We decided to work together on a single problem for a week, and see how much progress we could make on the Samsung device. To get our competitive spirits going, we decided to have a contest between the North American and European members of Project Zero, with a few extra participants from other
Google security teams to make the teams even, giving a total of five participants on each side.
Each team worked on three challenges, which we feel are representative of the security boundaries of
Android that are typically attacked. They could also be considered components of an exploit chain that escalates to kernel privileges from a remote or local starting point.
Gain remote access to contacts, photos and messages. More points were given for attacks that don’t require user interaction, and required fewer device identifiers.
Gain access to contacts, photos, geolocation, etc. from an application installed from Play with no permissions
Persist code execution across a device wipe, using the access gained in parts 1 or 2
A week later, we had the results! A total of 11 issues were found in the Samsung device.
