Google is promising $1,000 rewards under a new public bug bounty program focused on finding and fixing vulnerabilities in mobile applications available on the Google Play store.
Initially, participants in the bug bounty program will work directly with app developers. Bug hunters and developers will communicate through the HackerOne platform, and a reported security issue can earn an award of $1,000.
In the program announcement, Google said:
Developers of popular Android apps are invited to opt-in to the program, which will incentivize security research in a bug bounty model. The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem.
Bug hunters will report vulnerabilities and security issues directly to app developers, who must verify the bug and develop a fix for it. Once that is done, participants can request their reward from Google's bug bounty program.
Google stated that the reward is only available to researchers who find vulnerabilities that can be triggered on Android devices running Android 4.4 or later. The vulnerability classes eligible for a reward include:
- bugs that give attackers the ability to install and execute code on a device;
- WebView-based vulnerabilities that expose victims to phishing by loading web content without user interaction;
- manipulation of the user interface to trigger transactions.
Most of the apps in scope are Google's own applications, alongside third-party apps such as Alibaba, Duolingo, Snapchat, Tinder, and others. Other high-profile apps could be added later, and according to Google, more apps will join the program, widening the scope of bugs eligible for the $1,000 reward.
The bug bounty program does not cover adware, spyware, or rooting malware.
According to Kaspersky Lab, Google has already removed 132 apps from its app store after they were found to contain malicious iframes. The iframe malware was traced to a development platform used by most of the affected developers, and the apps had been downloaded over 250,000 times.
Kaspersky Lab also reported two other incidents that forced Google to remove dozens of adware apps. Malware called SMSVova allowed cybercriminals to obtain location data and even change passwords.
The other malware, called SonicSpy, was detected in three messaging apps that were available on the Google Play store and in over 1,000 other third-party Android app stores.
Google has also announced a security tool for Android: Google Play Protect. Google Play Protect is security software that scans apps for malicious code. It also scans apps from third-party stores that are not covered by Google's Verify Apps scanner. By combining Google Play Protect with the Google Play bug bounty program, Google aims to maximize protection against malware and other malicious programs.