Google awarded a record $112,500 bug bounty to a Chinese security researcher after he submitted the first working Android remote exploit chain since the company’s Android Security Rewards program raised top payout levels in 2017.
Guang Gong, a researcher who works for billion-dollar Chinese security firm Qihoo 360 Technology, submitted the bugs in August. The bugs, CVE-2017-5116 and CVE-2017-14904, were resolved in a December 2017 security update. Google announced the full payout this week.
The exploit chain goes after the Pixel, Google’s own flagship mobile device. It’s widely touted as the most secure Android phone on the market.
The first vulnerability allows a remote attacker to execute arbitrary code, via crafted HTML, inside the Chrome browser’s sandbox. The second is a bug that allows an escape from Chrome’s sandbox. Combined, the vulnerabilities allow attackers to remotely inject arbitrary code into the Pixel’s system_server process if the phone’s user accesses certain malicious URLs in Chrome.
Gong and the Qihoo 360 team know a thing or two about high-profile mobile exploits. At Pwn2Own 2016, a prominent hacking contest, Gong’s team cracked the Google Pixel in under 60 seconds to gain remote code execution and the $120,000 cash prize. Android wasn’t the only technology in the crosshairs at that event and Qihoo 360’s team ended up with $520,000 in total prizes when all was said and done.
A full technical writeup is available here.