Google has awarded $112,500 (Rs 7,169,300 approximately) to a security researcher for reporting an exploit that could be used to compromise its Pixel smartphones. This started back in August 2017, when Guang Gong from Alpha Team, Qihoo 360 Technology submitted an exploit chain through the Android Security Rewards (ASR) program. The exploit chain covers two bugs – CVE-2017-5116 and CVE-2017-14904.
The first vulnerability is a V8 engine bug, which can be used for remote code execution in sandboxed Chrome render process environments. The second security flaw is found in Android’s libgralloc module, and can be used to escape from Chrome’s sandbox.
Google says this exploit chain can be used to inject arbitrary code into system_server by accessing a malicious URL in Chrome. The company said that clicking on such URLs through Google devices will potentially lead to the download of additional malware.
Through the Android Security Rewards program, the company recognizes the contributions of security researchers working on Android’s security features. As of October 2017, the smartphones covered under the program include Google Pixel 2, Google Pixel and Pixel XL, and Google Pixel C. The vulnerability chain was resolved as part of Google’s December security update, which patched a total of 42 bugs.
To date, Google has paid researchers more than $1.5 million (Rs 95,647,500 approximately) through the ASR program.