Google will start paying hackers up to $200,000 for reporting vulnerabilities in Android, a four-fold increase over the current top payout. The program has been around for two years, and Google says that even though it has already paid over $1.5 million to security researchers who have submitted hundreds of qualifying reports, nobody has ever claimed the top reward for an exploit.
Google is raising the stakes in hopes that more security researchers will help them keep Android as secure as possible. The company is making two bug bounty increases: The reward for a remote kernel exploit, which could give unauthorized users the ability to hack and gain control of Android devices or steal an individual’s personal data, has quintupled from $30,000 to $150,000. The reward for a remote exploit chain or exploit compromising TrustZone or Verified Boot, which ensures security software, biometric data, fingerprint scans and system settings are secure, has quadrupled to $200,000.
In addition to increasing rewards, Google says it's working closely with device manufacturers to make sure bug fixes actually reach users' devices when they roll out. The company says over 100 device models have a majority of their deployed devices running a security update from the last 90 days.
There are over 2 billion monthly active Android devices out there, so that's a lot of surface to cover. The update comes just days after security research firm Check Point disclosed that malware called "Judy" was found in over 41 apps available in the Play Store, some of them available since 2016, undetected by Google. The malware generated fraudulent ad revenue for its creators.