The Rising Value of Zero-Day Exploits Targeting WhatsApp

In recent years, the value of zero-day exploits, particularly those targeting popular messaging apps like WhatsApp, has surged to unprecedented levels. These vulnerabilities, unknown to the developers of the affected software, have become a lucrative market for hackers and state-sponsored entities alike.

Key Highlights:

  • A Russian company recently offered $20 million for chains of bugs that could compromise both iOS and Android phones.
  • Zero-day exploits targeting WhatsApp can now range between $1.7 million to $8 million.
  • WhatsApp has been a prime target for government hackers, with instances of its vulnerabilities being exploited in the past.
  • In 2021, a zero-click Remote Code Execution (RCE) exploit in WhatsApp was reportedly sold for around $1.7 million.
  • The value of targeting WhatsApp lies in its widespread use and the wealth of information that can be extracted from its chats.

The Market Dynamics:

Thanks to advancements in security mechanisms and mitigations, hacking mobile devices, whether they run on iOS or Android, has become a costly affair. This has led to a significant increase in the value of hacking techniques for apps like WhatsApp. A recent revelation from TechCrunch highlighted that a Russian company, which purchases zero-days, offered a staggering $20 million for vulnerabilities that would allow remote compromise of phones running on both major operating systems.

The Premium on WhatsApp Exploits:

Leaked documents from 2021 indicate that a zero-day exploit, which allows a hacker to compromise a target’s WhatsApp on Android and access message content, can cost anywhere between $1.7 and $8 million. This surge in price is attributed to the app’s popularity among users worldwide and its appeal as a target for government-backed hackers. In 2019, the controversial spyware maker, NSO Group, was found using a zero-day to target WhatsApp users. This led to a lawsuit by WhatsApp against the Israeli tech vendor.

The Technical Aspects:

In the realm of cybersecurity, a zero-click RCE is a significant threat. It allows hackers to remotely run code on the target’s device without any interaction from the user, making it stealthy and challenging to detect. In 2021, such an exploit for WhatsApp was being sold for approximately $1.7 million. This particular vulnerability affected Android versions 9 to 11 and exploited a flaw in the image rendering library. Over the years, WhatsApp has patched several such vulnerabilities, but the market for these exploits remains active.

The Bigger Picture:

While the focus on WhatsApp is evident, the broader perspective is that sometimes, entities, especially those from intelligence or law enforcement agencies, might only be interested in a target’s chats on WhatsApp. They might not necessarily want to compromise the entire device. However, an exploit in WhatsApp can also be a stepping stone to further compromise the target’s device, depending on the end goal of the attacker.


The world of zero-day exploits is evolving rapidly, with vulnerabilities in popular apps like WhatsApp fetching millions of dollars in the underground market. The reasons are manifold: the app’s popularity, the wealth of information it holds, and the strategic advantage it offers to state-sponsored entities. As the digital age progresses, the tug-of-war between hackers and developers is bound to intensify, with user data hanging in the balance.