ESET researchers detail how the operators of the Stantinko botnet have expanded their toolset with a new means of profiting from computers under their control

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

A device that is supposed to help parents keep track of their children and give them a peace of mind can be turned into a surveillance device

The post Smartwatch exposes locations and other data on thousands of children appeared first on WeLiveSecurity

Black Friday and Cyber Monday are just around the corner and scammers are gearing up to flood you with bogus offers

The post 5 scams to watch out for this shopping season appeared first on WeLiveSecurity

UPbit has announced that, as a precaution, all transactions will remain suspended for at least two weeks

The post Cryptocurrency exchange loses US$50 million in apparent hack appeared first on WeLiveSecurity

ESET researchers have discovered that the criminals behind the Stantinko botnet are distributing a cryptomining module to the computers they control

The post Stantinko botnet adds cryptomining to its pool of criminal activities appeared first on WeLiveSecurity

How the field of play has changed and why endpoint protection often comes down to doing the basics, even in the face of increasingly complex threats

The post CyberwarCon – the future of nation‑state nastiness appeared first on WeLiveSecurity

ESET researchers publish their findings on Mispadu, a banking trojan targeting Brazil and Mexico, and on DePriMon, a downloader with a unique installation technique

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

Experts weigh in on whether schools should teach kids the skills they need to safely reap the benefits of the online world

The post Should cybersecurity be taught in schools? appeared first on WeLiveSecurity

The Android Security Rewards (ASR) program was created in 2015 to reward researchers who find and report security issues to help keep the Android ecosystem safe. Over the past 4 years, we have awarded over 1,800 reports, and paid out over four million dollars.

Today, we’re expanding the program and increasing reward amounts. We are introducing a top prize of $1 million for a full chain remote code execution exploit with persistence which compromises the Titan M secure element on Pixel devices. Additionally, we will be launching a specific program offering a 50% bonus for exploits found on specific developer preview versions of Android, meaning our top prize is now $1.5 million.

As mentioned in a previous blog post, in 2019 Gartner rated the Pixel 3 with Titan M as having the most “strong” ratings in the built-in security section out of all devices evaluated. This is why we’ve created a dedicated prize to reward researchers for exploits found to circumvent the secure elements protections.

In addition to exploits involving Pixel Titan M, we have added other categories of exploits to the rewards program, such as those involving data exfiltration and lockscreen bypass. These rewards go up to $500,000 depending on the exploit category. For full details, please refer to the Android Security Rewards Program Rules page.

Now that we’ve covered some of what’s new, let’s take a look back at some milestones from this year. Here are some highlights from 2019:

  • Total payouts in the last 12 months have been over $1.5 million.
  • Over 100 participating researchers have received an average reward amount of over $3,800 per finding (46% increase from last year). On average, this means we paid out over $15,000 (20% increase from last year) per researcher!
  • The top reward paid out in 2019 was $161,337.

Top Payout

The highest reward paid out to a member of the research community was for a report from Guang Gong (@oldfresher) of Alpha Lab, Qihoo 360 Technology Co. Ltd. This report detailed the first reported 1-click remote code execution exploit chain on the Pixel 3 device. Guang Gong was awarded $161,337 from the Android Security Rewards program and $40,000 by Chrome Rewards program for a total of $201,337. The $201,337 combined reward is also the highest reward for a single exploit chain across all Google VRP programs. The Chrome vulnerabilities leveraged in this report were fixed in Chrome 77.0.3865.75 and released in September, protecting users against this exploit chain.

We’d like to thank all of our researchers for contributing to the security of the Android ecosystem. If you’re interested in becoming a researcher, check out our Bughunter University for information on how to get started.

Starting today November 21, 2019 the new rewards take effect. Any reports that were submitted before November 21, 2019 will be rewarded based on the previously existing rewards table.

Happy bug hunting!

ESET researchers have discovered a new downloader with a novel, not previously seen in the wild installation technique

The post Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon appeared first on WeLiveSecurity