Zimperium Announces Exploit Acquisition Program for Android and iOS

Accelerating how mobile security updates are delivered

- Company is allocating $1.5 million to purchase N-day exploits, which are still usable on unpatched devices

- Acquiring exploits furthers machine learning capabilities of Zimperium's core z9 engine

- Program will reward the work of security researchers and continue the push to improve the patch deployment process for Android and iOS

News provided by

Zimperium

Feb 01, 2017, 01:00 ET

SAN FRANCISCO, Feb. 1, 2017 /PRNewswire/ -- Zimperium, the industry leader in enterprise mobile threat defense (MTD) and the only provider of real-time on-device protection against known and previously unknown threats, today unveiled its Exploit Acquisition Program for Android and iOS devices. By focusing on N-days, or patched vulnerabilities, Zimperium is helping accelerate how mobile security updates are delivered.

Zimperium's program encourages security research by rewarding the hard work of researchers who wouldn't otherwise receive compensation. For example, professional hacking groups often purchase zero-day exploits for anywhere from a few thousand dollars up to 1 million dollars for a full, remote exploit chain. However, as soon as a patch is available, that exploit becomes worthless from a monetary perspective.

"Unfortunately, the security patching process for mobile devices' operating systems is extremely slow, which leaves companies and individuals highly vulnerable to dozens of security threats," said Zuk Avraham, Founder and Chairman at Zimperium. "Through this program, our customers, partners, and the infosec community will get access to exploits and exploit techniques so that they will be able to provide better protection from existing threats."

Zimperium is changing that model and allocating $1.5 million to purchase N-day exploits. A committee built from select members of Zimperium's renowned research team, zLabs, will evaluate remote and local exploits, information disclosure exploits and others, for purchase.

Zimperium will use the exploits to further enhance its machine learning-based threat detection engine, z9. Since many devices in BYOD and company-provided mobile device environments may be outdated and cannot receive patches, Zimperium will provide compatibility support for versions that vendors no longer support (e.g. Android 4.1).

With the researcher's permission, the exploit will first be released to members of the Zimperium's Handset Alliance (ZHA), which includes Samsung, Softbank, Telstra, Blackberry and more than 30 members from the most well-known handset vendors and mobile carriers in the world. For those that are not members of ZHA, Zimperium will publicly release the exploit, one to three months later, crediting the appropriate researcher. Security contacts of carriers and vendors are welcome to join ZHA at no cost.

Important Detail on Zimperium's Momentum

Read the blog post with all the details on the N-Days Exploit Acquisition Program.
Find out more about the Zimperium Handset Alliance.
Zimperium's zLabs found multiple vulnerabilities in AirDroid, which left millions vulnerable to Man-in-the-Middle (MITM) attacks, information leakage and remote hijacking.
Zimperium's machine learning-based threat defense solution detects unknown attacks without updates, including recent bugs like Ian Beer's new exploit targeting iOS 10.1.1, Gooligan and Pegasus.

Related Material

Read about zLab's researcher/senior developer Simone Margaritelli's experience hacking his own WiFi-enabled coffee maker, which further demonstrates how vulnerable IoT devices are in the wrong hands.
Watch Zimperium hack into an Android device on Crimewatch Daily.
Read how zLabs' Stagefright disclosure caused the Android ecosystem to reevaluate how it approaches security.
Watch zLab's researcher Joshua Drake discuss security vulnerabilities at DefCon.

Tags/Keywords
Mobile threat defense, Mobile cybersecurity, Machine learning.

About Zimperium®
Zimperium®, the industry leader in Mobile Threat Defense, offers real-time, on-device protection against both known and previously unknown threats, enabling detection and remediation of attacks on all three mobile threat vectors - Device, Network and Applications. Zimperium's patented z9™ detection engine uses machine learning to power zIPS™, mobile on-device Intrusion Prevention System app, and zIAP™, an embedded, In-App Protection SDK that delivers self-protecting iOS and Android apps.

Leaders across the mobile ecosystem partner with Zimperium, including mobile operators (Airtel, Deutsche Telekom, SmarTone, SoftBank and Telstra), device manufacturers (Samsung, SIRIN, TriGem), and leading enterprise mobility management (EMM) providers (AirWatch, MobileIron, BlackBerry, Citrix and SAP). Headquartered in San Francisco, Zimperium is backed by Sierra Ventures, Samsung, Telstra, Warburg Pincus and SoftBank. Learn more at www.zimperium.com or our official blog at https://blog.zimperium.com.

Zimperium, the Zimperium name and logo, Powered by Zimperium, zIPS, zIAP and z9 are registered trademarks or trademarks of Zimperium, Inc. in the US and other countries.