- Exploit brokers claim that there are currently more iOS exploits available than ever before.
- At the same time, they are raising payouts for Android full-chain exploits 12-fold, as these are scarce.
- Android security is both saved and cursed by its fragmentation, but programs like Android One are changing the picture.
We are living in interesting times for security on the mobile operating systems scene. Apparently, there are so many iOS exploits out there right now that zero-day brokers have started to refuse many of the new submissions they are getting. At the same time, Android has gotten hard to crack remotely, while the demand for full-chain zero-day exploits with persistence for it has suddenly grown beyond any precedent. This is clearly reflected in how zero-day payouts have shifted. Zerodium is now paying $1 million for iPhone full-chain exploits (down by $500k), and a mind-boggling $2.5 million for Android full-chain zero-click exploits (up from $200k).
Besides Zerodium’s new payout table, which definitely says something about the current situation, Crowdfense paints a similar picture. As its director, Andrea Zapparoli, told Motherboard, there are more iOS chains right now than ever before. However, he clarifies that not all of these exploits are intelligence-grade, so there’s a lot of “market noise,” as he puts it. Moreover, Zapparoli gives another explanation for why Android chains have gotten so pricey. As he said, Android is a fragmented landscape, so finding a universal chain is an almost impossible feat.
In contrast, Apple chains usually work on all iOS versions, as we saw in the recent story about the watering hole websites. In addition, Chrome is playing a pivotal role in the situation on its own. Google’s browser has grown into a tough nut to crack, and its security is beyond comparison with that of Safari. This drives valuable targets to the Android ecosystem, as more and more people who have reasons to protect themselves are starting to prefer Android over iOS.
The launch of Android 10 and all that it brought on the security front is definitely making Android exploits more valuable right now. However, the main issue with Android remains that device manufacturers do not offer the latest OS version to their customers. With programs like Android One and their increasing acceptance by consumers, we are seeing an improvement on that front. Still, we have a long way to go before the situation resembles what happens in the Apple ecosystem. When this becomes the case, the payout discrepancy between the two platforms may grow even larger.