Earn $2.5 million if you find a remote zero-day exploit for Android

Graham Cluley

Vulnerability broker Zerodium says it is now offering up to $2.5 million for zero-day remote exploits which would allow attackers to infect a remote Android smartphone with malware, with no user interaction required.

Zerodium is not offering the considerable reward because it wants to make the Android operating system a safer environment. Instead it believes it can make a handsome profit by selling such an exploit to the likes of intelligence agencies and law enforcement bodies.

Whereas the likes of Apple, Google, and Microsoft offer bug bounties for details of vulnerabilities in their software and then work on improving their code to protect their userbase, Zerodium offers ways to crack into devices to whoever is prepared to stump up the cash.

I suspect that the majority of Zerodium’s customers are not software manufacturers, but governments and intelligence agencies who use the zero-day exploits to spy on suspected criminals, terrorists, persons of interest, and foreign nations.

And those types of customers have a vested interest in the likes of Apple, Microsoft, and Google not patching the bugs. After all, once a zero-day vulnerability is fixed its value reduces considerably.

[Figure: Zerodium payout chart]

What I find interesting is that Zerodium’s offer of up to $2.5 million for a “full chain (Zero-Click) with persistence” exploit is actually greater than the equivalent no-user-interaction exploit for iOS (for which a paltry $2 million is offered).

In fact, citing “market trends”, the controversial vulnerability broker has actually decreased some of its payouts for iOS exploits. For instance, the maximum an iOS full chain exploit that provides persistence and requires only one click from the victim is now worth up to $1 million, rather than the previous $1.5 million.

Thankfully, not all vulnerability researchers are purely driven by maximising the amount of money they can make from their discovery. Many feel passionately about the importance of privacy, and would be revolted by the thought that an oppressive government could use it to spy upon its citizens.

We only have Zerodium’s word for it that they would ever give such a large amount of money to someone who came up with a way of remotely compromising a fully-patched Android device without the user having to make a single click. But it’s hard not to believe that there are plenty of governments and intelligence agencies who would pay handsomely for just such a tool.

Further reading: There’s an interesting thread on Twitter by The Grugq as to why he believes Android exploits are commanding higher prices than those for iOS.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.