On paper, Moto’s return to the flagship phone world with the $1,000 Edge+ seems like it’s got all the right stuff. For $200 less than a Galaxy S20+, you’re practically getting the same assortment of specs including a 6.7-inch OLED screen, Snapdragon 865 chip, 12GB of RAM (which is 4GB more than what you get from…
Security researchers are sounding the alarm over a newly discovered Android malware that targets banking apps and cryptocurrency wallets.
The malware, which researchers at security firm Cybereason recently discovered and called EventBot, masquerades as a legitimate Android app — like Adobe Flash or Microsoft Word for Android — which abuses Android’s in-built accessibility features to obtain deep access to the device’s operating system.
Once installed — either by an unsuspecting user or by a malicious person with access to a victim’s phone — the EventBot-infected fake app quietly siphons off passwords for more than 200 banking and cryptocurrency apps — including PayPal, Coinbase, CapitalOne and HSBC — and intercepts and two-factor authentication text message codes.
With a victim’s password and two-factor code, the hackers can break into bank accounts, apps and wallets, and steal a victim’s funds.
“The developer behind Eventbot has invested a lot of time and resources into creating the code, and the level of sophistication and capabilities is really high,” Assaf Dahan, head of threat research at Cybereason, told TechCrunch.
The malware quietly records every tap and key press, and can read notifications from other installed apps, giving the hackers a window into what’s happening on a victim’s device.
Over time, the malware siphons off banking and cryptocurrency app passwords back to the hackers’ server.
The researchers said that EventBot remains a work in progress. Over a period of several weeks since its discovery in March, the researchers saw the malware iteratively update every few days to include new malicious features. At one point the malware’s creators improved the encryption scheme it uses to communicate with the hackers’ server, and included a new feature that can grab a user’s device lock code, likely to allow the malware to grant itself higher privileges to the victim’s device like payments and system settings.
But while the researchers are stumped as to who is behind the campaign, their research suggests the malware is brand new.
“Thus far, we haven’t observed clear cases of copy-paste or code reuse from other malware and it seems to have been written from scratch,” said Dahan.
Android malware is not new, but it’s on the rise. Hackers and malware operators have increasingly targeted mobile users because many device owners have their banking apps, social media, and other sensitive services on their device. Google has improved Android security in recent years by screening apps in its app store and proactively blocking third-party apps to cut down on malware — with mixed results. Many malicious apps have evaded Google’s detection.
Cybereason said it has not yet seen EventBot on Android’s app store or in active use in malware campaigns, limiting the exposure to potential victims — for now.
But the researchers said users should avoid untrusted apps from third-party sites and stores, many of which don’t screen their apps for malware.
TikTok, the widely popular video sharing app developed by one of the world’s most valued startups (ByteDance), continues to grow rapidly despite suspicion from the U.S. as more people look for ways to keep themselves entertained amid the coronavirus pandemic.
The global app and its Chinese version, called Douyin, have amassed over 2 billion downloads on Google Play Store and Apple’s App Store, mobile insight firm Sensor Tower said Wednesday.
TikTok is the first app after Facebook’s marquee app, WhatsApp, Instagram, and Messenger to break past the 2 billion downloads figure since January 1 of 2014, a Sensor Tower official told TechCrunch. (Sensor Tower began its app analysis on that date.)
A number of apps from Google, the developer of Android, including Gmail and YouTube have amassed over 5 billion downloads, but they ship pre-installed on most Android smartphones and tables.
TikTok’s 2 billion download milestone, a key metric to assuage an app’s growth, comes five months after it surpassed 1.5 billion downloads.
In the quarter that ended on March 31, TikTok was downloaded 315 million times, surpassing its previous best of 205.7 million downloads in Q4 2018. Facebook’s WhatsApp, the second most popular app by volume of downloads, amassed nearly 250 million downloads in Q1 this year, Sensor Tower told TechCrunch.
As the app gains popularity, it is also clocking more revenue. Users have spent about $456.7 million on TikTok to date, up from $175 million five months ago. Much of these spendings — about 72.3% — has happened in China. Users in the United States have spent about $86.5 million on the app, making the nation the second most important market for TikTok from the revenue standpoint.
Craig Chapple, a strategist at Sensor Tower, said that not all the downloads are organic as TikTok, which launched outside of China in 2017, has engaged in a “large user acquisition campaign.” But he attributed some of the surge in downloads to the COVID-19 outbreak that has driven more people than ever to look for new apps.
India, TikTok’s largest international market, accounts for the app’s 30.3% downloads, according to Sensor Tower. The app has been downloaded 611 million times in the world’s second largest internet market.
From a platform’s stand point, 75.5% of all of TikTok’s downloads have occurred through Google Play Store. But the vast majority of spendings has come from users on Apple’s ecosystem ($435.3 million of $456 million).
With much of the U.S. still under orders to shelter in place, there’s not much to do besides stay home and binge watch streaming video. Thankfully, for people who’ve been watching a lot of Netflix on their mobile Android device, Netflix has finally made it possible to remove shows from your Continue Watching row.
Apple and Google have released the very first version of their exposure notification API, which they previously called the contact tracing API. This is a developer-focused release, and is a seed of the API in development with the primary intent of collecting feedback from developers who will be using the API to create new contract tracing and notification apps on behalf of public health agencies.
Last week, Apple CEO Tim Cook told EU Commissioner Thierry Breton that the API would be arriving shortly, and this version is indeed now available – albeit to a specific and limited group that includes select developers working on behalf of public health authorities globally, according to the companies. This is a test release that’s intended to provide the opportunity for development and feedback in advance of the API’s public release in mid-May, at which time developers will be able to use the software feature on devices with publicly available apps released through the iOS and Google software stores, respectively.
Apple and Google say they will be providing additional details this coming Friday about the API and its release, including sample code to show how it operates in practice. Both are intent on providing updates to the documentation as they become available, and in adding access to new developers throughout testing, though this will be gated because the companies are limiting access to this API to authorized public health authorities only.
Already, Apple and Google have made available documents that describe the specification in detail on its respective developer websites, and it provided an update with improvements to the tech’s functioning, including in terms of its protection of user privacy, and the ease with which developers can deploy it within their apps, as discussed during a press call last week.
This update includes an added ability for health authorities to define and calcite an exposure risk level for individuals based on their own criteria, since that varies organization to organization. This will be variable based on approximate distance of an individual to a confirmed exposed COVID-19 patient, as well as the duration of that exposure. Developers can customize notification messaging based on their defined exposure levels to ensure alerts correspond correctly to calculated risk.
Apple and Google first announced the combined API and eventual system-level contact tracing feature on April 10, and intend to release the first version of the API publicly in mid-May, with the system-level integration to follow in the coming months. The tech is designed to be privacy-preserving, ensuring that contact IDs are rotating and randomized, and never tied to an individual’s specific identifying information.
The makers of the world’s most ethical smartphone, the Fairphone 3, have teamed up for a version of the device with even less big tech on board.
The Netherlands-based device maker has partnered with France’s /e/OS to offer a ‘de-Googled’ version of its latest handset, running an Android AOSP fork out of the box that’s itself built atop a fork of CyanogenMod (remember them?) — called LineageOS (via Engadget).
“The deGoogled Fairphone 3 is most likely the first privacy conscious and sustainable phone,” runs the blurb on /e/OS’ website. “It combines a phone that cares for people and planet and an OS and apps that care for your privacy.”
A pithy explainer of its “privacy by design ecosystem” — and the point of “Android without Google” — further notes: “We have removed many pieces of code that send your personal data to remote servers without your consent. We don’t scan your data in your phone or in your cloud space, and we don’t track your location hundred times a day or collect what you’re doing with your apps.”
When the Fairphone 3 launched last September it came with Android 9 preloaded. But the company touted a post-launch update that would make it easy for buyers to wipe Google services off their slate and install the Android Open Source Project, which it recommended for advanced users.
The new /e/OS flavor offers a third OS option.
Per Engadget, Fairphone said it polled members of its community asking which alternative OS to offer and /e/OS got more votes than a number of others. The company also highlighted /e/OS’ privacy by design as a factor in the choice, lauding how it shuts down “unwanted data flows”, meaning users have more control over what their phone is doing.
The e/OS flavor of the Fairphone 3 ships from May 6, priced at just under €480 — a €30 premium on the Googley flavor of Android you get on the standard Fairphone 3.
Existing owners of Fairphone’s third gen handset can manually install /e/OS gratis via an installer on its website.
When the Fairphone 3 launched last year the company told us only around 5% of Fairphone users opt to go full open source — which suggests the /e/OS Fairphone 3 will be a niche choice for even these discerning buyers.
A number of UK computer security and privacy experts have signed an open letter raising transparency and mission creep concerns about the national approach to develop a coronavirus contacts tracing app.
The letter, signed by around 150 academics, follows a similar letter earlier this month signed by around 300 academics from across the world, who urged caution over the use of such tech tools and called for governments that choose to deploy digital contacts tracing to use privacy-preserving techniques and systems.
“We urge that the health benefits of a digital solution be analysed in depth by specialists from all relevant academic disciplines, and sufficiently proven to be of value to justify the dangers involved,” the UK academics write now, directing their attention at NHSX, the digital arm of the National Health Service which has been working on building a digital contacts tracing app since early March.
“It has been reported that NHSX is discussing an approach which records centrally the de-anonymised ID of someone who is infected and also the IDs of all those with whom the infected person has been in contact. This facility would enable (via mission creep) a form of surveillance.”
Yesterday the NHSX’s CEO, Matthew Gould, was giving evidence to the UK parliament’s Science and Technology committee. He defended the approach it’s taking — claiming the forthcoming app uses only “a measure of centralization”, and arguing that it’s a “false dichotomy” to say decentralized is privacy secure and centralized isn’t.
He went on to describe a couple of scenarios he suggested show why centralizing the data is necessary in the NHSX’s view. But in the letter the UK academics cast doubt on the validity of the central claim, writing that “we have seen conflicting advice from different groups about how much data the public health teams need“.
“We hold that the usual data protection principles should apply: collect the minimum data necessary to achieve the objective of the application,” they continue. “We hold it is vital that if you are to build the necessary trust in the application the level of data being collected is justified publicly by the public health teams demonstrating why this is truly necessary rather than simply the easiest way, or a ‘nice to have’, given the dangers involved and invasive nature of the technology.”
Europe has seen fierce debate in recent weeks over the choice of app architecture for government-backed coronavirus contacts tracing apps — with different coalitions forming to back decentralized and centralized approaches and some governments pressuring Apple over backing the opposing horse with a cross-platform API for national coronavirus contacts tracing apps it’s developing with Android-maker Google.
Most of the national apps in the works in the region are being designed to use Bluetooth proximity as a proxy for calculating infection risk — with smartphone users’ devices swapping pseudonymized identifiers when near each other. However privacy experts are concerned that centralized stores of IDs risk creating systems of state surveillance as the data could be re-identified by the authority controlling the server.
Alternative decentralized systems have been proposed, using a p2p system with IDs stored locally. Infection risk is also calculated on device, with a relay server used only to push notifications out to devices — meaning social graph data is not systematically exposed.
Although this structure does require the IDs of people who have been confirmed infected to be broadcast to other devices — meaning there’s a potential for interception and re-identification attacks at a local level.
At this stage it’s fair to say that the momentum in Europe is behind decentralized approaches for the national contacts tracing apps. Notably Germany’s government switched from previously backing a centralized approach to decentralized earlier this week, joining a number of others (including Estonia, Spain and Switzerland) — which leaves France and the UK the highest profile backers of centralized systems for now.
France is also seeing expert debate over the issue. Earlier this week a number of French academics signed a letter raising concerns about both centralized and decentralized architectures — arguing that “there should be important evidence in order to justify the risks incurred” of using any such tracking tools.
In the UK, key concerns being attached to the NHSX app are not only the risk of social graph data being centralized and reidentified by the state — but also scope/function creep.
Gould said yesterday that the app will iterate, adding that future versions could ask people to voluntarily give up more data such as their location. And while the NHSX has said use of the app will be voluntary, if multiple functions get baked in that could raise questions over the quality of the consent and whether mission creep is being used as a lever to enforce public uptake.
Another concern is that a public facing branch of the domestic spy agency, GCHQ, has also been involved in advising on the app architecture. And yesterday Gould dodged the committee’s direct questions on whether the National Cyber Security Centre (NCSC) had been involved in the decision to select a centralized architecture.
There may be more concerns on that front, too. Today the HSJ reports that health secretary Matt Hancock recently granted new powers to the UK’s intelligence agencies which mean they can require the NHS to disclose any information that relates to “the security” of the health service’s networks and information systems during the pandemic.
Such links to database-loving spooks are unlikely to quell privacy fears.
There is also concern about how involved the UK’s data watchdog has been in the detail of the app’s design process. Last week the ICO’s executive director, Simon McDougall, was reported to have told a public forum he had not seen plans for the app, although the agency put out a statement on April 24 saying it was working with NHSX “to help them ensure a high level of transparency and governance”.
Yesterday Gould also told the committee the NHSX would publish data protection impact assessments (DPIAs) for each iteration of the app, though none has yet been published.
He also said the software would be “technically” ready to launch in a few weeks’ time — but could not confirm when the code would be published for external review.
In their letter, the UK academics call on NHSX to publish a DPIA for the app “immediately”, rather than dropping it right before deployment, to allow for public debate about the implications of its use and in order that that public scrutiny can take place of the claimed security and privacy safeguards.
The academics are also calling for the unit to publicly commit to no database or databases being created that would allow de-anonymization of users of the system (other than those self reporting as infected), and which could therefore allow the data to be used for constructing users’ social graphs.
They also urge the NHSX to set out details on how the app will be phased out after the pandemic has passed — in order “to prevent mission creep”.
Asked for a commitment on the database point, an NHSX spokesman told us that’s a question for the UK’s Department of Health and Social Care and/or the NCSC — which won’t salve any privacy concerns around the governments’ wider plans for app users’ data.
We also asked when the NHSX will be publishing a DPIA for the app. At the time of writing we were still waiting for a response.
You might not give much thought to the app that snaps all those photos on your phone, but you don’t have to stick with the tool Apple or Google gives you by default—there are some fantastic third-party camera apps out there to help take your mobile photography to the next level.
The coronavirus pandemic has sent record numbers of new users to video chat apps. Now, video messaging app Marco Polo aims to capitalize on the increases it’s also seeing to launch its new subscription business, Marco Polo Plus. The service delivers a handful of new features — including support for HD video, voice-only messaging options, custom emoji, expanded speed controls and more — for $5 per month with an annual subscription of $59.99.
On a monthly basis, the service costs $10 per month.
Marco Polo had already carved out its own space on the market before the coronavirus outbreak. Instead of focusing on live video calls or group video chats, Marco Polo focuses on asynchronous communication. That is, users leave a video message for friends and family, which the other party can watch at their convenience, then reply to.
This works particularly well for people who have different work schedules or those who are spread out among various timezones. It also works for adults who have less free time to chat than the teens who virtually “hang out” in group video chat apps, like Houseparty.
With the new Marco Polo Plus subscription, the company is offering an expanded feature set that will appeal to its most frequent users. However, it will remain an optional upgrade — free users will still be able to use Marco Polo as before.
Subscribers, meanwhile, will be able to message their friends and family in HD or have the option to respond using only their voice, for those times you’re not camera-ready.
The subscription will also expand its set of built-in reaction emoji, which today includes a smiley face, sad face, heart, prayer hands, and thumbs up — to now include support for adding any emoji from your keyboard.
In addition, subscribers will have more granular control over playback speed. While free users can choose to 2x their video messages, paying users will be able to access speed control options of anywhere between 1.5x and 3x speed.
They’ll also gain a time scrubber for more easily moving to different parts of the video and a scratchpad for personal notes. The latter is especially helpful for jotting down the different parts of the message you want to respond to — something that can be hard to remember after listening to a long video.
Subscribers will be able to share their $5 per month subscription in the form of “Plus Passes” you can dole out to friends and family, as well.
Like many apps in the space, Marco Polo has seen a sizable jump in usage due to the COVID-19 pandemic, it says.
In March 2020, Marco Polo saw a 16x increase in new sign-ups for its service and a 3x increase in activity versus the prior month. In one 24-hour period in April, Marco Polo even saw a record 20 million video messages shared in its app. And its social media campaign designed at reaching out to others, #PoloTogether, resulted in over 1 million check-ins.
According to data from Sensor Tower, Marco Polo has seen nearly 56 million lifetime installs across iOS and Android since January 2014. Publicly, Marco Polo says it has “millions” of users and 3 billion messages sent to date. Across its 1.7 million user reviews on both app stores, the app averages a 4.8 rating.
The new subscription program is only one way Marco Polo is working to gain traction for its app in the coronavirus era.
The company also recently launched a program called Channels by Marco Polo into beta testing, which allows creators to reach fans through the Marco Polo platform, but via a dedicated app.
The program is aimed at those with a following — like leaders, speakers, facilitators, creators, fitness instructors, and health and career coaches — who want to offer their content to a paid membership base.
While these creators could publish to social media platforms and then try to monetize in other ways, like through ads or brand deals, Marco Polo offers a way to facilitate more private one-to-many interactions.
The advantages of this program is that the content won’t be at the mercy of changing algorithms or interrupted with ads. However, as a paid membership program, it limits exposure. That means it would likely only supplement the efforts creators made across social media to raise awareness of their offerings and their personal brand, in order to gain new subscribers.
The program is not broadly available, but is being used by a handful of testers today.
The Channels program is also aimed at helping Marco Polo generate revenue, as the company takes a 10% cut of the monthly membership fees charged by the creators.
The new Marco Polo Plus subscription service replaces an older, less feature-rich service that never gained traction. Along with the new Channels program, the company hopes stay ad-free and turn a profit.
“From the time Marco Polo was founded, we’ve never shown ads in the app. We will never use social comparisons or manipulate algorithms, as so many social networking companies must do for their business model,” explains CEO and co-founder Vlada Bortnik. “We believe that Marco Polo Plus is the best version of our app to date, and subscription is an important part of our strategy to achieve profitability. Based on our early pilot of Channels by Marco Polo, we’re optimistic that it also has the potential to contribute significantly to our monetization goals,” she continued.
“I know we can become a sustainable business in a way that feels true to our brand values of authenticity and trust,” Bortnik added.
Marco Polo’s parent company Joya Communications has raised at least $25 million in funding from investors including Benchmark, Stanford’s StartX Fund, Matrix Partners, Battery Ventures, Altos Ventures, Evolve Ventures, and others, according to Crunchbase. The company declined to comment its total raise or investor lineup, however.
