Zero-day exploits targeting WhatsApp have become a hot commodity in the world of hacking, commanding multi-million-dollar price tags.

A working zero-day exploit for WhatsApp can be paid millions of dollars, according to this TechCrunch report [1],

The leaked documents showed that in 2021, a zero-day exploit enabling a hacker to compromise a target's WhatsApp on an Android device was priced between $1.7 and $8 million

The report also stated that the cost of zero-day WhatsApp exploits is increasing due to the high demand for iOS and Android security. The bugs listed in the reports were patched close and they do not present a current danger to its users.

Zero-Day

A zero-day exploit is a type of cyber attack that targets a software vulnerability that is unknown to the software vendor or antivirus vendors. The term "zero-day" refers to the fact that the vendor or developer has only just learned of the flaw, which means they have "zero day" to fix it. A zero-day attack takes place when hackers exploit the flaw before developers have a chance to address it.

Zero-day exploits can be sold on the dark web for large sums of money. Once an exploit is discovered and patched, it is no longer referred to as a zero-day threat. Zero-day attacks are especially dangerous because the only people who know about them are the attackers themselves. Zero-day vulnerabilities can take multiple forms, such as missing data encryption, missing authorizations, broken algorithms, bugs, problems with password security, and so on. Organizations that are attacked by a zero-day exploit might see unexpected traffic or suspicious scanning activity originating from a client or service.

A WhatsApp zero-day bug allows hackers to execute a code and take full app control remotely. The bug affects both Android and iOS versions of WhatsApp and allows attackers to execute an arbitrary code remotely. There were two known reports on WhatsApp zero-days back in 2022 and they were discovered internally and fixed by the WhatsApp team itself [2].

Zero-Day Market

The market for zero-day exploits is a commercial activity related to the trafficking of software exploits.

As zero-day exploits are mainly used to get remote access to both stored and transmitted data, it can be expected that the market for zero-day exploits to be flourishing, with cybercriminals keen to exploit these previously unknown vulnerabilities, and private companies and national governments looking to use them to gain a commercial or geopolitical edge [3].

Some of the influences of cost and demand (as in the case of the reported Whatsapp zero-day exploits) include:

1. The security level of the operating system: iOS and Android devices have improved their security mechanisms and mitigations, making it harder to hack them. Therefore, zero-day exploits that can compromise these devices are more valuable and rare.
2. The geopolitical climate: Some countries or regions may have more interest or need to hack WhatsApp users, especially those who are involved in political or social movements. For example, a Russian firm recently offered $20 million for zero-day exploits that can compromise iOS and Android devices [1].
3. The type of exploit: Some exploits are more powerful and stealthy than others, requiring no interaction from the target and allowing extensive surveillance capabilities. For example, a specific type of exploit called “Zero Click RCE” (Remote Code Execution) can remotely run code inside WhatsApp and monitor, read, and exfiltrate messages. This exploit was available for around $1.7 million in 2021 [1].

The zero-day exploit market is a market with extreme information asymmetries, where the seller has much more information about whether the exploit is actually working and many of the exploits offered are a lot less reliable than sellers initially report [4]. Additionally, the zero-day market suffers from other complications, such as delivery time and availability often impeding sales and is extremely prone to market failure [4].

WhatsApp Zero-Day Vulnerable Groups

1. Government Agencies
   Targeted because: Government hackers frequently target WhatsApp to gather intelligence, monitor political dissidents, and maintain national security.
   Vulnerable because: Government agencies often have high-value, sensitive information. They may use WhatsApp for communication, and breaching these communications can yield valuable data on political strategies, diplomatic relations, and national security issues. The demand for zero-day exploits in this sector is high due to the strategic advantages such information provides.

2. High-Profile Individuals
   Targeted because: High-profile individuals, such as politicians, business leaders, and celebrities, are attractive targets for government hackers due to their influence and access to valuable information.
   Vulnerable because: These individuals possess information that can be politically, economically, or socially influential. Their conversations might involve confidential business deals, political strategies, or personal matters. Breaching their WhatsApp communications can provide a wealth of sensitive data that can be exploited for various purposes, including political manipulation, economic espionage, or public relations damage.

3. Journalists and Activists
   Targeted because: Journalists, activists, and human rights defenders often challenge government actions and policies. Governments may target them to suppress dissent, control narratives, or monitor their activities.
   Vulnerable because: Journalists and activists rely on secure communication channels like WhatsApp to protect their sources and discuss sensitive information. Breaching their conversations can reveal whistleblowers' identities, compromise investigations, or threaten the safety of vulnerable individuals. The 2021 Pegasus spyware attack highlighted the vulnerability of these groups, exposing the risks they face in their advocacy and reporting efforts.

4. Anyone Using WhatsApp
   Targeted because: While government agencies and high-profile individuals are specific targets, opportunistic hackers may still target anyone using WhatsApp.
   Vulnerable because: WhatsApp is one of the most widely used messaging platforms globally. Many individuals use it for personal, professional, or business communication. Opportunistic hackers may attempt to exploit zero-day vulnerabilities to gain access to personal conversations, contacts, financial information, or multimedia files. Even non-targeted individuals could fall victim to attacks aimed at stealing sensitive data, spreading malware, or conducting identity theft.

WhatsApp has responded to recent WhatsApp zero-day exploits by releasing security patches and updates to address the vulnerabilities [2][5]. The security patches and updates have fixed the remote code execution vulnerabilities in WhatsApp, which could have allowed an attacker to remotely access a device and execute commands from afar [5][6].

The affected versions of WhatsApp were WhatsApp for Android prior to v2.22.16.12, WhatsApp Business for Android prior to v2.22.16.12, WhatsApp for iOS prior to v2.22.16.12, and WhatsApp Business for iOS prior to v2.22.16.12 [6]. WhatsApp users are advised to update their apps to the latest version to ensure that they are protected from any known vulnerabilities.

Safeguards

1. Keep your WhatsApp app updated to the latest version: WhatsApp regularly releases security patches and updates to address known vulnerabilities. It is essential to keep your app updated to the latest version to ensure that you are protected from any known vulnerabilities.
2. Be cautious of suspicious links: Do not click on any suspicious links that you receive on WhatsApp. These links may contain malware or phishing scams that can compromise your device.
3. Use strong passwords and passcodes: Use strong passwords and passcodes to protect your WhatsApp account. It is also important to use two-factor authentication, which requires a second factor, such as a code sent to your phone or email, to access your account.
4. Enable end-to-end encryption: WhatsApp uses end-to-end encryption to ensure that only you and the person you are communicating with can read your messages. This means that no one else, including WhatsApp, can access them.
5. Use a VPN: Use a VPN that masks your traffic to protect against GSM operator MitM attacks, browsing HTTP sites, or DNS hijack.
6. Install a security suite: Install a security suite that scans for malware and checks and warns if the device is rooted.
7. Avoid messengers where you need to provide your contacts with your phone number: Once an attacker has your phone number, they can easily target you across many different messengers via this.
8. Be aware of WhatsApp's privacy settings: Change your privacy settings to ensure that you are not sharing sensitive information with strangers. For example, you can restrict access to your profile picture and hide your "last seen" timestamp.

References

[1] L. Franceschi-Bicchierai, “Zero-days for hacking WhatsApp are now worth millions of dollars,” TechCrunch, https://techcrunch.com/2023/10/05/zero-days-for-hacking-whatsapp-are-now-worth-millions-of-dollars/ (accessed Oct. 6, 2023).

[2] P. Ducklin, “WhatsApp ‘Zero-Day exploit’ news scare – what you need to know,” Sophos News, https://news.sophos.com/en-us/2022/09/27/whatsapp-zero-day-exploit-news-scare-what-you-need-to-know/ (accessed Oct. 6, 2023).

[3] M. Gooding, “The Zero Day vulnerability trade remains lucrative but risky,” Tech Monitor, https://techmonitor.ai/partner-content/zero-day-vulnerability-exploit-spyware (accessed Oct. 6, 2023).

[4] M. Smeets, “Hack Global, buy local: The inefficiencies of the Zero-day exploit market,” Default, https://www.lawfaremedia.org/article/hack-global-buy-local-inefficiencies-zero-day-exploit-market (accessed Oct. 6, 2023).

[5] C. Page, “WhatsApp fixes ‘critical’ security bug that put Android phone data at risk,” TechCrunch, https://techcrunch.com/2022/09/27/whatsapp-critical-security-bug/ (accessed Oct. 6, 2023).

[6] P. Arntz, “Critical whatsapp vulnerabilities patched: Check you’ve updated!,” Malwarebytes, https://www.malwarebytes.com/blog/news/2022/09/critical-whatsapp-vulnerabilities-patched-check-youve-updated (accessed Oct. 6, 2023).