In the world of cybersecurity, a zero-day vulnerability refers to a security flaw in software or an operating system that is unknown to the developers, leaving it vulnerable to exploitation by hackers. Recently, it has been reported that a zero-day vulnerability in WhatsApp, the popular messaging platform, was being sold on the black market for prices ranging from $1.7 million to $8 million in 2021. However, according to experts, the prices have now skyrocketed even further.

Due to its widespread popularity, WhatsApp has become an attractive target for cybercriminals and state-sponsored hackers alike. In 2019, the notorious NSO Group spyware was being used to spy on WhatsApp users, leading to legal action taken by WhatsApp against the Israeli manufacturer.

This particular vulnerability, a Remote Code Execution (RCE) flaw, allowed attackers to remotely execute malicious code on the victims’ devices and gain access to their WhatsApp messages without any action required from the victims themselves. It was being sold for $1.7 million in 2021. Despite three vulnerability patches released between 2020 and 2021, this specific exploit, which targeted the “image-rendering library,” was actively exploited.

Experts in the field have noted that buyers of such exploits are particularly interested in the capabilities they provide, especially the ability to spy on users. If an exploit does not meet their requirements, they may need to purchase multiple pieces and combine them to achieve their goals.

Over the past few years, the value of these espionage techniques has been on the rise, particularly because they allow for the targeting of high-profile individuals using devices with more robust security systems, such as Apple’s iOS and Google’s Android operating systems.

In a further display of the increasing value placed on zero-day vulnerabilities, a Russian company that purchases such exploits recently offered, reportedly, up to $20 million for a chain of security flaws that would provide remote access to both iOS and Android smartphones.

Sources:

– TechCrunch