Google will pay hackers $200000 for finding bug in Android
The company has since a long time, had a bounty program wherein every individual that reports a zero day bug ( bug not previously known ) would get a monetary reward for their efforts. After the recent Judy & Fireball malware however, Google has upped the reward many times over.
Better safe than sorry
The upgrade in the bounty program should not come as a surprise to those aware of the recent malware attacks. Its been days since news of the Judy malware attack broke. For those unfamiliar with it, the attack consisted of a number of apps that existed on the Play Store which would install adware onto their user’s devices. There were reports that over 40 apps were infected with this malware – one that managed to get past Google’s malware filters and although Google did remove these apps from their Play Store, it is being reported that those 40 apps were cumulatively downloaded over 40 million times. With this in mind, it makes sense that Google would want to know and plug such loopholes quickly.
Google has been running the bounty program for around 2 years and is reported to have paid around $ 1.5 million in rewards. The monetary reward act as an incentive for researchers to find and report these bugs before cyber criminals can make use of them. While the amount can seem high, the potential financial loss if these bugs were used in attacks are incalculable and Google can certainly can’t afford them. Google apparently has now decided to utilize their deep pockets in making Android more secure by upping the bounty rewards.
The bounty system obviously has levels based on the seriousness of the bugs. The first level of reward for finding bugs that could allow an attacker to gain remote access to a device and use it to steal a user’s personal data was around $ 30,000 which will now be increased to $150,000 a 5X increase. The second level includes Verified Boot and Trust Zone bugs. Verified boot ensures that the phone’s software isn’t affected while Trust Zone covers security software, fingerprint scans, biometric data, system settings and more alike. The reward for these bugs was $50,000 which has now been upped to $200,000. A blog post was made in regards to these changes by the Android Security team,
“Rewards for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise increase from $50,000 to $200,000 – Rewards for a remote kernel exploit increase from $30,000 to $150,000.”
Recent attacks that might have inspired the upgrade
There were reports coming in recently that claimed in addition to the Judy malware we spoke about earlier, there was also another malware doing the rounds named Fireball. This malware also spread through apps and had amassed between 4.5 to 18 million downloads before they could be taken down. Some of these apps were reportedly around for years on the Play Store before attacking their users. Its a chilling reminder of the number of ways we are vulnerable to cyber attacks.