Date: 2023-10-05

Zero-day exploits, which are undisclosed software vulnerabilities, have become highly sought after in the hacking market. The price for these exploits, particularly those targeting the popular messaging app WhatsApp, has significantly increased in recent years. A Russian company recently offered $20 million for a chain of bugs that would enable remote compromise of iOS and Android devices. The demand for such exploits is driven by government organizations and intelligence agencies that seek to spy on their targets.

A leaked document shows that a zero-day exploit for compromising WhatsApp on Android and accessing message content can cost between $1.7 and $8 million. The value of targeting WhatsApp specifically is that it allows hackers to gain access to chats without compromising the entire device. However, an exploit within WhatsApp can also be used in combination with other exploits to further compromise the target’s device.

WhatsApp has been a popular target for government hackers in the past. In 2019, the controversial spyware maker NSO Group was caught using a zero-day exploit to target WhatsApp users. WhatsApp subsequently sued NSO Group for abusing its platform. The leaked document reveals that a company was selling a “zero click RCE” exploit in WhatsApp, which allows remote code execution without any user interaction. The exploit targeted Android versions 9 to 11 and exploited a flaw in the image rendering library.

Improvements in security mechanisms have made hacking cell phones, whether running iOS or Android, more difficult and expensive. As a result, the value of zero-day exploits has increased. Hacking techniques for popular apps like WhatsApp are now worth millions of dollars. The market for zero-day exploits remains active, driven by demand from government and intelligence agencies.

Definitions:

Zero-day exploits: Undisclosed vulnerabilities in software that are unknown to the software developer.

Remote code execution (RCE): A security flaw that allows hackers to run code on a target’s device remotely.

