Google Will Pay Hackers To Find Critical Bugs In Apps With Over 100m Installs

With the rise in recently discovered security vulnerabilities in popular Android apps, Google has announced updates to its bounty program (the Google Play Security Reward Program) to help discover and fight malicious code and security vulnerabilities in widely installed Android apps.

Just last month, one popular app with over 100 million installs was discovered by Kaspersky researchers to have been spreading malware, and it was immediately removed from the Google Play Store.

The app in question was CamScanner; its most recent version contained a malicious Trojan Dropper module, which extracted and then ran another malicious module from an encrypted file stored in the app’s resources.

CamScanner is just one of a growing number of apps found to have been spreading malicious code through the Google Play Store, and Google is now adding new measures to help protect Android users.

Google’s bounty program, the Google Play Security Reward Program (GPSRP), has been around for a long time, but until now it only paid rewards for bugs found in apps developed by Google. Going forward, the program will also reward hackers who find bugs in third-party apps with over 100 million installs.

Google engineers Patrick Mutchler, Sebastian Porst, and Adam Bacchus wrote in a blog post:

“We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs.

These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program.”

According to Google, these are the three types of vulnerabilities eligible for a payout in the Google Play Security Reward Program:

Remote Code Execution (RCE) bugs ($20,000)

RCE vulnerabilities allow attackers to run arbitrary native ARM code on an affected device without the user’s knowledge or permission.

Theft Of Insecure Private Data ($3,000)

Attackers gain unauthorized access to personally identifiable information and can steal it from affected Android devices that run the default security settings.

Access To Protected App Components ($3,000)

When an app component processes an Intent passed from another app (via startActivity, sendBroadcast, startService, etc.) without properly validating it, the vulnerable app ends up performing an operation that the sending app does not itself have permission to perform.
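As an added illustration of this bug class (example code written for this article, not taken from Google or from any real app; the class, extra name and package are hypothetical), the Activity below forwards a caller-supplied nested Intent. The commented-out call shows the unvalidated pattern that lets a caller reach the app’s non-exported components; the retained code only forwards targets the caller could already have started directly.

```java
import android.app.Activity;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import android.os.Bundle;

// Hypothetical exported Activity (android:exported="true" in the manifest) that
// other apps can ask to launch a nested Intent on their behalf.
public class ForwarderActivity extends Activity {
    // Extra under which the caller passes the Intent it wants forwarded.
    static final String EXTRA_NEXT = "com.example.extra.NEXT_INTENT";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next == null) {
            finish();
            return;
        }

        // VULNERABLE (the pattern the article describes): the nested Intent is
        // launched with this app's identity and permissions, so a caller can reach
        // components this app marked android:exported="false".
        // startActivity(next);

        // HARDENED: forward only what the caller could have started itself.
        if (isSafeToForward(next)) {
            startActivity(next);
        }
        finish();
    }

    // Resolve the nested Intent and refuse it when the target is not exported;
    // routing such a target through us is exactly the privilege gain to prevent.
    boolean isSafeToForward(Intent next) {
        ResolveInfo ri = getPackageManager().resolveActivity(next, 0);
        if (ri == null || ri.activityInfo == null) {
            return false;
        }
        if (!ri.activityInfo.exported) {
            return false;
        }
        // Also strip URI permission grants so the caller cannot piggy-back our
        // content access onto the forwarded Intent (removeFlags needs API 23+).
        next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        return true;
    }
}
```

Where forwarding is not actually needed, the simpler fix is to declare the component with android:exported="false" so other apps cannot deliver Intents to it at all.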

Once an app is found to have critical bugs or vulnerabilities, Google will coordinate with the hacker to disclose the identified vulnerabilities to the app developer and pay the hacker through the reward program. If the app developer also runs their own bounty program, the hacker can collect the developer’s reward in addition to the cash reward from Google.

As of writing, the Google Play Security Reward Program has already paid over $265,000 in bounties.

Image Credits: Androidheadlines, thenextweb
