Days after malware called “Judy” hit over 36.5 million Android-based phones, Google has increased the bounty for finding a bug in the Android operating system to as much as $200,000, a media report has said.
According to cyber security firm Check Point, dozens of malicious apps were downloaded between 4.5 million and 18.5 million times from the Play Store. Some of the malware-affected apps had been residing on the online store for several years before they were discovered.
“Judy” is only one example of how an open and free mobile operating system (OS) can be exploited by malicious app developers.
Google started the bug bounty program for Android about two years ago. It works just like other bug bounties the company has used for other products. Security researchers who can demonstrate an exploit get a cash prize, the amount of which varies based on the severity of the hack. Then, Google gets to fix the bug and avoid future security issues. Still, no one has submitted a working exploit for Android’s core components, even when such an exploit is worth $30,000-$50,000. So, by increasing the reward, Google hopes it will attract more researchers and engineers to the bug bounty program.
The increased reward applies to two bounties: one for vulnerabilities in TrustZone or Verified Boot, and the other for a remote kernel exploit. Android is based on the Linux kernel, which has given the platform great flexibility over the years. However, the Linux kernel also comes with baggage. It has been the cause of several significant security breaches known as remote kernel exploits. An example of this is the TowelRoot exploit, which users could employ to gain root on a device. Of course, hackers could also use remote kernel exploits like that to infiltrate devices and steal data. The bounty for a new remote kernel exploit has gone up to $150,000 from $30,000.