SecurityWeek

No Prizes Awarded in Google’s Android Hacking Contest

Google reported last week that its Project Zero Prize contest was not as successful as the company hoped it would be – no valid Android exploits were submitted and no prizes were awarded.

In September, Google announced the start of a six-month Android hacking contest that invited researchers to submit serious vulnerabilities and exploit chains. The first winning entry was offered $200,000, and the second would have received $100,000. Other entries were promised at least $50,000.

While some research teams and individuals informed the company of their intention to take part in the contest, ultimately, no one submitted any valid bugs, said Google Project Zero’s Natalie Silvanovich. Some vulnerability reports were submitted, but they were not eligible for a reward under the rules of the Project Zero Prize.

Google believes three main factors led to the lack of entries. One of them was the level of difficulty – hackers were required to find a full exploit chain that allowed remote code execution on up-to-date Nexus 6P and Nexus 5X devices by knowing only the target's email address and phone number. The only user interaction allowed was opening an email in Gmail or an SMS in Messenger.

Project Zero Prize participants were encouraged to submit partial exploits during the contest, as the rules allowed only the first submitter to use a given vulnerability.

“We expected these rules to encourage participants to file any bugs they found immediately, as only the first finder could use a specific bug, and multiple reports of the same Android bug are fairly common,” Silvanovich explained. “Instead, some participants chose to save their bugs for other contests that had lower prize amounts but allowed user interaction, and accept the risk that someone else might report them in the meantime.”

The tech giant also believes the prizes offered in the contest may have been too small for the types of vulnerabilities that were required. For example, zero-day acquisition firm Zerodium also offers up to $200,000 for Android rooting exploits, and such exploits can fetch much more on the black market.

While this contest was not a success, researchers do find plenty of vulnerabilities in Android. Google revealed recently that it paid out roughly $1 million for Android flaws reported last year through its vulnerability reward program.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
