It is not a secret that Google pays out bounty in cash to people who discover legitimate bugs in Android, especially bugs that affect either their old Nexus flagships or the newer Pixel line of phones. Just recently, Google awarded a record amount of USD$112,500 to a Chinese researcher who discovered an exploit chain in Android under the Android Security Rewards program which increased their payout levels in 2017.
Guang Gong is a researcher who works for a Chinese security outfit called Qihoo 360 Technology. He discovered the bugs in Android – henceforth known as CVE-2017-5116 and CVE-2017-14904 – which were already resolved in Android’s December 2017 security patch. Google has announced that the full payout was made this week, and the security researcher is now richer by a hundred thousand dollars.
The exploit chain that the researcher discovered attacked the original Google Pixel phone, Google’s flagship mobile device for 2016. It was widely hyped for being one of the most secure Android phones for consumers. The vulnerability allowed a remote attacker to execute code via HTML inside the Chrome browser’s sandbox. The second bug allowed escape from Chrome’s sandbox, and when both were combined, the vulnerabilities allow attackers to remotely inject code into the Pixel’s system_server process.
— vangelis (@vangelis_at_POC) November 11, 2016
Google is investing a lot so that bugs in Android should come to light, and that they eventually squash said bugs with their regular monthly security bulletins. Qihoo 360’s team of researchers already know a bit about the Pixel phone, as they were the ones who cracked the Pixel in under 60 seconds at the Pwn2Own 2016 white hat hackfest via remote code execution.