Google expanded the scope of its Google Play Security Reward Program (GPSRP) to include all Android apps from the Google Play Store with over 100 million installs.

Security researchers who report vulnerabilities in one of these apps will be able to collect a reward from Google, and a second one from the app’s developer if the developer also runs its own bug bounty program on the HackerOne platform.

“This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps,” says Google.

Just last month, one popular app with over 100 million installs was discovered by Kaspersky researchers to have been spreading malware, and it was immediately removed from the Google Play Store.

The app in question was CamScanner. Its most recent version contained a malicious Trojan Dropper module, which extracted and then ran another malicious module from an encrypted file found in the app’s resources.

With the avalanche of security vulnerabilities in popular Android apps, many of them installed on millions of smartphones, Google announced today that it’s making big changes to its Google Play Security Reward Program (GPSRP).

The most important change in GPSRP, Google’s security reward program for its Google Play Store, is that security researchers can now claim a reward for security vulnerabilities in applications that were not developed by the search giant.

“We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs,” wrote Google engineers Patrick Mutchler and Sebastian Porst (Google Play Protect) and Adam Bacchus, who runs GPSRP, in a post. “These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program.”

Google will coordinate between the security researcher and the affected app’s developer to ensure the vulnerability is fixed in a safe and responsible manner.

There are currently three types of vulnerabilities eligible for a GPSRP payout:

  • Remote code execution bugs ($20,000)
  • Theft of insecure private data ($3,000)
  • Access to protected app components ($3,000)

Where a popular app developer already has its own bounty program, security researchers will be able to collect a reward both from Google and the app’s developer. To date, GPSRP itself has paid out over $265,000 in bounties.

The new rewards should help to greatly boost the security of Android while incentivising researchers to do the right thing if a vulnerability has been discovered.

How will Google fix the security flaws?

Whenever a security researcher detects a vulnerability in an app, the app’s developer is notified with detailed insight into the security flaw and guidance on how to fix it. Google Play app developers use the App Security Improvement (ASI) program as a service to improve their apps’ security, and the vulnerability alerts are sent to developers via the Play Console (part of the ASI program).

The ASI program has helped more than 300,000 developers fix more than 1,000,000 apps on Google Play; in 2018 alone it helped more than 30,000 developers fix 75,000 apps. Apps found to have flaws will not be distributed to users until the issue is fixed.

Google has rewarded security researchers with more than $265,000 in bounties through GPSRP; following the increase in scope and rewards, more than $75,500 was awarded in bug bounties between July and August.