The market for zero-day exploits, especially for widely used apps such as WhatsApp, has become highly lucrative. TechCrunch reports that these exploits can now fetch millions of dollars. Leaked documents obtained by TechCrunch reveal that in 2021, a zero-click, zero-day exploit for the Android version of WhatsApp was priced between $1.7 and $8 million, indicating the high stakes involved in gaining remote access to a target's messages.
The documents further reveal that a company was offering a zero-click exploit for a remote code execution (RCE) vulnerability in WhatsApp for approximately $1.7 million. “The document said the exploit worked for Android versions 9 to 11, which was released in 2020, and that it took advantage of a flaw in the image rendering library.” In 2020 and 2021, WhatsApp addressed three vulnerabilities—CVE-2020-1890, CVE-2020-1910, and CVE-2021-24041—all of which involved how the app processes images. However, it remains unclear whether these patches rectified the flaws exploited in 2021.
The surveillance market is booming, with intelligence agencies, law enforcement bodies, and zero-day brokers vying for exploits that can compromise devices and apps. Sometimes, a single vulnerability can enable spying on a target, while in other instances, threat actors chain multiple exploits to achieve the same result.
In September, the Citizen Lab and Google’s Threat Analysis Group (TAG) disclosed that three Apple zero-days (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) were used to install the Cytrox Predator spyware. These vulnerabilities were identified by Bill Marczak of The Citizen Lab and Maddie Stone of Google TAG, who have previously found numerous actively exploited zero-days in Apple products that were used against high-profile individuals.
Operation Zero, a Russian zero-day broker firm, has recently raised its payouts for top-tier mobile exploits. The firm is prepared to pay up to $20 million for zero-day exploits for iPhone and Android devices, citing high market demand. The company, which caters primarily to the Russian market, including government agencies and private businesses, noted that the end-user for its exploits is a non-NATO country.