A recent report has unveiled the alarming trend in the hacking industry, revealing that the value of zero-day vulnerabilities, specifically for targeting WhatsApp, has skyrocketed. These zero-day flaws, which are unknown to the developers of the affected software, are now worth millions of dollars due to their potential to compromise the security of cell phones running iOS and Android.
The market for zero-day exploits has seen a significant surge in prices, with researchers discovering that flaws enabling the compromise of WhatsApp on Android and access to message contents can cost between
.7 and $8 million. The demand for such exploits is driven by government hackers and intelligence agencies seeking to spy on targets.
The High Stakes Game of Hacking
Zero-day vulnerabilities have become a highly sought-after commodity due to the significant advancements in security mechanisms and mitigations. The expenses associated with hacking cell phones, whether running iOS or Android, have risen substantially, resulting in a premium being placed on lucrative hacking techniques for popular apps like WhatsApp.
Government Demand and Rising Prices
A Russian company recently offered $20 million for chains of bugs that would enable their customers, exclusively Russian private and government organizations, to remotely compromise phones running iOS and Android. The lack of researchers willing to collaborate with Russia amidst ongoing geopolitical tensions and the willingness of Russian government customers to pay a premium contribute to the high price.
However, it is not just in the Russian market that prices have surged. Leaked documents reveal that zero-day exploits targeting WhatsApp on Android and granting access to message content have seen a substantial increase in value. According to sources, the prices for these exploits have skyrocketed, with a range of $1.7 to $8 million.
WhatsApp as a Prime Target
Government hackers have shown significant interest in targeting WhatsApp due to its popularity and widespread usage. In fact, the controversy surrounding the spyware maker NSO Group arose when researchers exposed their exploitation of a zero-day vulnerability to target WhatsApp users. Subsequently, WhatsApp filed a lawsuit against NSO Group, accusing them of abusing the platform for unauthorized surveillance.
Aside from the Russian market, leaked documents indicate that a zero-click remote code execution (RCE) exploit for WhatsApp was being sold for approximately $1.7 million. RCE refers to a type of vulnerability that enables hackers to remotely run malicious code on the target’s device, allowing them to monitor, read, and exfiltrate messages discreetly, even without the target’s interaction.
The Intricacies of Exploits on WhatsApp
The specific appeal of targeting WhatsApp lies in the fact that government hackers, particularly those working for intelligence or law enforcement agencies, may only be interested in accessing WhatsApp chats and do not require full access to the target’s entire device. However, an exploit exclusively for WhatsApp can also be part of a larger chain of attacks aimed at compromising the target’s device comprehensively.
WhatsApp has remained tight-lipped regarding the skyrocketing value of zero-days and the increasing vulnerabilities discovered in the app. The company declined to comment on the matter, leaving users concerned about the potential security risks associated with the messaging platform.
The market for zero-day exploits continues to thrive as hackers and government entities seek ways to infiltrate secure systems. As the value of these exploits continues to rise, it becomes increasingly crucial for developers and organizations to bolster their security measures and invest in robust vulnerability management strategies.