Flooded market for iPhone security flaws makes Android zero-days worth more than iOS
Exploit broker Zerodium will pay $500,000 more for top Android security flaws than Apple iOS exploits
More iPhone exploits are available in the market now than ever before, causing their prices to dip compared to Android exploit pricing.
That's according to the latest figures from vulnerability broker Zerodium.
Zerodium founder Chaouki Bekrar told Motherboardthat the supply of Apple iOS exploits has ballooned in recent months. As a result, Zerodium is now paying more for Android security than iOS flaws for the first time.
There are so many iOS exploits that we're starting to refuse some of them
"The zero-day market is flooded by iOS exploits, mostly Safari and iMessage chains, mainly due [to] a lot of security researchers having turned their focus into full time iOS exploitation," said Chaouki Bekrar.
"They've absolutely destroyed iOS security and mitigations. There are so many iOS exploits that we're starting to refuse some of them," he added.
Zerodium is known for buying exploits for Android and iOS and then selling access to those exploits to government clients.
But as a result of the flooded market Zerodium is now valuing Android hacks higher than iOS hacks.
Zerodium said it will now offer $2.5 million for exploits that faciliate "complete takeover" of Android devices without requiring any click from the user. However, the same vulnerability on the iPhone is only worth $2 million.
Most of the iPhone exploits currently available in the market are not 'intelligence-grade'
Zero day security flaws are the vulnerabilities that are not known to the companies developing the hardware or software. Such exploits are especially sought-after by government intelligence agencies and, therefore, can fetch a high price on various marketplaces.
According to Bekrar, Google has now been paying close attention to Android security, improving it with every new version. As a result, it has become more challenging and time consuming for security researchers to develop full exploit chains for Android.
It is even harder to write zero-click exploits, which don't require any user interaction at all.
Crowdfense, another exploit broker, told Motherboard that most of the iPhone exploits currently available in the market are not 'intelligence-grade' and therefore not highly useable by government clients, despite the wider usage of Android devices around the world.
Apple iPhone security has faced intense scrutiny in recent days after Google's Project Zero team claimed that hackers had been installing spyware on numerous iPhones for at least two years.
The researchers said they had discovered several hacked websites that exploited a series of previously undisclosed security flaws to indiscriminately attack any iPhone that visited them.
In general, Apple has a good reputation regarding its response on security matters. Last month, the company announced that it was increasing its maximum bug bounty from $200,000 to $1 million in a bid to ensure security researchers turn-in any security flaws they find to Apple - rather than selling them on the grey market.
Earlier this week, the company released a fix for a critical iOS security flaw accidentally reintroduced in its last update, after previously being patched.
The flaw, patched in iOS 12.3 but unpatched in iOS 12.4, enabled targeted iPhones and iPads to be 'jailbroken', enabling attackers to implant malware or take control of the device.