It'd be pretty silly to classify these as 0-day exploits that they paid for then!

I suppose so. The article does say "The attackers spent $1,400 on the black market for the details of 14 known, but not patched, bugs in WebKit." Yet it also explicitly mentions specific, old versions of Android which have the holes. This seems like something of a contradiction.