Russian firm is offering $20mn for hacking iPhone, Android smartphones
Operation Zero, a Russia-based company that deals in zero-day exploits, is offering up to $20 million for hacking tools that target iPhones and Android devices. This is a huge leap from its previous maximum payout of $200,000 for zero-day exploits, which take advantage of software vulnerabilities that are unknown to the developer. The company said it is increasing the payouts for "top-tier mobile exploits," citing "high demand on the market."
'No risk of exploits falling into the wrong hands'
The boosted bounties offered by companies like Operation Zero could suggest that it's getting harder and pricier for governments and surveillance firms to obtain zero-day exploits. Shane Huntley, Senior Director of Google's Threat Analysis Group, views this as a positive development, stating that "these rising prices are a good sign that we are making zero-day more hard and expensive." Operation Zero, for its part, claims that there's "no risk of exploits falling into the wrong hands."
Several other firms also offer zero-day bounties
Operation Zero isn't alone in offering bounties for zero-day exploits. Zerodium, established in 2015, provides up to $2.5 million for a chain of bugs that can hack an Android device without any interaction from the target. Another rival based in the United Arab Emirates, Crowdfense, dishes out up to $3 million for similar bug chains on both Android and iOS platforms.
The high demand for mobile exploits
The spike in payouts highlights the growing demand for zero-day exploits in the mobile market. Government actors and other entities are on the hunt for these vulnerabilities to compromise mobile devices for various reasons. As mobile security gets better, hackers need more advanced techniques and multiple zero-days to take over a targeted device, pushing up prices in this gray market. Catering exclusively to "Russian private and government organizations," Operation Zero, launched in 2021, claims its end-user is a "non-NATO country."
The unregulated market for zero-days
The zero-day exploit market remains largely unregulated, with prices swinging and customers' identities often kept under wraps. In some countries, companies may need export licenses from their governments to sell specific products or services. This results in a fragmented market influenced by politics. For example, a recent law in China requires security researchers to report bugs to the Chinese government before informing software makers. Experts say this law means China is effectively monopolizing the market for zero-days for intelligence purposes.