This isn't really the main focus of the article, but I find this really interesting. There are teams of full-time Chinese researchers looking for and reporting vulnerabilities in Android? Are they doing this to win the bug bounties? If so, it sounds like Google's bug bounty program is really paying off.
My guess is they're either working for the bug bounties, or they're employed by a company that uses Android extensively and wants to make sure it's secure.
Being China, it's also possible that the Chinese government indirectly or directly sponsors this research, since Android is by far the most common smartphone OS there.
edit: C0RE Team [1], who also has many contributions, seems to be an independent research company, who may be doing it just for the bounties.
[0] https://source.android.com/security/overview/acknowledgement...
Sometimes infosec seems the most dreadful field.
https://www.reuters.com/article/us-bitfinex-hacked-hongkong/...
If you're a world class exploit developer working full time, expect to earn a few hundred million $ per year.
Of course there exists a whole industry full of people that'll offer you silly 6 digit salaries.
https://www.bloomberg.com/gadfly/articles/2017-02-06/google-...
This has created a strange ecosystem for app stores in China, which depend on vulnerability exploitation in varying degrees for installation privileges.
Maybe some of the work is dual use, but the primary motivation for funding this kind of vuln discovery and exploit development seems to have been App Store ecosystem development in China.
Can you explain that a bit more? 3rd party app stores are legitimate on Android, so why would they depend on vulnerability exploitation?
I hope you are being sarcastic; guess again!
It draws public attention to an issue better than any CVE-2017-XXXXX would do.
No, keep it up. Dictionary words are far easier to remember than specific numbers.
I can't speak for what the value-add is there, but I don't see any harm from it.
The exploits, I'd bet, are still in the human-written weird stuff and not unfolded loops and boring setters/getters.
I expect to see drastically more work into IoT devices once tooling and knowledge sharing gets better. A lot of the articles right now begin and end with binwalk. Great tool but that's just the start.
The only hard part of embedded work is that it's really, really difficult to collaborate with anyone as VR is always filled with incredible drama and the talent pool of individuals willing to work on this (for free) with the prerequisite knowledge is almost non-existent.
Good luck. And thanks for not coming out with another media campaign first and interesting research second.