People are beginning to notice that it is easy to hack an iPhone, and the number of Zero Day attacks has risen. This flies in the face of the Tame Apple Press, which claims that Apple is more secure than Android and always has been.
An updated price list published Tuesday shows Zerodium will now pay $2.5 million apiece for “full chain (Zero-Click) with persistence” Android Zero Days compared with $2 million for iOS Zero Days that meet the same criteria. The previous programme overview offered $2 million for unpublished iOS exploits but did not refer at all to the exploits for Android.
Zerodium founder and CEO Chaouki Bekrar said he paid on a "case by case basis depending on the chain" for Android exploits. But there was a glut of working iOS exploit chains, which has coincided with the growing difficulty of finding comparable exploits for versions 8 and 9 of Android.
Bekrar said that in the last few months his company had seen an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. "The zero-day market is so flooded by iOS exploits that we've recently started refusing some of them," he said.
"Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became hard and time-consuming to develop full chains of exploits for Android, and it's even harder to develop zero-click exploits not requiring any user interaction", he said.
"By these new technical challenges related to Android security and our observations of market trends, we believe that time has come to allocate the highest bounties to Android exploits until Apple re-improves the security of iOS and strengthens its weakest parts which are iMessage and Safari (Webkit and sandbox)."
Modern operating systems contain a variety of security protections that typically require attackers to combine two or more exploits in an attack chain, with each link tackling a different application or defence. Zero-click exploits are those that don’t require any interaction at all on the part of the end-user. An exploit that arrives in a text message and allows the attacker to take control of a device is an example. A one-click exploit, by contrast, requires the end user to take minimal action, such as visiting a booby-trapped website, Bekrar said.