Bug hunters fail third year in a row to get top prize in Android hacking program

Bug hunters earned over $3 million in rewards for security flaws found in the Android OS since 2015.
Written by Catalin Cimpanu, Contributor

Security researchers have once again failed to win the top reward in Google's Android bug bounty program. This is the third year in a row that bug hunters have failed to claim the largest prize Google is willing to pay for any type of security-related bug.

Anyone who submitted a working remote exploit chain leading to a TrustZone or Verified Boot compromise on an Android device could have earned up to $200,000 under the Android Security Rewards program, the name of Google's Android bug bounty program.

Over the years, researchers have found it very difficult to put together remote exploit chains that could compromise TrustZone or Verified Boot, two of the Android OS' most powerful security features.

Google offered meager rewards in the program's first year, in 2015, but seeing that researchers weren't coming up with remote exploits against TrustZone or Verified Boot, the company increased rewards to $50,000 in June 2016, and then to $200,000 last year, in June 2017.

Project Zero, Google's in-house team of security researchers, also held their own separate contest between September 2016 and March 2017, during which they also offered a $200,000 reward for the same type of remote Android hack, but nobody managed to claim that prize either.

But despite failing to claim the top prize in Google's Android bug bounty, researchers were extremely prolific in finding other security flaws. In a blog post today, Google said that since the program's launch in 2015, the company has paid over $3 million in rewards, roughly $1 million per year.

In a retrospective of the past year, Jason Woloz and Mayank Jain of the Android Security & Privacy Team said 99 different bug hunters submitted 470 vulnerability reports in the past year.

The average payout per approved bug report was $2,600, while the average payout per researcher was $12,500, up 23 percent compared to last year.

This year's highest bug payout went to Guang Gong, a Chinese security researcher with Alpha Team at Qihoo 360 Technology Co. Ltd., who received $105,000 for a remote exploit chain formed of two vulnerabilities (CVE-2017-5116 and CVE-2017-14904) against a Google Pixel device. To date, this is Google's highest payout for an Android bug.

But bug hunters were also successful in another Android-related bug bounty program, which is the Google Play Security Reward Program.

Launched last year in October, this program rewards researchers who find bugs in popular third-party Android apps. Google said it accepted 30 bug reports in the past year and paid a combined bounty amount of over $100,000.

Last but not least, as it did last year, Google also published today a list of 250 Android smartphone models that are currently running a version of the Android OS with a security update from the last 90 days.

Google started publishing this list last year in an effort to recognize phone makers who keep their devices up to date, and also provide a guiding list for users who want to purchase a device that regularly receives security updates.

This year's list includes devices from makers such as ANS, ASUS, BlackBerry, Blu, bq, Docomo, Essential, Fujitsu, General Mobile, HTC, Huawei, Itel, Kyocera, Lanix, Lava, LGE, Motorola, Nokia, OnePlus, Oppo, Positivo, Samsung, Sharp, Sony, Tecno, Vestel, Vivo, Vodafone, Xiaomi, ZTE, and, of course, Google itself.
