Google has rewarded $112,500 (over Rs. 72 Lakh) to a security researcher for finding and reporting a serious security flaw in Google Pixel smartphones.
Security researcher Guang Gong (@oldfresher), from Alpha Team, Qihoo 360 Technology, reported a working remote exploit chain back in August 2017 through the Android Security Rewards (ASR) program. She was first awarded $105,000, the highest reward in the history of the ASR program. She also received $7,500 from the Chrome Rewards program.
Google resolved the bug as part of the December 2017 monthly security update. Devices with a security patch level of 2017-12-05 or later are protected.
The exploit chain includes CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that allows an attacker to gain remote code execution in the sandboxed Chrome renderer process. The second bug, CVE-2017-14904, was found in Android's libgralloc module and is used to escape from Chrome's sandbox. Together, the exploit chain can be used to inject arbitrary code into system_server when a malicious URL is opened in Chrome.
Opening such a malicious URL on an affected Google device can lead to the download of additional malware.
Through the Android Security Rewards program, Google recognizes the contributions of security researchers working on Android's security features. The Google Pixel 2, Google Pixel, Pixel XL and Google Pixel C devices are covered under the same program.
It is also worth noting that Google has already paid more than $1.5 million to security researchers through the ASR program.