Google has announced changes to its bounty program in a bid to tackle vulnerabilities found in popular Android apps.
Just this week, CamScanner, an app with over 100 million installs, was removed from the Play Store after it was caught spreading malware.
Kaspersky researchers found that CamScanner’s recent versions shipped with a malicious Trojan Dropper module, which extracted and ran a further malicious module from an encrypted file stored in the app’s resources.
CamScanner is far from the only example of this happening and so Google is taking increased steps to protect Android users.
Whereas previously the Google Play Security Reward Program (GPSRP) only provided monetary rewards for apps developed by Google, the initiative has now been expanded to all apps over 100 million installs.
In a post published by Google engineers Patrick Mutchler, Sebastian Porst, and Adam Bacchus, they wrote:
“We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs.
These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program.”
Google will coordinate between the security researcher and the affected app’s developer to ensure the vulnerability is fixed in a safe and responsible manner.
Three types of vulnerability are currently eligible for a GPSRP payout:
- Remote code execution bugs ($20,000)
- Theft of insecure private data ($3,000)
- Access to protected app components ($3,000)
Where a popular app developer already has its own bounty program, security researchers will be able to collect a reward both from Google and the app’s developer. To date, GPSRP itself has paid out over $265,000 in bounties.
The new rewards should help to greatly boost the security of Android while incentivising researchers to do the right thing if a vulnerability has been discovered.