Google will pay hackers to discover bugs in apps with over 100m installs

Google will pay hackers to discover bugs in apps with over 100m installs
Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures. He can often be sighted at tech conferences with a strong coffee in one hand and a laptop in the other. If it's geeky, he’s probably into it. Find him on Twitter (@Gadget_Ry) or Mastodon (

Google has announced changes to its bounty program in a bid to tackle vulnerabilities found in popular Android apps.

Just this week, CamScanner, an app with over 100 million installs, was removed from the Play Store after it was caught spreading malware.

Discovered by Kaspersky researchers, CamScanner's recent versions shipped with the malicious Trojan Dropper module which extracted and ran another malicious module from an encrypted file that is found in the app's resources.

CamScanner is far from the only example of this happening and so Google is taking increased steps to protect Android users.

Whereas previously the Google Play Security Reward Program (GPSRP) only provided monetary rewards for apps developed by Google, the initiative has now been expanded to all apps over 100 million installs.

In a post published by Google engineers Patrick Mutchler, Sebastian Porst, and Adam Bacchus, they wrote:

"We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs.

These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program."

Google will coordinate between the security researcher and the affected app’s developer to ensure the vulnerability is fixed in a safe and responsible manner.

There are three types of vulnerabilities currently eligible for a GPSRP payout, these are:

  • Remote code execution bugs ($20,000)

  • Theft of insecure private data ($3,000)

  • Access to protected app components ($3,000)

Where a popular app developer already has its own bounty program, security researchers will be able to collect a reward both from Google and the app’s developer. To date, GPSRP itself has paid out over $265,000 in bounties.

The new rewards should help to greatly boost the security of Android while incentivising researchers to do the right thing if a vulnerability has been discovered.

 Interested in hearing industry leaders discuss subjects like this and sharing their use-cases? Attend the co-located 5G ExpoIoT Tech Expo, Blockchain Expo, AI & Big Data Expo, and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *