An Android banking malware named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges. From a report: The malware generates login screens overlaid on top of the banking and crypto exchange apps' login forms when victims attempt to log in to the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.

The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defenses. ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then. Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play.

Esper: The world's biggest tech companies have lost confidence in one of the Internet's behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products. Starting in Chrome version 111 for desktops, the browser will no longer trust certificates issued by TrustCor Systems. The same change is coming to Android, but unlike Chrome for desktops, Android's root certificate store can't be updated independently of the OS, meaning it'll take some time for the certificate changes to roll out. Thankfully, that may no longer be the case in Android 14, as Google is preparing to implement updatable root certificates in the next release.

Tumblr is adding support for livestreaming via the video platform Livebox. The Verge reports: Tumblr has supported streaming in the past, but it did so by letting people share streams from other services like YouNow and YouTube. The new option is described as a native Tumblr streaming service powered by Livebox. (Livebox is operated by the Meet Group, a subsidiary of the dating app company ParshipMeet Group.) Livebox allows users to tip streamers, and by the same token, Tumblr will let you pay creators in a virtual currency called "Diamonds." Livebox provides AI- and human-powered moderation for streams, according to a press release; the service also lets streamers designate trusted viewers as moderators. The streaming service is so far only supported for people's primary Tumblr blog, not any side blogs under the same account.

The feature is being rolled out to US users on iOS and Android now, and a release for global users and the desktop site is planned for the future. More details are outlined in a blog post, which dubs the service Tumblr Live.

A little-known phone monitoring app called Xnspy has stolen data from tens of thousands of iPhones and Android devices, the majority whose owners are unaware that their data has been compromised. From a report: Xnspy is one of many so-called stalkerware apps sold under the guise of allowing a parent to monitor their child's activities, but are explicitly marketed for spying on a spouse or domestic partner's devices without their permission. Its website boasts, "to catch a cheating spouse, you need Xnspy on your side," and, "Xnspy makes reporting and data extraction simple for you."

Stalkerware apps, also known as spouseware, are surreptitiously planted by someone with physical access to a person's phone, bypassing the on-device security protections, and are designed to stay hidden from home screens, which makes them difficult to detect. Once installed, these apps will silently and continually upload the contents of a person's phone, including their call records, text messages, photos, browsing history and precise location data, allowing the person who planted the app near-complete access to their victim's data. But new findings show many stalkerware apps are riddled with security flaws and are exposing the data stolen from victims' phones. Xnspy is no different.

Recently the EU voted to require tech companies like Apple to standardize on USB-C charging ports.

A CNN opinion piece calls this "a hallelujah moment for iPhone owners everywhere." iPhone cords are a very big business: There are reportedly about 1.2 billion active iPhones out in the wild. And if their charging cables need to be replaced once or twice a year as many users attest, at roughly $20 a pop, well, you could just about buy a Twitter a year for that sum.... While the new edict only directly applies to devices sold in the EU, India looks set to follow in Europe's footsteps....

[T]he move is almost certain to serve as the push that gets Apple to finally abandon its bespoke-battery-booster approach for future versions of the world's most popular smartphone. Even Greg Joswiak, the company's global head of marketing, admitted that the EU standardization push means the lifespan of Apple Lightning charging cables is likely finally over. And right on time, given that ten years ago Apple called it the "cable standard for the next decade...." It might even dilute some of the tribal tension between iPhone and Android users, assuming the latter don't lord over us the fact that most of them have already been charging with C for half a decade. (We still have our blue message bubbles, greenies!)

And it might generally reduce the temptation among tech companies, chief among them Apple, to "innovate" by introducing proprietary parts that regularly force an entire domino cascade of costly upgrades. (The fact that every new iPhone seems to be a random millimeter different in size and shape in each direction already means that brand new cases, cradles and screen protectors have to be repurchased along with new handsets, all for the privilege of a few hundred pixels of fresh real estate.) While that process may offer a welcome cash stimulus to the peripherals and accessories industry, it contributes to the massive environmental burden caused by e-waste, estimated at about 60 million tons a year — an amount heavier than the world's heaviest man-made object, the Great Wall of China.

schwit1 shares a report from Popular Science: [T]wo women filed a potential class action lawsuit against Apple, alleging the company has ignored critics' and security experts' repeated warnings that the company's AirTag devices are being repeatedly used to stalk and harass people. Both individuals were targets of past abuse from ex-partners and argued in the filing that Apple's subsequent safeguard solutions remain wholly inadequate for consumers. "With a price point of just $29, it has become the weapon of choice of stalkers and abusers," reads a portion of the lawsuit, as The New York Times reported [...].

Apple first debuted AirTags in April 2021. Within the ensuing eight months, at least 150 police reports from just eight precincts reviewed by Motherboard explicitly mentioned abusers utilizing the tracking devices to stalk and harass women. In the new lawsuit, plaintiffs allege that one woman's abuser hid the location devices within her car's wheel well. At the same time, the other woman's abuser placed one in their child's backpack following a contentious divorce, according to the suit. Security experts have since cautioned that hundreds more similar situations likely remain unreported or even undetected.

The lawsuit (PDF), published by Ars Technica, cites them as "one of the products that has revolutionized the scope, breadth, and ease of location-based stalking," arguing that "what separates the AirTag from any competitor product is its unparalleled accuracy, ease of use (it fits seamlessly into Apple's existing suite of products), and affordability." The proposed class action lawsuit seeks unspecified damages for owners of iOS or Android devices which have been tracked with an AirTag or are at risk of being stalked. Since AirTags' introduction last year, at least two murders have occurred directly involving using Apple's surveillance gadget, according to the lawsuit.

An anonymous reader quotes a report from Ars Technica: Following Google's beta rollout of the feature in October, passkeys are now hitting Chrome stable M108. "Passkey" is built on industry standards and backed by all the big platform vendors -- Google, Apple, Microsoft -- along with the FIDO Alliance. Google's latest blog says: "With the latest version of Chrome, we're enabling passkeys on Windows 11, macOS, and Android." The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign-in to something with a passkey. [...]

Now that this is actually up and running on Chrome 108 and a supported OS, you should be able to see the passkey screen under the "autofill" section of the Chrome settings (or try pasting chrome://settings/passkeys into the address bar). Next up we'll need more websites and services to actually support using a passkey instead of a password to sign in. Google Account support would be a good first step -- right now you can use a passkey for two-factor authentication with Google, but you can't replace your password yet. Everyone's go-to example of passkeys is the passkeys.io demo site, which we have a walkthrough of here.

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada. They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital. BleepingComputer reports: Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday. They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. This brings the first two days of Pwn2Own total to $681,250 awarded for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed. The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

Lukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. From a report: The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets. [...] Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter. As he explains, having an app grab the same UID as the Android system isn't quite root access, but it's close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone. Imagine a more evil version of Google Play Services, and you get the idea.

Last year, Google announced Android Open Source Project (AOSP) support for Rust, and today the company provided an update, while highlighting the decline in memory safety vulnerabilities. 9to5Google reports: Google says the "number of memory safety vulnerabilities have dropped considerably over the past few years/releases."; Specifically, the number of annual memory safety vulnerabilities fell from 223 to 85 between 2019 and 2022. They are now 35% of Android's total vulnerabilities versus 76% four years ago. In fact, "2022 is the first year where memory safety vulnerabilities do not represent a majority of Android's vulnerabilities."

That count is for "vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through our vulnerability rewards program (VRP) and vulnerabilities reported internally." During that period, the amount of new memory-unsafe code entering Android has decreased: "Android 13 is the first Android release where a majority of new code added to the release is in a memory safe language. "

Rust makes up 21% of all new native code in Android 13, including the Ultra-wideband (UWB) stack, DNS-over-HTTP3, Keystore2, Android's Virtualization framework (AVF), and "various other components and their open source dependencies." Google considers it significant that there have been "zero memory safety vulnerabilities discovered in Android's Rust code" so far across Android 12 and 13. Google's blog post today also talks about non-memory-safety vulnerabilities, and its future plans: "... We're implementing userspace HALs in Rust. We're adding support for Rust in Trusted Applications. We've migrated VM firmware in the Android Virtualization Framework to Rust. With support for Rust landing in Linux 6.1 we're excited to bring memory-safety to the kernel, starting with kernel drivers.

Google will take its appeal of the record $4.5 billion European Union antitrust fine over its dominance in the Android mobile market to the bloc's top court. From a report: The penalty hits at the heart of the US tech giant's power over the Android mobile-phone ecosystem, and in September judges at a lower court mostly sided with the European Commission's arguments but reduced the overall fine to $4.3 billion.

Android OEMs still don't provide the six years of updates you get with Apple phones, but some manufacturers are trying to close that gap. From a report: OnePlus is adding an extra year to its smartphone update promise and is now offering four years of major OS updates and five years of security updates. Timeline-wise, this plan matches Samsung's, though Samsung offers monthly security updates and OnePlus doesn't. The company is still only promising security updates every other month, so it can't do too much bragging. Android-maker Google -- who you'd think would have the best update plan -- is in a distant third, with only three years of OS updates and five years of security updates.

For the last thirteen years the Free Software Foundation has published its Ethical Tech Giving Guide, notes a recent FSF blog post. "The right to determine what a device you've purchased does or doesn't do is something too valuable to lose."

Or, as they put it in the guide: It's time to reclaim our freedom from the abuse of multinational corporations, who use proprietary software and malicious "antifeatures" to keep us powerless, dependent, and surveilled by the devices that we use. There's no time at which it's more important to turn these unfortunate facts into positive action than the holiday season.

The gifts that we recommend here might not be making headlines, but they're the rare exception to the apparent rule that devices should mistreat their users.
For technical users, the guide recommends pairing the FSF-sponsored Replicant, a fully-free distribution of Android, with the F-Droid app repository, which has hundreds of applications including Syncthing, Tor, Minetest, and Termux.

They also praise the X200 laptop, "one of the few home user devices that's able to run fully free software from top to bottom." With easy-to-repair hardware, it's the laptop most frequently used in the FSF's own office — just one of several freedom-respecting devices from Vikings. And there's shout-outs to MNT's Reform laptop, products from PINE64 and Purism, plus a freedom-respecting VPN, and a mini wifi adapter .

The guide even recommends places to buy DRM-free ebooks, including No Starch Press, Smashwords, Leanpub, Standard Ebooks, Nantucket E-Books, Libreture (which also offers a storage solution). Meanwhile for print books, there's the Gnu Press Shop

And it also recommends sources for DRM-free music (including Bandcamp, Emusic, the Smithsonian Institute's Folkways, the classic punk label Dischord, HDTracks, and Mutopia).

And it also tells you where to find free (as in freedom) films...

Google has disclosed several security flaws for phones that have Mali GPUs, such as those with Exynos chipsets. From a report: The company's Project Zero team says it flagged the problems to ARM (which produces the GPUs) back in the summer. ARM resolved the issues on its end in July and August. However, smartphone manufacturers including Samsung, Xiaomi, Oppo and Google itself hadn't deployed patches to fix the vulnerabilities as of earlier this week, Project Zero said.

Researchers identified five new issues in June and July and promptly flagged them to ARM. "One of these issues led to kernel memory corruption, one led to physical memory addresses being disclosed to userspace and the remaining three led to a physical page use-after-free condition," Project Zero's Ian Beer wrote in a blog post. "These would enable an attacker to continue to read and write physical pages after they had been returned to the system." Beer noted that it would be possible for a hacker to gain full access to a system as they'd be able to bypass the permissions model on Android and gain "broad access" to a user's data. The attacker could do so by forcing the kernel to reuse the afore-mentioned physical pages as page tables.

Frederick P. Brooks Jr., whose innovative work in computer design and software engineering helped shape the field of computer science, died on Thursday at his home in Chapel Hill, N.C. He was 91. His death was confirmed by his son, Roger, who said Dr. Brooks had been in declining health since having a stroke two years ago. The New York Times reports: Dr. Brooks had a wide-ranging career that included creating the computer science department at the University of North Carolina and leading influential research in computer graphics and virtual reality. But he is best known for being one of the technical leaders of IBM's 360 computer project in the 1960s. At a time when smaller rivals like Burroughs, Univac and NCR were making inroads, it was a hugely ambitious undertaking. Fortune magazine, in an article with the headline "IBM's $5,000,000,000 Gamble," described it as a "bet the company" venture.

Until the 360, each model of computer had its own bespoke hardware design. That required engineers to overhaul their software programs to run on every new machine that was introduced. But IBM promised to eliminate that costly, repetitive labor with an approach championed by Dr. Brooks, a young engineering star at the company, and a few colleagues. In April 1964, IBM announced the 360 as a family of six compatible computers. Programs written for one 360 model could run on the others, without the need to rewrite software, as customers moved from smaller to larger computers. The shared design across several machines was described in a paper, written by Dr. Brooks and his colleagues Gene Amdahl and Gerrit Blaauw, titled "Architecture of the IBM System/360." "That was a breakthrough in computer architecture that Fred Brooks led," Richard Sites, a computer designer who studied under Dr. Brooks, said in an interview.

But there was a problem. The software needed to deliver on the IBM promise of compatibility across machines and the capability to run multiple programs at once was not ready, as it proved to be a far more daunting challenge than anticipated. Operating system software is often described as the command and control system of a computer. The OS/360 was a forerunner of Microsoft's Windows, Apple's iOS and Google's Android. At the time IBM made the 360 announcement, Dr. Brooks was just 33 and headed for academia. He had agreed to return to North Carolina, where he grew up, and start a computer science department at Chapel Hill. But Thomas Watson Jr., the president of IBM, asked him to stay on for another year to tackle the company's software troubles. Dr. Brooks agreed, and eventually the OS/360 problems were sorted out. The 360 project turned out to be an enormous success, cementing the company's dominance of the computer market into the 1980s. "Fred Brooks was a brilliant scientist who changed computing," Arvind Krishna, IBM's chief executive and himself a computer scientist, said in a statement. "We are indebted to him for his pioneering contributions to the industry."

Dr. Brooks published a book in 1975 titled, "The Mythical Man-Month: Essays on Software Engineering." It was "a quirky classic, selling briskly year after year and routinely cited as gospel by computer scientists," reports the Times.

Longtime Slashdot reader BenFenner writes: While Chromium recently abandoned the JPEG-XL format (to much discussion on the feature request), it seems the Pale Moon browser quietly became the first to release support for the much-awaited image format. For those unfamiliar with Pale Moon, it is a Goanna-based web browser available for Windows, Linux and Android, focusing on efficiency and ease of use. Pale Moon 31.4.0 also adds support for MacOS 13 "Ventura" and addresses a number of performance- and security-related issues. A full list of the changes/fixes are available in the release notes.

Support for JPEG-XL was confirmed on GitHub.

An anonymous reader quotes a report from Ars Technica: Google announced that Android's space-saving app file format, Android App Bundles (AABs), will finally be the standard on Android TV. By May 2023 -- that's in six months -- Google will require all Android TV apps to switch to the new file format, which can cut down on app storage requirements by 20 percent.

Android App Bundles were announced with Android 9 in 2018 as a way to save device storage by breaking an app up into modules, rather than one big monolithic APK (the old Android app format) with every possible piece of data. Android apps support a ton of different languages, display resolutions, and CPU architectures, but each individual device only needs to cherry-pick a few of those options to work. Android App Bundles integrate with the Play Store to create a dynamic delivery system for each module. Your phone communicates which modules it needs to the Play Store, and Google's servers bundled up an appropriate package and sent it to your device. It's even possible for developers to move some lesser-used app functionality into a bundle that can be downloaded on the fly if a user needs it. [...]

Google says Android App Bundles average around a 20 percent space savings compared to a monolithic APK, which will be a huge help for these storage-starved devices. Since 2021, they have been the required standard for phones and tablets, and in six months, TV apps will be required to use them, too. Developers who don't switch in time will have their TV apps hidden from search, so they'd better get to work! Google estimates that "in most cases it will take one engineer about three days to migrate."

The UK's antitrust watchdog has moved to deepen its scrutiny of the Apple and Google mobile duopoly -- kicking off an in-depth investigation into elements of the pair's mobile ecosystem dominance by probing their approach toward rival mobile browsers and cloud gaming services which it's concerned could be restricting competition and harming consumers. From a report: The move follows a market study conducted by the Competition and Markets Authority (CMA) last year that led to a final report this summer which concluded there are substantial competition concerns -- with the regulator finding the tech giants have what it described as "an effective duopoly on mobile ecosystems that allows them to exercise a stranglehold over operating systems, app stores and web browsers on mobile devices."

At the same time, the CMA proposed to undertake what's known as a market investigation reference (MIR) with two points of focus: One looking at Apple's and Google's market power in mobile browsers; and another probing Apple's restrictions on cloud gaming through its App Store. That proposal for an MIR kicked off a standard consultation process, with the regulator seeking feedback on the scope of its proposed probe, and today it's confirmed the decision to make a market investigation -- opening what's referred to as a 'Phase 2' (in-depth) investigation which could take up to 18 months to complete. The probe will focus on the supply of mobile browsers and browser engines; and the distribution of cloud gaming services through app stores on mobile devices, the CMA said today.

An anonymous reader quotes a report from CNET: Fortnite developer Epic Games said Google paid the equivalent of $360 million to Call of Duty developer Activision Blizzard as part of a broad agreement that included a promise the gaming giant would not create a rival app store. The move, Epic said, helped solidify Google's hold on phones and tablets powered by its Android software. In the filing, newly unredacted Thursday, Epic said Google paid other developers in a similar way to Activision. Epic cited an agreement Google struck with Tencent, the Chinese company that owns League of Legends developer Riot Games, giving it about $30 million over one year. Like Activision, that money too was part of a larger agreement for Riot to maintain its Google-powered games and spend money promoting them as part of Android.

Google and Activision Blizzard both denied Epic's allegations about competing app stores. Google said the agreements are designed to provide incentives for developers to create apps for Google Play. "Epic is mischaracterizing business conversations," a Google spokesperson said in a statement. "It does not prevent developers from creating competing app stores, as Epic falsely alleges." Activision, for its part, said Google never "asked us, pressured us, or made us agree not to compete with Google Play." Activision is in the midst of being acquired by software giant Microsoft for $68.7 billion. [...] The filing is the latest allegation in Epic's ongoing lawsuit against Google, which it accuses of operating a monopoly with Google Play, which sells apps for Android. Epic's ongoing lawsuit is similar to another battle it's waging against Apple and its App Store over similar concerns of monopolistic practices. In both cases, Epic is pushing the companies to reduce the control they exert over their respective platforms, both in terms of how phone and tablet owners pay for apps and where to download them from.

It's unclear whether Epic's argument that Google paid developers to not compete will win in an eventual court case. Epic said in its complaint that "Google understood" the agreement would mean that Activision would "abandon its plans to launch a competing app store, and Google intended this result." But Armin Zerza, now Activision Blizzard's finance chief, said in one of the court filings that the company chose not to launch a rival app store because of the risk of failure, in addition to costs for development and marketing. When asked about entering a deal with Google that "accomplished your objectives," Zerza said that the Activision Blizzard board approved a deal with the Android maker because it "created multi-hundred-million dollars of value for us across multiple ecosystems." If Activision is ultimately purchased by Microsoft though, it may end up helping create an app store after all. Microsoft told regulators in October that it intends to build its own mobile app store to rival Google and Apple. Activision's deep library of popular games, including Candy Crush Saga and World of Warcraft, will be a key part of that effort. "Epic's allegations are nonsense," an Activision representative said in a statement sent to PC Gamer. "We can confirm that Google never asked us, pressured us, or made us agree not to compete with Google Play -- and we've already submitted documents and testimony that prove this."

Google announced today that it's introducing a slew of new Maps, Search and Shopping features. The company revealed a majority of the new features during its Search On event in September and is now starting to roll them out to users. TechCrunch reports: Search
Starting today, users will be able to use Search to find their favorite dish at a restaurant near them. For example, you can search "truffle mac and cheese near me" to see which nearby restaurants carry the dish on their menu. Once you find a specific dish that you're looking for, you can get more information about its price, ingredients and more. Another new Search functionality lets you use Google's multisearch feature to find specific food near you. Say you see something tasty-looking online, but don't know what it is or where to find it. You can now use Lens in the Google app for Android or iOS to snap a picture or take a screenshot of a dish and add the words "near me" to find a place that sells it nearby. Later this year, Google is going roll out an update to its Lens AR Translate capabilities so users can more seamlessly translate text on complex backgrounds. Instead of covering up the original text like it currently does, Google is going to erase the text and re-create the pixels underneath with an AI-generated background, and then overlay the translated text on top of the image.

Maps
As for the new Maps features, Google is launching a new visual search experience called Live View in London, Los Angeles, New York, Paris, San Francisco and Tokyo. [...] In addition to displaying information about where places are, users will be able to see key information about each spot overlaid, such as whether the location is busy, if its open, what the price range is, etc. Another new Maps feature makes it easier for EV owners to find the best charging station for their vehicle. Now, you can search for "EV charging stations" and select the "fast charge" filter. You can also filter for stations that offer your EV's plug type. Google also announced that it's expanding its "accessible places" feature globally after initially launching it in the U.S., Australia, Japan and the U.K. in 2020. The feature is designed to help people determine whether a place is wheelchair accessible.

Shopping
Google has announced a new AR shopping feature that is designed to make it easier to find your exact foundation match. The company says its new photo library features 148 models representing a diverse spectrum of skin tones, ages, genders, face shapes, ethnicities and skin types. As a result, it should be easier for shoppers to better visualize what different products will look like on them. [...] Users can now also shop for shoes using AR.