Google wants you to hack Play Store apps, and it’s paying

Google’s had a rough summer, polluted-apps-wise.

Less than 24 hours after the launch of Android Oreo in August this year – the latest update to its mobile operating system – Google had to pull some 500 apps from its Play Store.

It’s not that all the apps themselves were malicious. Rather, they all used a software development kit (SDK) called Igexin that could, among other things, spy on victims by latching onto otherwise benign apps and downloading malicious plugins. But more to the point, a lot of people picked up a case of Yuck in Google Play. By the time Google scrubbed them, the apps had been downloaded more than 100 million times.

When SophosLabs dived into Google Play to see what sort of nastiness they could pull out, researchers found at least five types of Play Store malware in August 2017 alone, including spyware, banking bots and aggressive adware. Thousands of apps contained these malicious payloads and had infected millions of users.

Google Play isn’t the only Google marketplace that’s been having some trouble with dodgy third-party code.

Earlier in October, Google was also embarrassed when a fake adblocker – one that posed as the massively popular Adblock Plus – wound up sneaking past its security checks, weaseling its way into the Chrome Web Store, Google’s site for third-party Chrome browser add-ons.

The “adblocker” turned out not to be an adblocker at all. Rather, ironically enough, it was adware. It served ads. To people who wanted to block ads.

You can imagine Google gnashing its Googley teeth over that one. At the time, it said it had plans to improve the vetting of its browser extensions:

This app was able to slip through the cracks, but we’ve identified the reason and are addressing it.

More broadly, we wanted to acknowledge that we know the issue spans beyond this single app. We can’t go into details publicly about solutions we are currently considering, but we wanted to let the community know that we are working on it…

Of course, these problems aren’t unique to Google; they turn up everywhere vendors provide walled garden access to apps, plugins, add-ons or whatever else they call the bits of somebody else’s code you can use to extend their products.

In most cases the security of a walled garden beats not having a walled garden, but keeping the bad stuff out is an ongoing and evolving struggle.

Google’s latest tactic to clean up Dodge is putting its money where its mouth is. It announced on Thursday that it’s launching a bug bounty program for qualifying vulnerabilities found in specific Play Store apps.

Google is partnering with HackerOne, a bug bounty program management website, to offer a bonus of $1000 for developers of popular Android apps who find qualifying vulnerabilities.

The Google Play Security Reward Program page on HackerOne shows which apps are eligible. At this point, the list includes popular apps such as Alibaba, Dropbox, Snapchat and Tinder. Google says that as more developers opt in, more apps will be listed.

In addition to third-party apps, Google is including its own apps.

Vineet Buch, director of product management for Google Play Apps and Games, said in an interview with Reuters that automatic software scans just can’t match a person’s ability to discover “a truly creative hack.”

Why should Google reach into its own pocket to pay for fixes to third-party apps? Because they’re mucking up the whole space, Buch said:

We don’t just care about our own apps, but rather the overall health of the ecosystem. It’s like offering a reward for a missing person even if you don’t know who the missing person is personally.