Like super-powered individuals, hackers can use their powers for good, or for evil. Google has called upon the former group for an extremely important bit of research: to see if there’s an exploit that can compromise a wide variety of Android phones remotely, with no information provided about the target devices except phone numbers or Gmail addresses.
Google doesn't expect hackers to give up this information out of the kindness of their hearts. For the next six months, the first person to find such a flaw will get $200,000, while the second will get $100,000.
Google's Project Zero bug-finding team posted information about the contest, called the Project Zero Prize, this week on its blog. As it stands, Google already offers rewards for independent researchers who find bugs in its systems, but a project this wide in scope requires a reward to match. At present, even the most extreme Google bug bounty tops out at less than $10,000.
"There are often rumors of remote Android exploits, but it's fairly rare to see one in action," Project Zero researcher Natalie Silvanovich wrote on the blog. "Hopefully, this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs."
Since there's a lot of money involved, there are a few catches. First off, Google encourages researchers to submit each bug they find as quickly as possible, rather than waiting until several new bugs can be strung together into an exploit chain. Each submitted bug remains eligible for the regular bug-bounty program reward, and only the person who first reported a bug may use it as part of a complete exploit later on.
(The post isn't clear about what will happen if two people come up with an idea independently, but this may be more to discourage piggybacking than coincidental convergence.)
For starters, the exploit must work on Google's own flagship Nexus 6P and Nexus 5X phones, running any Android Nougat (7.x) build. The contest requires entrants to begin with nothing but the phone number and/or email address for a specific phone, and then compromise that phone without ever having physical access to it. How researchers gain access to passwords and remote control over a phone will be a topic of some interest when the contest is over.
While the first and second person to find such a bug will receive $200,000 and $100,000, respectively, there’s another $50,000 to be distributed among other researchers who find clever bugs.
Cunning researchers will be quick to point out that to the right party, a universal Android remote exploit could be worth much more than $200,000. On the other hand, that’s all the more reason why good-hearted security researchers should get cracking ASAP. Better that they find it and allow Google to patch it than to wait until it falls into a cybercriminal's hands.