For years, the iPhone was considered the most locked-down mainstream computing device in the world. Its popularity and layers of security protections made any technique to crack it vastly more rare—and more expensive, on the underground market—than comparable Android attacks. But now those economics have shifted. For the first time, a secret hacking tool capable of remotely taking control of an Android smartphone sells for more than its iPhone equivalent.

On Tuesday, the firm Zerodium, which buys and sells so-called zero-day exploits that take advantage of secret software vulnerabilities, published an updated price list. It now offers up to $2.5 million for a so-called zero-click hacking technique that fully, silently takes over an Android phone with no interaction from the target user. That's not only the most Zerodium has ever offered for any single zero-day exploit; it's also $500,000 more than the company offers for a zero-click attack that targets an iPhone. And Zerodium actually reduced the price of so-called "one-click" exploits that target iPhones via a web browser, from $1.5 million to $1 million. The price of some iMessage attacks dropped by half, from $1 million to $500,000.

"During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we've recently started refusing some of them," Zerodium's founder Chaouki Bekrar wrote in a message to WIRED. Meanwhile, Bekrar writes, "Android security is improving with every new release of the OS thanks to the security teams of Google and Samsung, so it became very hard and time consuming to develop full chains of exploits for Android and it's even harder to develop zero-click exploits not requiring any user interaction."

Bekrar adds that for its top bounties, Zerodium focuses on Google, Samsung, Huawei, and Sony devices. "Exploits for other devices are still interesting and accepted but their price will be discussed on a case by case basis," he writes.

Zerodium's new numbers are a dramatic contrast with previous years. When the company released its original, more modest zero-day price list in 2015, it offered up to $500,000 for iOS attacks and a maximum of just $100,000 for Android hacking techniques.

Despite its distinction as the only public list of zero-day values, Zerodium's price chart doesn't necessarily represent what zero-day buyers like law enforcement and spy agencies might actually pay for fresh hacking tools. Some in the security industry consider Zerodium's list largely a marketing tool for the company, meant to influence prices rather than record them.