But Maor Shwartz, an independent security vulnerability researcher and founder of the now defunct vulnerability brokerage firm Q-Recon, says the shifts match his own observations. “In today’s reality, the majority of targets are Android, and there are less and less vulnerabilities because a lot of them have been patched,” says Shwartz, who spoke about selling zero days to government customers at last month’s Black Hat security conference. “Starting a year ago, clients would ask me, do you know someone who works on Android and has vulnerabilities? I began to get this hunch that the market is changing.”
Shwartz says that a web-based attack that targets a high-end Android phone can now sell for more than $2 million non-exclusively, meaning that the researcher can sell it for that price to multiple buyers. An web-based iPhone attack, he says, is worth about $1.5 million non-exclusively. That ratio also holds more generally, he says; an Android attack is often worth roughly 30 percent its iPhone equivalent.
It’s long been tougher to find a way into a target device through a phone’s browser on Android than iOS, Shwartz argues, due to the relative security of Chrome versus Safari. But the real source of the changes that have made Android exploits more expensive, he says, is the difficulty of finding a so-called “local privilege escalation” exploit for Android, which allows an attacker to gain deeper control of a phone after they’ve already gotten a foothold. Thanks largely to increased security measures in Android phones, LPE exploits are now roughly as difficult to find for Android as they are for iOS, Shwartz says. Combined with the difficulty of finding a hackable browser vulnerability to start the chain of exploitation, that makes Android a harder—and more expensive—target overall.
Shwartz credits Android’s increased security partly to its open-source strategy finally paying off. While Apple has kept its operating system so locked down that even benevolent security researchers have difficulty sussing out its bugs—a problem it’s tried to solve with a recent expansion and opening up of its bug bounty program—Android’s open-source approach has meant more eyes on its code. While that broadness initially led to more bugs, those vulnerabilities have been patched over time, slowly hardening the operating system. “So many vulnerabilities have been patched that the attack surface is decreased dramatically,” says Shwartz.
Android has long suffered from security patching problems caused by dependence on third-party manufacturers and carriers. Those aren’t captured in Zerodium’s price list, since the company focuses on zero day vulnerabilities in fully patched devices.
But Google has, to its credit, been slowly making the innards of an Android phone less hacker-friendly, including in the release of Android 10 today: It’s adding new file-based encryption, for instance, and revamped “sandboxes” that silo off apps’ access from the rest of the operating system. In fact, Google has spent years adding “mitigations” that make hacking devices harder even when new security bugs are found. In 2018, for instance, it introduced Control Flow Integrity, designed to prevent a malicious program from jumping around in memory to circumvent an older security measure that randomizes the memory locations of code, and Integer Overflow Sanitization, designed to prevent the sort of bug that was exploited in 2015 by a class of attacks known as Stagefright.
But Shwartz notes that beyond those mitigations, the initially higher prices of iOS zero days also attracted outsized attention from security researchers, leading to a comparative glut of iOS attacks. The sheer volume of those attacks was highlighted just last week, when Google revealed that a hacking campaign had used five distinct full iOS exploit chains, embedding those attacks in websites to infect the phones of thousands of victims. In another Google discovery revealed last month, the company’s security researcher Natalie Silvanovich unearthed no fewer than six zero-click attacks for iOS.