A WhatsApp Zero-Day Can Fetch up to $8 Million, Leaked Documents Say

A cybersecurity researcher can make up to $8 million overnight by finding security weaknesses in WhatsApp and selling those findings to the highest bidder, according to a set of leaked documents obtained by TechCrunch.

Allegedly, “as of 2021, a zero-day allowing its user to compromise a target’s WhatsApp on Android and read the content of messages can cost between $1.7 and $8 million,” the American news outlet reports.

A working exploit chain – where multiple weaknesses are woven together – can fetch up to 20 million if it can abuse flaws in both Android and iOS.

One of the leaked documents reportedly says a company was selling a single, zero-click, remote-code-execution (RCE) flaw for around $1.7 million. Zero-click means the flaw can be triggered without input from the victim, while RCE means the weakness is remotely exploitable.

“The document said the exploit worked for Android versions 9 to 11, which was released in 2020, and that it took advantage of a flaw in the ‘image rendering library,’” according to the report.

While these flaws are now patched, new ones emerge almost every month, including for the iPhone. This year alone, Apple has issued over a dozen emergency security updates to plug zero-day vulnerabilities – many reportedly used in mercenary spyware attacks.

WhatsApp’s immense popularity makes it a hot target for nation-state actors looking to monitor and spy on high-profile targets like politicians, hacktivists, journalists, dissidents, and others. These actors are willing to pay handsomely to access their opponents' sensitive data and communications.

In an effort to combat this growing menace, Apple last year introduced Lockdown Mode on iOS and macOS, a feature designed to drastically reduce hackers’ attack surface by limiting functionality in certain apps and services.

NSO Group, a notorious spyware maker based in Israel, has been sued by both Apple and WhatsApp over hacks involving its Pegasus monitoring malware.

Pegasus, like most other types of spyware, is specifically designed to exploit the costly bugs described in TechCrunch’s report and can access almost every kind of data on a target device, including messages, images, and location data. It can also record sounds through the phone’s built-in microphone, as well as take photos through the device’s front and back cameras.

Always make sure your phone is up to date with the latest security updates issued by the vendor, and consider deploying a dedicated security solution on all your personal devices.