Six months ago, Google offered to pay US$200,000 to any researcher who could remotely hack into an Android device by knowing only the victim's phone number and email address. No one stepped up to the challenge.
While that might sound like good news and a testament to the mobile operating system's strong security, that's likely not the reason why the company's Project Zero Prize contest attracted so little interest. From the start, people pointed out that $200,000 was too low a prize for a remote exploit chain that wouldn't rely on user interaction.
"If one could do this, the exploit could be sold to other companies or entities for a much higher price," one user responded to the original contest announcement in September.
"Many buyers out there could pay more than this price; 200k not worth for finding needle under haystack," said another.
Google was forced to acknowledge this, noting in a blog post this week that "the prize amount might have been too low considering the type of bugs required to win this contest." Other reasons that might have led to the lack of interest, according to the company's security team, might be the high complexity of such exploits and the existence of competing contests where the rules were less strict.
In order to gain root or kernel privileges on Android and fully compromise a device, an attacker would have to chain multiple vulnerabilities together. At the very least, they would need a flaw that would allow them to remotely execute code on the device, for example within the context of an application, and then a privilege escalation vulnerability to escape the application sandbox.
Judging by Android's monthly security bulletins, there's no shortage of privilege escalation vulnerabilities. However, Google wanted for exploits submitted as part of this contest to not rely on any form of user interaction. This means the attacks should have worked without users clicking on malicious links, visiting rogue websites, receiving and opening files, and so on.
This rule significantly restricted the entry points that researchers could use to attack a device. The first vulnerability in the chain would have had to be located in the operating system's built-in messaging functions like SMS or MMS, or in the baseband firmware -- the low-level software that controls the phone's modem and which can be attacked over the cellular network.
One vulnerability that would have met these criteria was discovered in 2015 in a core Android media processing library called Stagefright, with researchers from mobile security firm Zimperium finding the vulnerability. The flaw, which triggered a large coordinated Android patching effort at the time, could have been exploited by simply placing a specially crafted media file anywhere on the device's storage.
Sign up for Computerworld eNewsletters.