Google will pay hackers
Just this week, CamScanner, an app with over 100 million installs, was removed from the Play Store after it was caught spreading malware.
According to Kaspersky researchers, who discovered the issue, recent versions of CamScanner shipped with a malicious Trojan Dropper module, which extracted and ran another malicious module from an encrypted file in the app's resources.
CamScanner is far from the only example of this happening, so Google is taking increased steps to protect Android users.
Whereas the Google Play Security Reward Program (GPSRP) previously provided monetary rewards only for apps developed by Google, the initiative has now been expanded to all apps with over 100 million installs.
In a post, Google engineers Patrick Mutchler, Sebastian Porst, and Adam Bacchus wrote:
"We are increasing the scope of GPSRP to include all apps in Google Play with 100 million or more installs.
These apps are now eligible for rewards, even if the app developers don’t have their own vulnerability disclosure or bug bounty program."
Google will coordinate between the security researcher and the affected app’s developer to ensure the vulnerability is fixed in a safe and responsible manner.