Pwn2Own Chrome gets no takers; Android security gets taken

Trojanized security update undercuts Google's whole security approach


Kind of a good news/bad news day for Google and Android fans.

First, the extra $10,000 in prize money Google put up for anyone who could crack Chrome at the annual Pwn2Own contest yesterday stayed right where it was -- stuck between the seat cushions in Larry Page's private plane.

No one cracked it, but the news isn't as good as it sounds. Of the two teams that signed up to have a go at Chrome, one didn't show up and the other decided to focus on a BlackBerry vulnerability it particularly liked for a later cracking event.

Safari and Internet Explorer, on the other hand, went down to their first challengers.

The Pwn2Own contest isn't a hacker melee, like most of the contests at conferences like Black Hat.

Rather than replicating the Internet by sic'ing everyone on the same target at once, Pwn2Own requires teams to sign up ahead of time and "freezes" the code to be cracked two weeks ahead of time so vendors can't slip in patches at the last second to foil impending pwnership.

HP's TippingPoint security unit sponsors the contest and puts up $10,000 prizes for each successful Pwner; Google added an additional $10K as incentive.


Maybe it should do the same for Android, which has been getting hammered by malware and crackers lately.


If you want to tell a really good lie, start with the truth and change it a little to do what you want.

That, at least, was the approach taken by malware authors who put out what may be the cleverest Android malware attack so far -- one that appears to come from Google to make Android more secure.

It's a faked version of a real anti-malware release from Google called the "Android Market Security Tool" that is designed to fix changes caused by the Android.Rootcager virus.

According to Symantec, which discovered it on an unregulated Chinese software site, the "trojanized" version of the tool uses the same name as the original, installs itself, and sends SMS messages to a command-and-control server at this address: hxxp://
