Zero-day vulnerabilities for WhatsApp hacking now cost millions of dollars

The demand for hacking techniques targeting apps like WhatsApp, driven by escalating costs and complexities of hacking smartphones, has led to these techniques being valued at millions of dollars.

Girl Typing Phone Message On Social Network At Night

Recently, the landscape of hacking mobile devices, both iOS and Android, has evolved significantly, becoming a costly endeavour due to improved security mechanisms. This transformation has elevated the value of hacking techniques targeting apps like WhatsApp, which now command multimillion-dollar price tags.

Last week, a Russian firm specialising in purchasing zero-day vulnerabilities—undisclosed software flaws—made an offer of $20 million. This substantial sum was intended to acquire chains of vulnerabilities that would enable their exclusive clientele, described as ‘Russian private and government organisations’, to remotely compromise smartphones running iOS and Android. Notably, the high price is partly attributed to the limited willingness of security researchers to engage with Russian entities amid the ongoing Ukraine crisis. In such circumstances, Russian government customers may be inclined to pay a premium.

However, this trend isn’t confined to Russia alone; the demand for exploits has surged across global markets, particularly for vulnerabilities within specific apps.

Leaked documents dating back to 2021 indicate that a zero-day vulnerability capable of compromising WhatsApp on Android and accessing message content was valued between $1.7 million and $8 million. This substantial increase in prices has been observed across the security market.

WhatsApp has consistently been a target for government-sponsored hackers, who are likelier to employ zero-day vulnerabilities. Notably, in 2019, researchers exposed the use of a zero-day exploit by customers of NSO Group, a controversial spyware vendor, to target WhatsApp users. WhatsApp subsequently filed a lawsuit against NSO Group, alleging abuse of its platform to facilitate the exploitation of zero-day vulnerabilities against over a thousand WhatsApp users.

One leaked document from 2021 detailed the sale of a ‘zero-click RCE’ (Remote Code Execution) exploit in WhatsApp for approximately $1.7 million. RCE exploits are significant as they enable malicious actors to execute code remotely on the target device. In this case, the exploit allowed access to WhatsApp, enabling the monitoring, reading, and extracting of messages. The term ‘zero-click’ signifies that the exploit requires no interaction from the target, enhancing its stealthiness and making it more challenging to detect.

The document specified that the exploit was effective on Android versions 9 to 11, released in 2020, and exploited a vulnerability in the “image rendering library.” While WhatsApp addressed several vulnerabilities related to image processing in 2020 and 2021 (CVE-2020-1890, CVE-2020-1910, and CVE-2021-24041), it remains uncertain whether these patches resolved the underlying vulnerabilities associated with the exploits available for sale in 2021.

WhatsApp declined to provide comments on the matter.

The appeal of targeting WhatsApp lies in its capacity to serve as a discreet channel for espionage, particularly for government-affiliated hackers. Sometimes, these hackers may solely seek to access a target’s WhatsApp conversations, obviating the need to compromise the entire device. Nonetheless, an exploit targeting WhatsApp could also function as part of a larger chain of vulnerabilities, facilitating broader access to the target’s device.