Alphabet revealed that it paid $112,500 to Guang Gong, a member of the Alpha Team at Qihoo 360 Technology Co. Ltd., in August 2017.
The payout was for Gong's submission of the “first working remote exploit chain” that could compromise Google Pixel devices.
The company also announced that its Android security team has increased payouts under its ‘Android Security Rewards’ (ASR) program. The payment awarded to Gong was made under ASR and was the highest in the history of the program. Of that amount, $105,000 was paid by the ASR program and the remaining $7,500 by the Chrome Rewards program. Notably, Google fixed the set of issues in its December 2017 Android security patch update.
According to the technical details that Google posted on its security blog, the ‘exploit chain’ consists of two security bugs, CVE-2017-5116 and CVE-2017-14904. The first bug is in the V8 engine and lets attackers execute remote code inside the sandboxed Chrome render process. The second bug is in the ‘libgralloc’ module of the Android system and allows that code to escape the sandbox.
In simple terms, an attacker can ‘inject’ code into the Android system_server by way of a malicious URL. This means the attacker can then push additional malware for hijacking or surveillance. Google has published a detailed blog post explaining how the bugs and the attack work. According to a report by ZDNet, the company has awarded more than $15 million to security researchers, with the top research team earning $300,000 for 118 reports about security flaws.
Updated Date: Jan 21, 2018 11:08 AM