Why ‘Zero Day’ Android Hacking Now Costs More Than iOS Attacks

For years, the iPhone was considered the most locked-down mainstream computing device in the world. Its popularity and layers of security protections made any technique to crack it vastly more rare—and more expensive, on the underground market—than comparable Android attacks. But now those economics have shifted. For the first time, a secret hacking tool capable of remotely taking control of an Android smartphone sells for more than its iPhone equivalent.

On Tuesday, the firm Zerodium, which buys and sells so-called zero-day exploits that take advantage of secret software vulnerabilities, published an updated price list. It now offers up to $2.5 million for a so-called zero-click hacking technique that fully, silently takes over an Android phone with no interaction from the target user. That’s not only the most Zerodium has ever offered for any single zero-day exploit; it’s also $500,000 more than the company offers for a zero-click attack that targets an iPhone. And Zerodium actually reduced the price of so-called “one-click” exploits that target iPhones via a web browser, from $1.5 million to $1 million. The price of some iMessage attacks dropped by half, from $1 million to $500,000.

“During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we’ve recently started refusing some them,” Zerodium’s founder Chaouki Bekrar wrote in a message to WIRED. Meanwhile, Bekrar writes, “Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it’s even harder to develop zero-click exploits not requiring any user interaction.”

Bekrar adds that for its top bounties, Zerodium focuses on Google, Samsung, Huawei, and Sony devices. “Exploits for other devices are still interesting and accepted but their price will be discussed on a case by case basis,” he writes.

Zerodium’s new numbers are a dramatic contrast from previous years. When the company released its original, more modest zero-day price list in 2015, it offered up to $500,000 for iOS attacks and a maximum of just $100,000 for Android hacking techniques.

Zerodium

Despite its distinction as the only public list of zero day values, Zerodium’s price chart doesn’t necessarily represent what zero-day buyers like law enforcement and spy agencies might actually pay for fresh hacking tools. Some in the security industry consider Zerodium’s list largely a marketing tool for the company, meant to influence prices rather than record them.

But Maor Shwartz, an independent security vulnerability researcher and founder of the now defunct vulnerability brokerage firm Q-Recon, says the shifts match his own observations. “In today’s reality, the majority of targets are Android, and there are less and less vulnerabilities because a lot of them have been patched,” says Shwartz, who spoke about selling zero days to government customers at last month’s Black Hat security conference. “Starting a year ago, clients would ask me, do you know someone who works on Android and has vulnerabilities? I began to get this hunch that the market is changing.”

Shwartz says that a web-based attack that targets a high-end Android phone can now sell for more than $2 million non-exclusively, meaning that the researcher can sell it for that price to multiple buyers. An web-based iPhone attack, he says, is worth about $1.5 million non-exclusively. That ratio also holds more generally, he says; an Android attack is often worth roughly 30 percent its iPhone equivalent.

It’s long been tougher to find a way into a target device through a phone’s browser on Android than iOS, Shwartz argues, due to the relative security of Chrome versus Safari. But the real source of the changes that have made Android exploits more expensive, he says, is the difficulty of finding a so-called “local privilege escalation” exploit for Android, which allows an attacker to gain deeper control of a phone after they’ve already gotten a foothold. Thanks largely to increased security measures in Android phones, LPE exploits are now roughly as difficult to find for Android as they are for iOS, Shwartz says. Combined with the difficulty of finding a hackable browser vulnerability to start the chain of exploitation, that makes Android a harder—and more expensive—target overall.

Shwartz credits Android’s increased security partly to its open-source strategy finally paying off. While Apple has kept its operating system so locked down that even benevolent security researchers have difficulty sussing out its bugs—a problem it’s tried to solve with a recent expansion and opening up of its bug bounty program—Android’s open-source approach has meant more eyes on its code. While that broadness initially led to more bugs, those vulnerabilities have been patched over time, slowly hardening the operating system. “So many vulnerabilities have been patched that the attack surface is decreased dramatically,” says Shwartz.

Android has long suffered from security patching problems caused by dependence on third-party manufacturers and carriers. Those aren’t captured in Zerodium’s price list, since the company focuses on zero day vulnerabilities in fully patched devices.

But Google has, to its credit, been slowly making the innards of an Android phone less hacker-friendly, including in the release of Android 10 today: It’s adding new file-based encryption, for instance, and revamped “sandboxes” that silo off apps’ access from the rest of the operating system. In fact, Google has spent years adding “mitigations” that make hacking devices harder even when new security bugs are found. In 2018, for instance, it introduced Control Flow Integrity, designed to prevent a malicious program from jumping around in memory to circumvent an older security measure that randomizes the memory locations of code, and Integer Overflow Sanitization, designed to prevent the sort of bug that was exploited in 2015 by a class of attacks known as Stagefright.

But Shwartz notes that beyond those mitigations, the initially higher prices of iOS zero days also attracted outsized attention from security researchers, leading to a comparative glut of iOS attacks. The sheer volume of those attacks was highlighted just last week, when Google revealed that a hacking campaign had used five distinct full iOS exploit chains, embedding those attacks in websites to infect the phones of thousands of victims. In another Google discovery revealed last month, the company’s security researcher Natalie Silvanovich unearthed no fewer than six zero-click attacks for iOS.

Beyond just Android’s added security measures, that imbalance of attention to iOS compared to Android has helped to bump the price of Android zero days, says Shwartz. Those high prices shouldn’t be entirely comforting to high-risk Android users; the attraction of those higher rewards may in fact mean the operating system is due for an increased round of vulnerability research. “Now there’s a real need for Android vulnerabilities and the prices, because of this gap, have been skyrocketing,” Shwartz says. “Every researcher I’ve talked to, I’ve told them, if you want to make money, go focus on Android.”


More Great WIRED Stories

Read More