In 2015, a “bug bounty program” for Android was implemented by Google. Any ethical hacker or security investigator that provided information on possible exploits would be in the market for a cash prize – and a hefty one at that.
Despite this, in the two years of this program’s activity the number of reported bugs has been low. After the Judy Malware hit Android phones recently, the frustration became amplified on Google’s part. Of course the entire point of the bug bounty program is to prevent attacks similar to Judy Malware.
Judy Malware was named after the app that spread the malware infection – Chef Judy: Picnic Lunch Maker. In Check Point’s mobile research blog, they explained the Judy Malware:
“The malware, dubbed ‘Judy’, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.”
After 4.5-18.5 million downloads, the malware app was finally taken down from Google’s play store. Although Google’s bug bounty program has had (even limited) success over the years, Google has now raised the bounty even higher. The company is now offering anywhere anything from $100 to $31,337, depending on the bug.
There are also many other factors that play into the bug bounty program, such as terms and conditions. Google defines an appropriate reported exploit as any application concern that significantly disturbs the privacy/veracity of user data.
Google does clarify on the extent of purposeful exploiting:
“Note that the scope of the program is limited to technical vulnerabilities in Google-owned browner extensions, mobile, and web applications; please do not try to sneak into Google offices, attempt phishing attacks against our employees, and so on.”
Google released a list of common exploit examples:
- Cross-site scripting
- Cross-site request forgery
- Mixed-content scripts
- Authentication or authorization flaws
- Server-side code execution bugs