Bug-broker Zerodium says it will cough up as much as $2.5m in exchange for techniques to silently and remotely hijack Android devices via critical vulnerabilities, signaling a major change in the pricing of security holes.
A new payment structure revealed on Tuesday made clear that flaw-hunters who hook Zerodium up with proof-of-concept full-chain exploits against Google's operating system can claim the $2.5m top prize. Meanwhile, payouts for iOS bugs, which had been considered much more valuable, have been cut by as much as half.
Zerodium did not say what the reasoning was for the move, though the announcement comes in the wake of reports that a handful of critical iOS and Android zero-days were used by the Chinese government to spy on Uyghur Muslims over the course of two or more years.
Pseudonymous infosec guru and ex-exploit-broker The Grugq suggested there is, right now, too much attention on iOS, and too many exploits available for those willing to pay for them, and so Zerodium is upping the price for a rare item – a reliable full-chain Android hijack exploit – to generate and reward interest in Google's platform.
To qualify for the massive payout, a hacker must fully compromise an Android device without any user interaction – such as opening a file – with persistence, meaning the compromise must survive a restart. It's not easy money. Such vulnerabilities are difficult to find in Android, where applications are usually locked away in a sandbox that makes persistent system-level remote-code execution tricky, but not impossible, to achieve.
This is the first time Zerodium has offered a bounty for full-chain Android pwnage. Previous payments were limited to Chrome remote code execution and local privilege escalation flaws, each carrying a maximum payout of $500,000. The new bounty makes Android the most valuable target in Zerodium's bug-buying program. A comparable zero-click full-chain bug in iOS will garner a $2m payout, while a zero-click RCE in Windows brings a maximum payment of $1m.
"The amounts paid by Zerodium to researchers to acquire their original zero-day exploits depend on the popularity and security level of the affected software/system, as well as the quality of the submitted exploit (full or partial chain, supported versions/systems/architectures, reliability, bypassed exploit mitigations, default vs. non-default components, process continuation, etc)," the bug broker notes.
In addition to upping the price for Android exploits, Zerodium says it will be bumping up the payouts for zero-click WhatsApp and iMessage remote code and privilege escalation from $1m to $1.5m.
Meanwhile, those looking to cash in on iOS vulnerabilities are in for some bad news, as Zerodium is cutting the payout for one-click (requiring the user to open a file) iOS and iMessage flaws from $1.5m and $1m, respectively, to $1m and $500,000.
Payouts for desktop and server exploits are unchanged.
The announcement comes just a week after Google expanded its bug bounty program for Android code and popular apps that run on it, although to nowhere near the prices Zerodium is offering. ®