A report published today (Thursday) by technology website TechCrunch claims that prices for hacking techniques targeting apps like WhatsApp have reached millions of dollars.
Due to improved security mechanisms and mitigation measures, hacking Android and iOS phones has become an expensive endeavor.
Last week, a Russian company that buys commercially available vulnerabilities demanded $20 million for a set of vulnerabilities that would allow its customers, supposedly “only Russian private and government organizations,” to remotely exploit Android and iOS phones.
This price may be due in part to the fact that few researchers are willing to work with Russia given its invasion of Ukraine, and that Russian government agents may be willing to pay a premium under current circumstances.
But double prices for some applications also rose in markets outside Russia.
Documents leaked by TechCrunch show that in 2021 the cost of a zero-day vulnerability that allows its users to hack into a target's WhatsApp app on Android and read message content ranged between $1.7 million and $8 million.
WhatsApp in particular has become a popular target for government hackers, and in 2019 researchers exploited vulnerabilities in real time to monitor NSO Group clients and target WhatsApp users.
Shortly thereafter, WhatsApp filed a lawsuit against the Israeli spy company, accusing it of misusing its platform by providing its customers with real-time exploits against more than a thousand users of its application.
According to a leaked document, in 2021 a company sold a security vulnerability that allows remote code execution without user interaction on WhatsApp for about $1.7 million.
The vulnerability allowed them to monitor, read and filter messages on WhatsApp. Since it is a “no-click” vulnerability, no interaction from the target is required, making it more subtle and difficult to detect.
The document says that the exploit affects Android versions 9 through 11 and takes advantage of a vulnerability in the “photo display library.”
In 2020 and 2021, WhatsApp fixed three security vulnerabilities: CVE-2020-1890, CVE-2020-1910, and CVE-2021-24041, all related to how the app handles images.
It's unclear if the patches fix the bug in the 2021 version.