Google has awarded a total of $112,500 to a security researcher for reporting an android exploit chain which could be used to compromise Pixel mobile devices.
The tech giant revealed the technical details of the exploit chain on Wednesday.
In August 2017, Guang Gong from Alpha Team, Qihoo 360 Technology submitted an exploit chain through the Android Security Rewards (ASR) program.
The first vulnerability is a V8 engine type confusion bug which can be utilized for remote code execution in sandboxed Chrome render process environments.
The second security flaw is found in Android’s libgralloc module and can be used to escape from Chrome’s sandbox due to a map and unmap mismatch, which can, in turn, prompt a Use-After-Unmap error.
When combined, the vulnerabilities can be used by attackers to remotely inject arbitrary code into the system_server process when a malicious URL in Chrome is accessed.
If a user of a Pixel or other Android-based smartphone clicks on such a URL, their devices can be compromised, potentially leading to the download and execution of additional malware payloads, hijacking, and surveillance.
Google says the find is the first working remote exploit chain submitted through the program to date.
Gong was awarded $105,000 for his report, with an additional bonus of $7500 through the Chrome Rewards program.
The vulnerability chain was resolved as part of Google’s December security update, which patched a total of 42 bugs.
In June 2017, Google increased the ASR payout rewards for remote exploit chain or exploits leading to TrustZone or Verified Boot compromise from $50,000 to $200,000.
The scheme has awarded researchers over $1.5 million to date, with the top research team earning $300,000 for 118 vulnerability reports.