Google Offers Rewards to Hackers for Identifying Critical Flaws in Popular Apps with More Than 100 Million Users
Fighting Off Malware on Google Play: New Measures Announced
Google's taking a stand against malicious software on its platform with fresh updates to the Google Play Security Reward Program. In a bid to rein in susceptible apps and combat cyber threats, these updates will provide incentives for security researchers to help uncover weak points and vulnerabilities in popular Android apps.
Recently, a popular app with over 100 million downloads was uncovered to be spreading malware, leading to its removal from the Google Play Store. The app in question, CamScanner, was discovered to contain a malicious Trojan Dropper module, silently extracting and running harmful code. This disturbing trend is growing, and Google is stepping up its game to protect Android users.
Previously, Google's bounty program, known as the Google Play Security Reward Program (GPSRP), only doled out money for discovering bugs in apps created by Google. However, the program is now broadening its scope to include rewards for security researchers finding bugs in apps with over 100 million installs.
In a recent blog post, Google engineers Patrick Mutchler, Sebastian Porst, and Adam Bacchus stressed the importance of selecting reliable app developers in the competitive landscape of Android development. Their guide, "App Developer Comparison Guide: Finding Your Perfect Match," outlines:
- Streamlined decision-making: Effortlessly compare and assess app developers based on crucial factors.
- Tailored suitability assessment: Assign ratings to developers based on your project's unique requirements and preferences.
- Informed choices: Make confident decisions supported by comprehensive insights and considerations.
- Efficient selection process: Simplify the selection process with a structured framework for evaluation.
As announced by Google, the GPSRP now includes all apps with 100 million or more installs, allowing these apps to be eligible for rewards.
Google has specified three types of vulnerabilities eligible for a payout in the GPSRP:
- Remote Code Execution (RCE) bugs ($20,000): attackers can exploit RCE vulnerabilities to run arbitrary native ARM code on an affected device without the user's consent or knowledge.
- Theft of Insecure Private Data ($3,000): malicious actors can gain unauthorized access to confidential data stored on vulnerable Android devices running default security settings.
- Access to Protected App Components ($3,000): app components that process Intents passed from another app (via startActivity, sendBroadcast, startService, etc.) without proper validation can lead to the vulnerable app carrying out operations that the sending app does not itself have permission to perform.
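The third bug class is easiest to see in code. The following is an added illustration, not code from the article or from Google's blog post: a hypothetical exported "proxy" Activity that receives an Intent embedded in an extra and re-launches it. The vulnerable version forwards whatever it is handed, so a low-privilege caller can reach the app's non-exported screens and inherit any URI permission grants the app holds; the hardened version only forwards to an allowlist of the app's own components and strips permission-grant flags. The class names, the extra key `next`, and the allowlist entries are assumptions chosen for the example.

```java
import android.app.Activity;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Assumed manifest entry for both activities (required on Android 12+):
//   <activity android:name=".VulnerableProxyActivity" android:exported="true" />
//   <activity android:name=".HardenedProxyActivity"   android:exported="true" />

/** Vulnerable form: an exported component that relays an attacker-supplied Intent. */
public class VulnerableProxyActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The embedded Intent is fully controlled by the calling app.
        Intent forward = getIntent().getParcelableExtra("next");
        if (forward != null) {
            // Runs with THIS app's identity: can target non-exported activities of this app
            // and carries any FLAG_GRANT_*_URI_PERMISSION the caller set on it.
            startActivity(forward);
        }
        finish();
    }
}

/** Hardened form: forward only to known, explicitly named components of our own app. */
class HardenedProxyActivity extends Activity {
    // Assumed allowlist of screens this proxy may open (fully qualified class names).
    private static final Set<String> ALLOWED_TARGETS = new HashSet<>(Arrays.asList(
            "com.example.app.ui.SettingsActivity",
            "com.example.app.ui.HelpActivity"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent forward = getIntent().getParcelableExtra("next");
        if (isSafeToForward(this, forward)) {
            // Drop permission grants the sender may have attached; the proxy should never
            // lend its own URI permissions to a third-party-chosen destination.
            forward.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                    | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
                    | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
                    | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);
            startActivity(forward);
        }
        finish();
    }

    /**
     * Validation policy: the embedded Intent must name an explicit component, that
     * component must belong to this package, and its class must be on the allowlist.
     * Implicit Intents are refused outright so the destination is never chosen by
     * the system on the sender's behalf.
     */
    static boolean isSafeToForward(Context ctx, Intent forward) {
        if (forward == null) {
            return false;
        }
        ComponentName target = forward.getComponent();
        if (target == null) {
            return false; // implicit Intent: destination not pinned down
        }
        if (!ctx.getPackageName().equals(target.getPackageName())) {
            return false; // would relay into another app with our identity
        }
        return ALLOWED_TARGETS.contains(target.getClassName());
    }
}
```

The same pattern applies to exported Services and BroadcastReceivers: treat every field of an inbound Intent as untrusted input, pin the destination to an explicit allowlist, and never pass the caller's flags through unchanged. A detection-side check is to grep the manifest for `android:exported="true"` components and review each handler that calls `startActivity`, `startService` or `sendBroadcast` with an Intent derived from `getIntent()`.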
Once a vulnerable app is identified, Google will collaborate with the security researcher to reveal the uncovered vulnerabilities to the app developer and compensate the researcher through the GPSRP. If the app developer has their own bounty program, they will be able to claim additional rewards from the app developer, in addition to the payment from Google.
Since its inception, the Google Play Security Reward Program has rewarded over $265,000 to researchers.
Attribution: Androidheadlines, thenextweb
Insights: While specifics about the updates to the Google Play Security Reward Program are not abundant, Google has traditionally supported responsible disclosure of vulnerabilities through various programs. Eligible vulnerabilities often include those that could jeopardize user data or security, such as server-side request forgery (SSRF), SQL injection, or cross-site scripting (XSS). For further details, consult the official Google documentation or contact their security team directly. Google Play system updates, for instance, focus on enhanced security and improved device management, while Google Play Protect provides more robust protection for users.
- As Google broadens its Google Play Security Reward Program, it now offers incentives for discovering vulnerabilities in apps with over 100 million installs, opening a new avenue for cybersecurity experts in the realm of finance and technology to ensure the safety of millions of Android users.
- In light of the expanding importance of cybersecurity measures in technology, the Google Play Security Reward Program now provides financial rewards for researchers who find and report Remote Code Execution (RCE) bugs, Theft of Insecure Private Data, and Access to Protected App Components, demonstrating Google's commitment to mitigating cyber threats in the increasingly digital world of finance and technology.