Google Awards Record $112,500 Bounty for Android Exploit Chain

Prolific bug hunter Guang Gong has earned the highest-ever payout for a vulnerability in the history of Google’s Android Security Rewards program, which began in 2015.

He earned a combined $112,500 for the disclosure of an Android exploit chain impacting Google’s Pixel handset that could allow an attacker to inject arbitrary code via a malicious URL accessed via the phone’s Chrome browser.

Gong, a researcher with Qihoo 360’s Alpha Team, earned $105,000 via Google’s Android Security Rewards program and a bonus $7,500 through the Chrome Rewards program. Google said the issues were patched as part of its December 2017 monthly security update.

The exploit chain included CVE-2017-5116 and CVE-2017-14904, both rated as “high” severity bugs by the Common Vulnerability Scoring System.

The first vulnerability (CVE-2017-5116) is a V8 engine type confusion bug that allows “a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML,” according to the MITRE description. The second flaw (CVE-2017-14904) is “a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox,” according to a description in an Android Developers Blog.

“Together, this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome,” Google wrote.

> Gong Guang from 360 Alpha Team succeeded in exploiting Google Pixel in #PwnFest2016 #POC2016. pic.twitter.com/a2jnJDR8w6
>
> — vangelis (@vangelis_at_POC) November 11, 2016

For years Gong, and Alpha Team, have been successful bug hunters discovering copious vulnerabilities in the Android ecosystem. At the 2016 PwnFest hacker contest Gong was awarded $120,000 in prize money by event sponsors for exploiting a zero-day vulnerability in Google’s Pixel phone in less than 60 seconds.

The largest-ever payout by the Android Security Rewards program comes on the heels of a decision by Google to increase the maximum bounty payouts for kernel exploits from $30,000 to $150,000 remote kernel exploit and $50,000 to $200,000 for a remote exploit chain or exploit leading to TrustZone or Verified Boot compromise.