Hacking mobile devices, including those running iOS and Android, is now more difficult and expensive due to advancements in security methods and mitigations. Hacking methods for applications like WhatsApp are now valued at millions of dollars.
A Russian company that purchases “zero-days,” or software flaws that are unknown to the product’s developer, offered $20 million last week for a chain of bugs that would enable their clients, which the company claimed are “Russian private and government organizations only,” to compromise iOS and Android-powered smartphones remotely. Given the ongoing invasion of Ukraine, it’s likely that fewer researchers are eager to collaborate with Russia, and Russian government clients are more likely to be willing to pay more, given the current situation.
Prices have increased, though, even in areas outside Russia, including solely for bugs in particular apps.
According to leaked papers obtained by TechCrunch, a zero-day that enables its user to break into a target’s WhatsApp on Android and read the contents of chats can cost anywhere between $1.7 and $8 million as of 2021.
A security researcher with market knowledge who asked to remain anonymous because they weren’t permitted to speak to the press said, “They’ve shot up.”
Government hackers, more likely to employ zero-day vulnerabilities, frequently target WhatsApp. Researchers discovered NSO Group customers exploiting a zero-day exploit to attack WhatsApp users in 2019. Soon after, WhatsApp filed a lawsuit against the Israeli surveillance technology provider, alleging that it had abused the platform to enable its customers to use the zero-day attack against over a thousand WhatsApp users.
One of the released documents claims that in 2021, a business was charging $1.7 million for a “zero-click RCE” in WhatsApp. RCE, or remote code execution, is a term used in cybersecurity to describe a weakness that enables malevolent hackers to execute code remotely on a target’s equipment. Or, in this instance, within WhatsApp, enabling them to watch, read, and steal communications. The term “zero-click” alludes to the attack requiring no target contact, making it more covert and challenging to identify.
According to the document, the exploit was introduced in 2020 and was compatible with Android versions 9 to 11, taking advantage of a bug in the “image rendering library.” Three vulnerabilities — CVE-2020-1890, CVE-2020-1910, and CVE-2021-24041 — involving how the app handles photos were all resolved by WhatsApp in 2020 and 2021. It’s unclear if these updates fixed the vulnerabilities that gave rise to the exploits offered for sale in 2021.
The benefit of focusing on WhatsApp is that government hackers, such as those employed by intelligence or law enforcement agencies, may occasionally be interested in a target’s WhatsApp messages, negating the need to attack the entire phone. However, a WhatsApp-specific attack could be a link in a chain that further compromises the target’s device.
“The exploit buyers are interested in the exploits for what they enable—spying on their targets,” said a security researcher with industry expertise who wanted to remain anonymous to discuss sensitive topics. “If the exploit they purchase does not provide them with everything they desire, they must purchase additional pieces and combine them.”
