SecurityWeek

Google Launches Android Hacking Contest

Google announced on Tuesday the launch of a new hacking contest that invites researchers to find serious vulnerabilities and exploit chains in the Android operating system. The search giant is prepared to pay hundreds of thousands of dollars to the winners.

The contest, named “The Project Zero Prize,” will run until March 14, 2017. Participants must find a full exploit chain that allows them to achieve remote code execution on up-to-date Nexus 6P and Nexus 5X devices by knowing only their email address and phone number – the maximum allowed user interaction is opening an email in Gmail or an SMS in Messenger.

The first winning entry will be awarded $200,000, and the second will get $100,000. All the other winning entries will receive at least $50,000. Winners will also be invited to write a short technical report describing the vulnerabilities on the Project Zero blog.

While the Project Zero Prize competition takes place over the course of six months, hackers must not hoard the flaws they find. Each bug in the chain must be submitted to the Android issue tracker as soon as possible to ensure that it’s not reported by someone else first, as only the first person to file a vulnerability can use it as part of their exploit.

“Our main motivation is to gain information about how these bugs and exploits work,” explained Natalie Silvanovich of Google’s Project Zero team. “There are often rumours of remote Android exploits, but it’s fairly rare to see one in action. We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs.”

Another reason for running the contest, Silvanovich said, is to fix potentially dangerous Android vulnerabilities so that they don’t impact users. The search giant also hopes to gather some statistical data on the availability of these exploits.

Entries that don’t win any prizes as part of the competition can still qualify for a reward in the regular Android bug bounty program. In June, after paying out more than half a million dollars, Google announced that it increased Android bug bounty payouts to a maximum of $50,000 per submission.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
