Tech giant Google has paid out a record $112,500 to Qihoo 360's Guang Gong, the highest amount ever paid to an individual in the Android Security Rewards program, for his discovery of a critical remote exploit chain that affected Google Pixel devices. Gong's payout came in two parts: $105,000 from the Android Security Rewards program and $7,500 from the Chrome Rewards program. The exploit chain, found by Gong with help from the Alpha Team he works with at Qihoo 360, is the first of its kind reported since the Android Security Rewards program started in 2015. It was submitted in time to be included in the December 5 Android Security Bulletin, so any device with that patch level or newer should be protected. Because of this, Google can now release the exploit's details to the public with some expectation of user safety.
This exploit chain is notable in that it crosses two entirely different components. The first bug, CVE-2017-5116, gives remote code execution inside the sandbox that Chrome creates for running web content. It is important to note that this bug did not require users to run anything explicitly; merely visiting a malicious HTML web page was enough. On its own, it would be far less harmful. The danger comes when it is used against a version of Chrome running on Android, where the second bug, CVE-2017-14904, comes into play. This one takes advantage of a security hole in the libgralloc module, which is normally supposed to let Android apps reuse code and assets after they have been used once and released from immediate allocations. Together, these two bugs could allow an attacker to execute whatever code they wish on an affected device.
This exploit chain involved several different layers in both the app and the operating system, making it one of the more complicated vulnerabilities out there as far as discovery and patching go. Google's internal team had not discovered the flaw, and likely would not have if left to work on its own. Cases like this are exactly why Google introduced programs that pay security researchers for helping to find bugs in its products.