Days after a malware called “Judy” hit over 36.5 million Android-based phones, Google is making it more lucrative than ever for Android-hacking white hats, with rewards of up to $200,000 via its Android Security Rewards program for finding a critical vulnerability. The Android Security Rewards program works just like other bug bounties. Security researchers who can demonstrate an exploit get a cash prize and public recognition; the amount varies based on the severity of the hack. Google then gets to fix the bug and avoid future security issues. By increasing the reward, Google hopes to attract more researchers and engineers to the Android Security Rewards program.
Scope for Android Security Rewards program
As per Google,
Android Security Rewards program covers bugs in code that runs on eligible devices and isn’t already covered by other reward programs at Google. Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as the code that runs in chipset firmware, may be eligible if they impact the security of the Android OS.
The increased reward applies to two bounties:
- Vulnerabilities in TrustZone or Verified Boot
- A remote kernel exploit
Android is based on the Linux kernel, which has given the platform great flexibility over the years. However, the Linux kernel also comes with baggage. It has been the cause of several significant security breaches known as remote kernel exploits. An example of this would be the TowelRoot exploit, which could be used by users to gain root on a device. Of course, hackers could also use remote kernel exploits like that to infiltrate devices and steal data. The bounty for a new remote kernel exploit has gone up to $150,000 from $30,000.
Google considers a flaw in TrustZone or Verified Boot to be an even more serious matter. TrustZone is an ARM technology built into the SoC inside your device. It ensures that biometric data (fingerprints), DRM, and boot settings are kept in a trusted secure environment. Verified Boot was introduced in Android 4.4 KitKat as a way to make sure, each time a device starts up, that system software has not been tampered with. An exploit that can silently alter the system would be a big problem. Google has increased the bounty for an exploit leading to TrustZone or Verified Boot compromise from $50,000 to $200,000.
The Trivia | Google Android Security Rewards program
Google launched its Android Security Rewards program in 2015 as a means of rewarding ethical hackers for spotting bugs in the world’s most widely used mobile operating system. It recognizes the contributions of security researchers who invest their time and effort in helping to make Android more secure. Through this program, Google provides monetary rewards and public recognition for vulnerabilities disclosed to the Android Security Team. The reward level is based on the bug severity and increases for complete reports that include reproduction code, test cases, and patches.
In a blog post published on June 1, Mayank Jain and Scott Roberts, researchers from the Android Security Team, wrote:
“Two years ago, we launched the Android Security Rewards program. In its second year, we’ve seen great progress. We received over 450 qualifying vulnerability reports from researchers and the average pay per researcher jumped by 52.3%. On top of that, the total Android Security Rewards payout doubled to $1.1 million dollars. Since it launched, we’ve rewarded researchers over $1.5 million dollars.”
Unfortunately (or fortunately), no payouts have yet been made for the top reward, which is for a complete remote exploit chain that could lead to TrustZone or Verified Boot compromise. With the increased bug bounty, it is worth someone's time to put in the effort needed to uncover a new bug, which helps secure an Android ecosystem of over 2 billion active devices around the world. It is just a question of time, and of whether it will be someone working for Google or a hacker trying to steal personal data. After all, no software is perfect.
Bug Bounty Programs
The Android Security Rewards program is similar to other bug bounty programs in the tech industry. If a security firm or an individual discovers an exploit and reports it to the respective company, they receive a cash reward. The payouts vary based on the severity of the exploits. They help motivate individuals and groups of hackers not only to find flaws, but to disclose them properly when they do, instead of using them maliciously or selling them to parties that will. From there, the company uses that information to fix the exploit and avoid hacks by malicious organizations.
Google is clearly hoping to incentivize security researchers to dedicate more time to trying to hack its mobile operating system. So what are you thinking? Gear up, security researchers, now earn $200,000 via Android Security Rewards program!!