An overabundance of iOS 0 days pushes their price below the cost of those for Android




Illustration of $ 100 bills sucked into a broadband network.

For the first time, the exploit broker Zerodium is paying a higher price for zero-day exploits targeting Android than for comparable exploits targeting iOS.

An updated price list released Tuesday indicates that Zerodium will now pay $2.5 million each for "full chain (zero-click) with persistence" Android zero-days, versus $2 million for iOS zero-days meeting the same criteria. The previous version of the price list offered $2 million for unpublished iOS exploits but made no reference to Android exploits. Zerodium's founder and CEO, Chaouki Bekrar, told Ars that the broker had been paying "case by case, depending on the chain" for Android exploits.

"Flooded by iOS exploits"

Bekrar told Ars that the decision was motivated by an overabundance of iOS exploit chains, coinciding with the growing difficulty of finding comparable exploits for Android versions 8 and 9. In a message, Bekrar wrote:

In recent months, we have seen an increase in the number of iOS exploits, mostly Safari and iMessage chains, developed and sold by researchers around the world. The zero-day market is so inundated with iOS exploits that we've recently started to refuse some of them.

On the other hand, the security of Android improves with each new version of the operating system thanks to the security teams of Google and Samsung. So it has become very difficult and tedious to develop complete Android exploit chains, and it is even more difficult to develop zero-click exploits requiring no user interaction.

In keeping with these new technical challenges related to Android security and our observation of market trends, we think the time has come to award the highest bounties to Android exploits until Apple improves the security of iOS and strengthens its weakest parts, namely iMessage and Safari (WebKit and sandbox).

Modern operating systems contain various security protections that usually require attackers to combine at least two exploits in an attack chain, each link attacking a different application or defense. Zero-click exploits are those that require no interaction on the part of the end user; an exploit delivered in a text message that lets the attacker take control of a device is one example. In contrast, a one-click exploit requires the end user to take a minimal step, such as visiting a booby-trapped website.

Wake-up call

The price change comes four days after Google's Project Zero researchers announced that users of fully patched versions of iOS had been vulnerable to iOS zero-days exploited in the wild for over two years. Attacks on 14 distinct vulnerabilities were grouped into five separate exploit chains, allowing attackers to compromise up-to-date devices.

The attacks were launched from a small collection of hacked websites that used these exploits to indiscriminately attack all iOS devices that visited them. The attackers used the exploits to install malware that stole photos, emails, login credentials, live location data, and more from iPhones and iPads. Project Zero researchers did not identify any of the websites hosting the exploits. On Monday, researchers at the security company Volexity identified 11 websites serving Uyghur and East Turkestan audiences that likely served the iOS exploits. The Volexity publication stated that one of the sites also appeared to exploit an Android vulnerability that had stopped working in 2017 with the release of Chrome 60.

The Project Zero reports that websites had been openly and indiscriminately exploiting iOS zero-days for more than two years challenge many of the classic assumptions advanced by some security researchers about the security of Apple's mobile operating system. Previously, many assumed that zero-click or one-click attack chains that worked against the latest version of iOS were so expensive and rare that they were used sparingly. The indiscriminate way in which exploits were used on the sites discovered by Project Zero suggested that zero-day iOS exploits were plentiful, despite the considerable expertise required to develop them.

"The latest zero-days affecting the Apple platform announced by Google's Project Zero have somewhat awakened our view of the iOS ecosystem and its security," Jérôme Segura, director of threat intelligence at anti-malware provider Malwarebytes, told Ars. "While it's true that Apple controls the hardware and that operating system updates are adopted quickly, we find that determined hackers are able to bypass iOS security mechanisms more than previously."

Zerodium's update indicates that the $2.5 million price applies to Android versions 8 and 9. The update makes no reference to Android 10, which was released Tuesday, but Bekrar told Ars that this version is also covered. While Zerodium is paying $2.5 million and $2 million for Android and iOS zero-click chains, respectively, the highest price for comparable desktop operating system exploits exceeds a million dollars.

"Mobile users should not be worried because the overall security of mobile devices is now far better than that of any laptop or computer," Bekrar said.
