With malware creators becoming more aggressive and sophisticated, a number of tech companies in recent years have instituted “bug bounty” programs that provide monetary rewards to any individual or group that uncovers critical vulnerabilities in software. Google has had a bug bounty program for years now, but the search giant recently expanded the scope of the program beyond the software it develops in-house.
According to HackerOne, Google’s new bug bounty program now incentivizes hackers to unearth software vulnerabilities in some of the more popular third-party apps on the Play Store. The new program will presumably result in more secure Android apps while also limiting the damage whenever a serious issue is discovered. While perhaps not a common occurrence, it’s not all that unusual to see reports of malware infecting widely downloaded Android apps.
For anyone keen on tackling Google’s new software challenge, payments of $1,000 will be made for each verified software vulnerability.
The vulnerability criteria are laid out below:
For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (proofs of concept) that work on Android 4.4 devices and higher.
This translates to any RCE vulnerability that allows an attacker to run code of their choosing on a user’s device without user knowledge or permission. Examples may include:
- UI Manipulation to commit a transaction. For example, causing a banking app to make money transfers on behalf of the user without their consent.
- Opening of webview that may lead to phishing attacks. Opening webview without user input or interaction.
There is no requirement that OS sandbox needs to be bypassed.
Notably, the new bug bounty program, as it stands now, only applies to Google-developed Android apps and the following third-party apps: Alibaba, Dropbox, Duolingo, Headspace, Line, Mail.Ru, Snapchat, and Tinder. Down the line, though, the program may open up to include additional third-party apps.