Why 'Zero Day' Android Hacking Now Costs More Than iOS Attacks

But Maor Shwartz, an independent security vulnerability researcher and founder of the now-defunct vulnerability brokerage firm Q-Recon, says the shifts match his own observations. "In today’s reality, the majority of targets are Android, and there are less and less vulnerabilities because a lot of them have been patched," says Shwartz, who spoke about selling zero days to government customers at last month's Black Hat security conference. "Starting a year ago, clients would ask me, do you know someone who works on Android and has vulnerabilities? I began to get this hunch that the market is changing."


Shwartz says that a web-based attack that targets a high-end Android phone can now sell for more than $2 million non-exclusively, meaning that the researcher can sell it for that price to multiple buyers. A web-based iPhone attack, he says, is worth about $1.5 million non-exclusively. That ratio also holds more generally, he says; an Android attack is often worth roughly 30 percent more than its iPhone equivalent.


It's long been tougher to find a way into a target device through a phone's browser on Android than iOS, Shwartz argues, due to the relative security of Chrome versus Safari. But the real source of the changes that have made Android exploits more expensive, he says, is the difficulty of finding a so-called "local privilege escalation" exploit for Android, which allows an attacker to gain deeper control of a phone after they've already gotten a foothold. Thanks largely to increased security measures in Android phones, LPE exploits are now roughly as difficult to find for Android as they are for iOS, Shwartz says. Combined with the difficulty of finding a hackable browser vulnerability to start the chain of exploitation, that makes Android a harder—and more expensive—target overall.


Shwartz credits Androi ..