Rewarding Hackers for Discovering Severe Flaws in Apps with over 100 Million Users, Google Announces Bounty Program.
Taking on Android Security: Google's Renewed Efforts with Google Play Security Reward Program
Google's been beefing up its security game, rolling out updates for its bounty program, Google Play Security Reward Program (GPSRP), to help combat malicious activities and security vulnerabilities in popular Android apps.
Recently, a famous app with over 100 million installs was discovered by researchers at Kaspersky to have been spreading malware and was swiftly pulled from the Google Play Store. The offender? CamScanner, and its latest version housed a malicious Trojan Dropper module, ready to sneakily extract and run another malicious module from an encrypted file within the app's resources.
CamScanner isn't the only app found spreading malicious code on Google Play Store, and Google is now taking action to safeguard Android users.
GPSRP, which previously rewarded only bugs found in Google-developed apps, will now also pay researchers for reporting bugs in popular third-party apps with over 100 million installs [1].
For developers who want to avoid falling into this pit, the App Developer Comparison Guide: Finding Your Perfect Match [2] streamlines the decision-making process. The guide helps you evaluate app developers against essential factors so you can make informed, confident choices for your projects.
Google's put a bounty on the following vulnerabilities:
- Remote Code Execution (RCE) bugs ($20,000): an attacker can run arbitrary native ARM code on an unsuspecting device without the user's consent.
- Theft of Insecure Private Data ($3,000): an attacker can steal sensitive, personally identifiable information from an Android device running default security settings.
- Access to Protected App Components ($3,000): app components that do not properly validate an incoming Intent can be made to perform operations beyond the scope of the app's permissions.
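The third category above (and the Intent redirection protections mentioned later in the article) comes down to how an app handles an Intent it receives from another app. The following is an added illustrative Android example, not code from the article or from any app it names; the class, extra key and allow-listed target are assumed names. It shows an exported Activity forwarding a caller-supplied nested Intent, first as the vulnerable pattern and then with the checks that keep the forwarded Intent inside the app's intended surface.

```java
// Added illustrative example (not from the article). Names are assumed.
import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import java.util.Set;

public class RedirectActivity extends Activity {
    // Extra under which a caller passes the Intent to forward (assumed key).
    static final String EXTRA_NEXT = "next_intent";
    // Only this app's own, deliberately reachable targets may be forwarded to.
    static final Set<String> ALLOWED_TARGETS = Set.of("com.example.app.ShareActivity");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next == null) { finish(); return; }

        // Vulnerable pattern: forwarding `next` unchanged lets any app on the
        // device launch this app's non-exported components under this app's
        // identity and permissions ("Access to Protected App Components").
        // startActivity(next);

        // Hardened pattern: forward only after validating the nested Intent.
        if (isSafeToForward(next)) {
            startActivity(next);
        }
        finish();
    }

    boolean isSafeToForward(Intent next) {
        PackageManager pm = getPackageManager();
        ComponentName target = next.resolveActivity(pm);
        if (target == null) return false;
        // Reject targets outside an explicit allow-list of our own activities.
        if (!getPackageName().equals(target.getPackageName())) return false;
        if (!ALLOWED_TARGETS.contains(target.getClassName())) return false;
        // Reject smuggled URI grants: they would hand the caller access to our
        // content providers with our permissions.
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION;
        if ((next.getFlags() & grantFlags) != 0) return false;
        // Defence in depth: only forward to components the caller could have
        // launched directly anyway, i.e. exported ones.
        try {
            ActivityInfo info = pm.getActivityInfo(target, 0);
            return info.exported;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }
}
```

Declaring the Activity as exported in the manifest is what makes it reachable by other apps in the first place; the same validation applies to exported Services and BroadcastReceivers that re-dispatch Intents they receive.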
Once an app is found to harbor a critical bug or vulnerability, Google works with the researcher to disclose the issue to the app developer and pays out the bounty. If the app developer runs their own bounty program, the researcher gets a cut from that as well [3].
As it stands, the Google Play Security Reward Program has already dished out over $265,000 in bounties [4].
[1] In A Bulletin: Google Updates Its Bounty Program To Help Fight Malware On Android Apps - Androidheadlines, Jan 1, 2025
[2] Streamlined developer evaluation: Finding Your Perfect Match - Our Blog, Jan 10, 2025
[3] Google's 2025 Security Reward Program Payments And Exploits - The Next Web, Jan 20, 2025
[4] Google Play Security Reward Program statistics page - Android official website, Feb 1, 2025
[Image Credits]: Androidheadlines, thenextweb
[5] GPSRP and Third-Party Programs Collaboration - Google Play technical documentation, Jan 15, 2025
In addition, Google Play System Updates and the Android 16 improvements provide a strong foundation for device security, network usage and system management, with better protection against Intent redirection, per-app media access and stricter permission management for local network access [6]. Moreover, the collaboration between third-party bug bounty programs and GPSRP creates a broader safety net for detecting and reporting vulnerabilities in widespread apps [6].
[6] Google Play Security Rewards Program documentation and privacy policy (enrichment data), 2025
- To better secure data and cloud computing on Android devices, Google has updated the Google Play Security Reward Program (GPSRP) to include rewards for uncovering vulnerabilities in popular apps with over 100 million installs, such as CamScanner.
- In addition to the Google Play Security Reward Program, third-party bug bounty programs are collaborating with it to create a broader safety net for detecting and reporting security vulnerabilities in apps, improving overall security for users.