Google Expands Play Marketplace Bug Bounty Program

The move adds to Google’s efforts against malicious apps on the Play store.


Google is expanding the number of bounties available in its Google Play Security Reward Program, a step that comes amid a flurry of mitigation activities against malicious apps found in its official marketplace.

The company introduced the program in October, in a long-awaited move. Initially, its scope was limited to RCE (remote code execution) vulnerabilities, with rewards of $1,000. Going forward, Google is implementing a range of rewards for RCEs, going from $1,000 to $5,000.

Google is also adding a new category “that includes vulnerabilities that could result in the theft of users’ private data, information being transferred unencrypted, or bugs that result in access to protected app components.” These will carry a $1,000 award.

The jump in bounty size may be due to a number of factors, said Andrew Blaich, a security researcher at Lookout, via email. “The first is that Google is looking to better reward researchers for finding RCEs to make it more inline with what other bounty programs may pay defensive researchers,” Blaich said.

Also, “if Google makes the bounty more attractive it can hopefully reduce the use or selling of the RCE to an offensive exploit collection firm or used by the researcher themselves in an offensive manner,” he added. “The second possibility is that Google wants to make it more attractive for the finders of RCEs to find and report these vulnerabilities to Google rather than do something else with them.”

As for the new category, Google is likely doing so “because protecting private user data is one of their top concerns,” Blaich said.

The program changes were disclosed in a blog post that looked back at the track record of Google’s security reward programs, which also include ones for Google applications and Chrome. Overall, Google paid out nearly $3 million to security researchers in 2017. It also made grants totaling $125,000 to more than 50 security researchers, according to the post.

When first announced, the Play program was invite-only. Google did not immediately respond when asked whether it is now open to all researchers.

There are more than 3.5 million apps on the Play store at present, which makes policing it a sizable task. Google recent said it booted 700,000 apps from the store during 2017, a 70 percent rise over 2016. Ninety-nine percent of bad applications were removed before anyone could install them, Google said.

Bad app types include copycats, which impersonate popular programs in hopes of getting users to download them, ones with inappropriate content such as pornography, and PHAs (potentially harmful applications). Downloaders, spyware, backdoors, phishing and ransomware apps are among the types Google classifies as PHAs.

While Google says PHAs represent a small percentage of the bad apps it removes from the store, some still get through.

In August, Google chucked a few hundred apps from from Play after it emerged they had been compromised by malware associated with the WireX botnet and affected devices were being used in DDoS attacks.

And last month, Check Point researchers revealed that Google removed more than 20 Android utility applications, such as flashlights and one for recording phone calls, from the store after the company alerted it to their presence. The apps loaded malware onto users’ devices that generated illegal ad revenue by forcing them click on ads before taking actions.

The app makers may have been able to get around Google’s Play Protect–which continuously scans existing and new apps for malware–by using transparent permissions but then overriding the user’s decisions once the app was installed, Check Point said.

“Malware authors have a strong economic incentive to get into Google Play and hence they will always evolve their apps to try to evade detection,” Lookout’s Blaich said. The massive number of malicious apps Google has managed to stop is at least in part due to many attempts by the same actors, he added: “By constantly probing the defenses malware authors are bound to be successful once in a while.”

This post was updated at 8:39 EDT on 2/7/18 to include comments from Lookout researcher Andrew Blaich.

Suggested articles