Google’s penchant for publicly calling out the security failures of other vendors has recently come back to haunt it, as two IT industry rivals have sounded the alarm about two of the search giant’s online services.
This week Symantec and Microsoft—companies that Google has previously cited for security vulnerabilities—issued disclosures of their own about problems they discovered in Google’s products and services.
In a blog post on Oct. 18, Symantec said it had found at least eight Android applications on Google Play that were infected with a malware family dubbed Sockbot, which is designed to add compromised devices to a botnet.
The applications purported to help users modify the appearance of characters in the Minecraft Pocket Edition video game. But once users installed the apps, they would silently connect to a remote malicious server and add the device to a botnet that, among other things, could be used to launch distributed denial of service attacks, the security vendor said.
Between 600,000 and 2.6 million users primarily in the United States and to a lesser extent in Russia, Germany, Brazil and Ukraine may have downloaded the malware on their devices, the security vendor said. Google has removed the applications after Symantec informed the company about the issue.
The disclosure is the latest in a string of similar warnings that multiple security vendors have issued just this year about malware on Google’s supposedly secure mobile app store.
In September, Check Point and Trend Micro issued separate advisories about finding dozens of Android applications on Google Play that were infected with different kinds of malware. Zscaler and PhishLabs made similar disclosures in April, Palo Alto Networks did the same in March, and Check Point did so again in May.
Google has touted several measures it has implemented to detect and block malicious applications on Google Play and to prevent them from running on Android devices. But the continuing ability of threat actors to get their malware on Google’s app store and infect millions of Android devices suggests the company’s work in this regard is still in progress.
In what appears to be a new attempt to address the issue, Google on Oct. 19 announced a bug bounty program that will reward selected security researchers up to $1,000 for finding certain types of vulnerabilities in Android apps.
The “Google Play Security Reward Program” is designed to motivate security research into popular Android apps on Google Play, the company announced Thursday. The developers of popular Android applications on Google Play are being asked to opt in to the program and to allow security researchers to probe their software for certain vulnerabilities. Bug bounty coordinating firm HackerOne will manage the new program.
Meanwhile, in a separate and lengthy post on the Windows Security Blog on Oct. 18, a member of Microsoft’s security team described the team’s discovery of a remote code execution vulnerability in Chrome and chided Google for its handling of the disclosure. “We responsibly disclosed the vulnerability that we discovered along with a reliable [Remote Code Execution] exploit to Google on September 14, 2017,” wrote Jordan Rabet, a member of the Microsoft security team.
A fix for the problem was available in a beta version of Chrome within four days. But Google then made the source code for the fix publicly available in its GitHub repository before the fix had been pushed to Chrome users. “In this specific case, the stable channel of Chrome remained vulnerable for nearly a month after that commit was pushed to [GitHub]. That is more than enough time for an attacker to exploit it,” Rabet said.
Microsoft and Google have had at least one previous public run-in over bug disclosures. In October 2016 Google security researchers publicly disclosed the details of a zero-day bug in Windows before Microsoft had released a patch for it.
At the time, Google’s security team said it had decided to do so—after giving Microsoft seven days to fix the issue—because the bug was already being actively exploited. Microsoft called that decision “disappointing” and criticized Google for not following responsible disclosure policies.
In an apparent reference to that incident, Rabet this week noted: “Our strategies may differ, but we believe in collaborating across the security industry in order to help protect customers.”