

Pseudonymous infosec guru and ex-exploit-broker The Grugq suggested there is, right now, too much attention on iOS, and too many exploits available for those willing to pay for them, and so Zerodium is upping the price for a rare item – a reliable full-chain Android hijack exploit – to generate and reward interest in Google's platform.

To qualify for the massive payout, a hacker must fully compromise an Android device without any user interaction – such as opening a file – with persistence, meaning the compromise must survive a restart. It's not easy money. Such vulnerabilities are difficult to find in Android, where applications are usually locked away in a sandbox that makes persistent system-level remote-code execution tricky, but not impossible, to achieve.

This is the first time Zerodium has offered a bounty for full-chain Android pwnage. Previous payments were limited to Chrome remote code execution and local privilege escalation flaws, each carrying a maximum payout of $500,000. The new bounty makes Android the most valuable target in Zerodium's bug-buying program. A comparable zero-click full chain bug in iOS will garner a $2m payout, while a zero-click RCE in Windows brings a maximum payment of $1m.

"The amounts paid by Zerodium to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc)," the bug broker notes.

In addition to upping the price for Android exploits, Zerodium says it will be bumping up the payouts for zero-click WhatsApp and iMessage remote code execution and privilege escalation exploits from $1m to $1.5m.

Meanwhile, those looking to cash in on iOS vulnerabilities are in for some bad news, as Zerodium is cutting the payout for one-click (requiring the user to open a file) iOS and iMessage flaws from $1.5m and $1m, respectively, to $1m and $500,000.

Payouts for desktop and server exploits are unchanged.

The announcement comes just a week after Google expanded its bug bounty program for Android code and popular apps that run on it, although to nowhere near the prices Zerodium is offering. ®
