The Android Security Rewards (ASR) program was created by Google in 2015 to reward researchers who submit Android security vulnerabilities to the company. The monetary rewards are based on the severity of each finding, which must be related to the latest available Android versions for Pixel phones and tablets.
Back in June 2017, the program received a boost in some of its rewards because, according to Google, “every Android release includes more security protections and no researcher has claimed the top reward for an exploit chains in 2 years”. But last Friday the company finally announced the first big reward since those changes for a working Android remote exploit chain.
The $112,500 bug bounty, which was announced by Google in a blog post, was awarded to Guang Gong, a Chinese researcher who works at Qihoo 360 Technology, a Chinese security firm. The reward was for two bugs submitted back in August 2017: CVE-2017-5116, which allows remote execution of arbitrary code inside Chrome’s sandbox via crafted HTML, and CVE-2017-14904, which allows an escape from Chrome’s sandbox.
If combined, those vulnerabilities allow the remote injection of arbitrary code into Pixel’s system_server process. And to make matters even worse, an attacker would only need the user to access a maliciously crafted URL through Chrome in order to perform the attack.
As pointed out by Google, Gong received $105,000 from the ASR program, the highest reward the program has ever paid, and an additional $7,500 from the Chrome Rewards program, launched back in 2010 to reward those who submit Chrome and Chrome OS security vulnerabilities to the company.
Of course, Google publicly released the details of both attacks only after patching them in the December 2017 security update. If you are interested in the technical details, see the announcement blog post, where Guang Gong wrote a guest article explaining the exploit chain.