Prices for hacking techniques targeting apps like WhatsApp have reportedly reached millions of dollars, according to a report published today by TechCrunch.
Thanks to improvements in security mechanisms and mitigations, hacking mobile devices running Android or iOS has become a costly endeavor.
Last week, a Russian company seeking to purchase zero-day vulnerabilities offered $20 million for chains of vulnerabilities that would allow its clients, which it claimed were “Russian private and government organizations only,” to remotely hack Android and iOS phones.
This price increase may partly be attributed to the fact that there are not many researchers willing to work with Russia, which is currently invading Ukraine, and government clients in Russia may be more willing to pay a premium under the current circumstances.
Even in markets outside of Russia, the prices for vulnerabilities targeting specific apps have surged. Documents seen by TechCrunch indicate that as of 2021, the price for a zero-day vulnerability that allowed users to compromise the WhatsApp app on Android and read message contents ranged from $1.7 million to $8 million.
WhatsApp has become a common target for government hackers. In 2019, researchers identified clients of the NSO Group using a zero-day vulnerability to target WhatsApp users.
Shortly after, WhatsApp filed a lawsuit against the Israeli spyware firm, accusing it of abusing its platform to enable its clients to use vulnerabilities against more than a thousand WhatsApp users.
According to one of the leaked documents, in 2021, one company was selling a vulnerability for remote code execution within WhatsApp without any user interaction for around $1.7 million.
This vulnerability allowed them to monitor, read, and filter WhatsApp messages. As it was a “zero-click” vulnerability, it required no interaction from the target, making it particularly stealthy and difficult to detect.
In 2020 and 2021, WhatsApp fixed three security vulnerabilities, CVE-2020-1890, CVE-2020-1910, and CVE-2021-24041, all related to how the app handled images. Whether these fixes addressed the underlying issues behind the vulnerabilities offered for sale in 2021 is unclear.