Industry News

Hack an Android phone remotely, and win $200,000

Imagine the damage that could be caused if a criminal was able to infect an Android smartphone remotely just by sending it a message, knowing nothing more than the device’s phone number or email address.

It’s easy to imagine how governments, intelligence agencies and organised criminal gangs would be prepared to pay a large amount of money for exclusive details of just such a critical flaw, using it to steal and spy on unsuspecting targets.

With that in mind, Google has announced a hacking contest offering a $200,000 first prize to vulnerability hunters around the world if they can find a way to remotely hack an Android device knowing nothing more than its phone number or email address.

Although $200,000 is being offered to the first winning entry, there are other prizes on offer (a second prize of $100,000, a third prize of at least $50,000 offered to additional winning entries.

(Bad news if you’re a bug hunting ninja – Google says you can only win one prize)

As exploit researcher Natalie Silvanovich explains, the competition hopes to improve the security of Android:

“There are often rumours of remote Android exploits, but it’s fairly rare to see one in action. We’re hoping this contest will improve the public body of knowledge on these types of exploits. Hopefully this will teach us what components these issues can exist in, how security mitigations are bypassed and other information that could help protect against these types of bugs.”

That is, of course, all marvellous.  But it’s not all good news.

Because even if seriously vulnerabilities like those described in the competition are discovered and patched, that is no guarantee that the vast majority of Android users will be protected against them.

The availability of Android security updates depends upon the assistance and goodwill of three parties: Google itself, your device’s manufacturer and your phone carrier.  Even if you are desperate to upgrade the version of Android on your device to take advantage of the latest security patches, that decision is taken out of your hands and you can easily find yourself stranded on an out-of-date device without an easy update path.

I know it’s not always technically possible to deliver the latest and greatest version of Android to older devices, but more companies need to follow the example set by Google and Samsung in creating an easier path for updates to fix critical, newly-found vulnerabilities.

Google’s competition will run for six months, with exploits that successfully target Android Nougat on Google Nexus 5X and 6P devices eligible for entry.

Google has detailed the full rules of the competition, and how to enter, here.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.