An exploit broker is offering millions of dollars for zero-day vulnerabilities that would allow attackers to hack iPhones, Android devices, and the WhatsApp and iMessage messaging apps.
Vulnerability acquisition company Crowdfense has updated its price list. The firm is now willing to pay up to $9 million for zero-click exploits that work via SMS or MMS and up to $7 million for iPhone zero-days. It is also offering up to $5 million for Android zero-days, up to $3.5 million for Safari exploits, and up to $3 million for Chrome exploits. The list also covers zero-click exploits in WhatsApp (up to $5 million), iMessage (up to $5 million), Signal, Telegram and other messaging services.
In Crowdfense's prior price list from 2019, the most lucrative payouts available were set at $3 million for zero-day vulnerabilities targeting Android and iOS platforms.
In a report last month, Google's Threat Analysis Group (TAG) said that 97 zero-day vulnerabilities were exploited in the wild in 2023, with the majority of exploitation attempts originating from commercial surveillance vendors (CSVs) and state-sponsored actors. CSVs, in particular, were found to be behind 75% of known zero-day exploits (accounting for 13 out of 17 vulnerabilities) targeting Google products and the Android ecosystem, as well as 55% (amounting to 11 out of 20 vulnerabilities) targeting iOS and Safari.