Exploit acquisition firm Zerodium announced on Tuesday that it’s offering up to $2.5 million for powerful Android exploits, more than what it’s offering for the same type of exploit on iOS.
Zerodium is now offering up to $2.5 million for what it describes as a “full chain” Android exploit that provides persistence and requires no user interaction (i.e. zero clicks). The same type of iOS exploit is worth up to $2 million.
The company also informed bug bounty hunters that it now offers up to $500,000 for exploits or techniques that can be used to achieve persistence on Apple’s iOS mobile operating system.
The maximum payouts for remote code execution and local privilege escalation exploits targeting WhatsApp (on both Android and iOS) and iMessage are now $1.5 million, up from $1 million. Exploits in this category don’t need to provide persistence, but they must work with no user interaction.
Zerodium has also decided to decrease some iOS-related payouts. Specifically, an iOS full chain exploit that provides persistence and requires only one click to trigger is worth up to $1 million, down from $1.5 million. In addition, the maximum reward for a remote code execution and local privilege escalation exploit for iMessage that does not provide persistence and requires only one click has been reduced to $500,000 from $1 million.
The company says these modifications are “in accordance with market trends.”
The security expert known as Grugq has a long thread on Twitter explaining why Android exploits are now worth more than iOS exploits.
Zerodium’s announcement comes just days after Google disclosed the details of five iOS exploit chains, including one that has been used to remotely hack iPhones for at least two years. The attack was carried out by what experts believe to be a state-sponsored threat group whose goal was to deliver spyware.