At the Snapdragon Tech Summit 2021 yesterday, Qualcomm introduced their new always-on camera capabilities in the Snapdragon 8 Gen 1 processor, which is expected to arrive in high-end Android phones early next year. The company says this new feature will let users wake and unlock their phone without having to pick it up or have it instantly lock when it no longer sees their face. Even though Judd Heape, Qualcomm Technologies vice president of product management, said that the "always-on camera data never leaves the secure sensing hub while it's looking for faces," it raises a serious privacy concern that "far outweighs any potential convenience benefits," argues The Verge's Dan Seifert. From the report: Qualcomm is framing the always-on camera as similar to the always-on microphones that have been in our phones for years. Those are used to listen for voice commands like "Hey Siri" or "Hey Google" (or lol, "Hi Bixby") and then wake up the phone and provide a response, all without you having to touch or pick up the phone. But the key difference is that they are listening for specific wake words and are often limited with what they can do until you do actually pick up your phone and unlock it. It feels a bit different when it's a camera that's always scanning for your likeness.

It's true that smart home products already have features like this. Google's Nest Hub Max uses its camera to recognize your face when you walk up to it and greet you with personal information like your calendar. Home security cameras and video doorbells are constantly on, looking for activity or even specific faces. But those devices are in your home, not always carried with you everywhere you go, and generally don't have your most private information stored on them, like your phone does. They also frequently have features like physical shutters to block the camera or intelligent modes to disable recording when you're home and only resume it when you aren't. It's hard to imagine any phone manufacturer putting a physical shutter on the front of their slim and sleek flagship smartphone.

Lastly, there have been many reports of security breaches and social engineering hacks to enable smart home cameras when they aren't supposed to be on and then send that feed to remote servers, all without the knowledge of the homeowner. Modern smartphone operating systems now do a good job of telling you when an app is accessing your camera or microphone while you're using the device, but it's not clear how they'd be able to inform you of a rogue app tapping into the always-on camera. [...] But even if it's not found in every phone next year, the mere presence of the feature means that it will be used by someone at some point. It sets a precedent that is unsettling and uncomfortable; Qualcomm may be the first with this capability, but it won't be long before other companies add it in the race to keep up. Maybe we'll just start having to put tape on our smartphone cameras like we already do with laptop webcams.

Over 300,000 Android smartphone users have downloaded what turned out to be banking trojans after falling victim to malware that has bypassed detection by the Google Play app store. ZDNet reports: Detailed by cybersecurity researchers at ThreatFabric, the four different forms of malware are delivered to victims via malicious versions of commonly downloaded applications, including document scanners, QR code readers, fitness monitors and cryptocurrency apps. The apps often come with the functions that are advertised in order to avoid users getting suspicious. In each case, the malicious intent of the app is hidden and the process of delivering the malware only begins once the app has been installed, enabling them to bypass Play Store detections.

The most prolific of the four malware families is Anatsa, which has been installed by over 200,000 Android users -- researchers describe it as an "advanced" banking trojan that can steal usernames and passwords, and uses accessibility logging to capture everything shown on the user's screen, while a keylogger allows attackers to record all information entered into the phone. [...] The second most prolific of the malware families detailed by researchers at ThreatFabric is Alien, an Android banking trojan that can also steal two-factor authentication capabilities and which has been active for over a year. The malware has received 95,000 installations via malicious apps in the Play Store. [...] The other two forms of malware that have been dropped using similar methods in recent months are Hydra and Ermac, which have a combined total of at least 15,000 downloads. ThreatFabric has linked Hydra and Ermac to Brunhilda, a cyber-criminal group known to target Android devices with banking malware. Both Hydra and Ermac provide attackers with access to the device required to steal banking information. ThreatFabric has reported all of the malicious apps to Google and they've either already been removed or are under review.

An anonymous reader writes: People running Android phones may want to hold off upgrading to Android 12 if they also use apps purchased through the Amazon Appstore. The Appstore app itself is not compatible with Android 12, which prevents many, if not all, apps purchased and downloaded via Amazon from running. The Android OS update began to be rolled out to Pixel phones over a month ago, and more recently, newer Samsung Galaxy handsets, such as the S21. Amazon has acknowledged the problem in a 90-post support forum thread, as well as in the Appstore app itself, but has not provided a timeline for a fix to restore users' apps.

Mozilla announced last week via a support article that its Firefox Lockwise password manager app will reach end-of-life on December 13th. The final release versions are 1.8.1 (iOS) and 4.0.3 (Android) and will no longer be available to download or reinstall after that date. The Verge reports: What started in 2018 as a small experimental mobile app called Lockbox ended up bringing a way to access saved passwords and perform autofills on iOS, Android, and desktop devices to a small but enthusiastic following of Firefox fans. The app was also later adapted as a Firefox extension. It seemed like it was apt to stick around for the long run.

The support article recommends that users continue accessing passwords using the native Firefox browsers on desktop and mobile. In an added note on the support site, Mozilla suggests that later in December, the Firefox iOS app will gain the ability to manage Firefox passwords systemwide. The note alludes to Mozilla adopting the features of Lockwise and eventually integrating them into the Firefox browser apps natively on all platforms.

An anonymous reader quotes a report from The Verge: Tile popularized marking items and tracking them from your phone with its small Bluetooth tags, but suddenly faces more competition from giants like Apple, Amazon, Google, and Samsung. The company that started out of an incubator and crowdfunding campaign has announced it will be acquired by Life360, which calls itself a "leading family safety platform." The deal is valued at $205 million and is expected to close in the first quarter of 2022. Tile has developed its product line over the years with a variety of different trackers and partnerships with other companies to use its technology. It also has a subscription service, Tile Premium, with extra features, battery replacements, and insurance against potential losses. However, the game may have changed once Apple and Google started building their own item-locating features into iPhones and Android devices.

Life360 bills itself as an overall family safety app, with location sharing between family members, crash detection, and other features. Over the summer, it announced that it has over 1 million paying customers and reported its valuation had crossed $1 billion. It also acquired another item locating hardware startup, Jiobit, which makes cellular-connected trackers for kids and pets. Life360 expects the deal will increase the global footprint for both companies, Tile's non-Bluetooth Finding Network, and create a larger combined subscriber base. Currently listed on the stock exchange in Australia, Life360 says it has plans for a "potential dual listing in the US" next year.

Apple sued the NSO Group, the Israeli surveillance company, in federal court on Tuesday, another setback for the beleaguered firm and the unregulated spyware industry. From a report: The lawsuit is the second of its kind -- Facebook sued the NSO Group in 2019 for targeting its WhatsApp users -- and represents another consequential move by a private company to curb invasive spyware by governments and the companies that provide their spy tools. Apple, for the first time, seeks to hold NSO accountable for what it says was the surveillance and targeting of Apple users. Apple also wants to permanently prevent NSO from using any Apple software, services or devices, a move that could render the company's Pegasus spyware product worthless, given that its core business is to give NSO's government clients full access to a target's iPhone or Android smartphone.

Apple is also asking for unspecified damages for the time and cost to deal with what the company argues is NSO's abuse of its products. Apple said it would donate the proceeds from those damages to organizations that expose spyware. Since NSO's founding in 2010, its executives have said that they sell spyware to governments only for lawful interception, but a series of revelations by journalists and private researchers have shown the extent to which governments have deployed NSO's Pegasus spyware against journalists, activists and dissidents. Apple executives described the lawsuit as a warning shot to NSO and other spyware makers. "This is Apple saying: If you do this, if you weaponize our software against innocent users, researchers, dissidents, activists or journalists, Apple will give you no quarter," Ivan Krstic, head of Apple security engineering and architecture, said in an interview on Monday.

Long-time tlhIngan writes: Tim Sweeney is at it again. The CEO of Epic Games blasts Apple and Google and calls for a universal app store that works across all platforms. Naturally, he's proposing that Epic Games manage the store across iOS, Android, Xbox, PC, Nintendo and Sony. Bloomberg (paywalled) has more details. "What the world really needs now is a single store that works with all platforms," said Sweeney in an interview at the Global Conference for Mobile Application Ecosystem Fairness in Seoul, South Korea. "Right now software ownership is fragmented between the iOS App Store, the Android Google Play marketplace, different stores on Xbox, PlayStation, and Nintendo Switch, and then Microsoft Store and the Mac App Store." Sweeney added that Epic Games is working with developers and service providers to create a system to allow users "to buy software in one place, knowing that they'd have it on all devices and all platforms."

"There's a store market, there's a payments market, and there are many other related markets. And it's critical that antitrust enforcement not allow a monopolist in one market to use their control of that market to impose control over unrelated markets." He went on to accuse Apple of complying "with oppressive foreign laws" while "ignoring laws passed by Korea's democracy." "Apple must be stopped," he says.

An anonymous reader quotes a report from ZDNet: Bilibili has joined other Chinese technology powerhouses such as ByteDance, TikTok's parent company, and its rival Kuaishou, in joining the Open Invention Network (OIN). The OIN is the world's largest patent non-aggression consortium. It protects Linux and related open source software and the companies behind them from patent attacks and patent trolls. The OIN recently broadened its scope from core Linux programs and adjacent open source code by expanding its Linux System Definition to other patents such as the Android Open Source Project (AOSP) and the Extended File Allocation Table exFAT file system. The OIN does this by practicing patent non-aggression in core Linux and related open source technologies by cross-licensing Linux System patents to one another on a royalty-free basis. Patents owned by OIN are similarly licensed royalty-free to any organization that agrees not to assert its patents against the Linux System. Any company can do this by simply signing the OIN license online.

As Wang Hao, Bilibili's VP, explained, "We are committed to opening and sharing technologies and providing positive motivation in the innovation field of playback transmission, interactive entertainment, and cloud-native ecology through open source projects. Linux and open source are important software infrastructures that promote business developments. Our participation in the OIN community demonstrates our consistent and ongoing commitment to shared innovation. In the future, we will also firmly support Linux's open source innovation."

Google was so worried about Epic Games sidestepping its app store with Fortnite that it created a task force to confront the issue, according to a legal filing by the game developer. From a report: The task force was created after Epic began offering an Android version of the hugely popular game through Samsung Electronics's Galaxy Store and directly through Epic's website in 2018, giving users a way to bypass the Google Play store, according to the filing. Epic's efforts to avoid paying commissions on app stores from Google and Apple reached a flashpoint last year when both companies removed Fortnite and the game's creator sued them. The legal showdown has help draw criticism and regulatory scrutiny to the app store policies of Alphabet's Google and Apple, which are seen as a dominant force in mobile software. In October, Google countersued, arguing that Epic pushed an "unapproved" version of Fortnite on Android phones that placed users at risk. Google has said that its app store isn't a monopoly since the company allows other stores to run on Android devices, unlike Apple.

"An unprivileged application can corrupt data in memory by accessing 'hammering' rows of DDR4 memory in certain patterns millions of times a second, giving those untrusted applications nearly unfettered system privileges," writes long-time Slashdot reader shoor. Ars Technica reports: Rowhammer attacks work by accessing -- or hammering -- physical rows inside vulnerable chips millions of times per second in ways that cause bits in neighboring rows to flip, meaning 1s turn to 0s and vice versa. Researchers have shown the attacks can be used to give untrusted applications nearly unfettered system privileges, bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources, and root or infect Android devices, among other things. All previous Rowhammer attacks have hammered rows with uniform patterns, such as single-sided, double-sided, or n-sided. In all three cases, these "aggressor" rows -- meaning those that cause bitflips in nearby "victim" rows -- are accessed the same number of times.

Research published on Monday presented a new Rowhammer technique. It uses non-uniform patterns that access two or more aggressor rows with different frequencies. The result: all 40 of the randomly selected DIMMs in a test pool experienced bitflips, up from 13 out of 42 chips tested in previous work (PDF) from the same researchers. "We found that by creating special memory access patterns we can bypass all mitigations that are deployed inside DRAM," Kaveh Razavi and Patrick Jattke, two of the research authors, wrote in an email. "This increases the number of devices that can potentially be hacked with known attacks to 80 percent, according to our analysis. These issues cannot be patched due to their hardware nature and will remain with us for many years to come."

The non-uniform patterns work against Target Row Refresh. Abbreviated as TRR, the mitigation works differently from vendor to vendor but generally tracks the number of times a row is accessed and recharges neighboring victim rows when there are signs of abuse. The neutering of this defense puts further pressure on chipmakers to mitigate a class of attacks that many people thought more recent types of memory chips were resistant to. In Monday's paper, the researchers wrote: "Proprietary, undocumented in-DRAM TRR is currently the only mitigation that stands between Rowhammer and attackers exploiting it in various scenarios such as browsers, mobile phones, the cloud, and even over the network. In this paper, we show how deviations from known uniform Rowhammer access patterns allow attackers to flip bits on all 40 recently-acquired DDR4 DIMMs, 2.6x more than the state of the art. The effectiveness of these new non-uniform patterns in bypassing TRR highlights the need for a more principled approach to address Rowhammer." While PCs, laptops, and mobile phones are most affected by the new findings, the report notes that cloud services like AWS and Azure "remain largely safe from Rowhammer because they use higher-end chips that include a defense known as ECC, short for Error Correcting Code."

"Concluding, our work confirms that the DRAM vendors' claims about Rowhammer protections are false and lure you into a false sense of security," the researchers wrote. "All currently deployed mitigations are insufficient to fully protect against Rowhammer. Our novel patterns show that attackers can more easily exploit systems than previously assumed."

Huawei, whose smartphone business has been devastated by U.S. sanctions, is planning to license its handset designs to third parties as a way to gain access to critical components, Bloomberg is reporting, citing people with knowledge of the matter. From the report: The Shenzhen-based tech giant is considering licensing its designs to a unit of state-owned China Postal and Telecommunications Appliances Co, or PTAC, which will then seek to buy parts barred under the Trump-era blacklisting, said one of the people, asking not to be identified discussing internal matters. The unit, known as Xnova, is already selling Huawei-branded Nova phones on its e-commerce site and the partnership will see it offer self-branded devices based on the larger company's designs.

Chinese telecom equipment maker TD Tech Ltd. will also sell some phones featuring Huawei's designs under its own brand, another person said. The partnerships are subject to change as negotiations are still ongoing. The move may be Huawei's best chance at salvaging its smartphone business after U.S. sanctions cut off its access to key chipmaker Taiwan Semiconductor Manufacturing Co, Google's Android apps and Qualcomm's 5G wireless modems. Since Huawei first came under fire from the Trump administration, its shrinking consumer business has seen sales fall for four straight quarters.

This week, following successful tests on Android smartphones and tablets, Netflix has announced that it will bring AV1 to TVs. 9to5Google reports: In a blog post this week, Netflix confirms it will start using the AV1 codec on some TVs. AV1, which has been available since 2018, allows for the more efficient encoding and decoding of data for streaming, leading to higher quality for the end user and better use of bandwidth for providers. However, the codec relies on hardware support. To ensure that TVs using AV1 streams will provide a good experience, Netflix says it analyzes the steam to ensure the device is spec-compliant for AV1 decoding.

For the time being, Netflix isn't specifically announcing which devices will support AV1 outside of the Netflix app on Sony's PS4 Pro console. On other TVs, support is only specified as working on "a number of AV1 capable TVs." In theory, this should include a considerable number of Android TV models.

Alphabet unit Google lost an appeal against a 2.42-billion-euro ($2.8-billion) antitrust decision on Wednesday, a major win for Europe's competition chief in the first of three court rulings central to the EU push to regulate big tech. From a report: Competition Commissioner Margrethe Vestager fined the world's most popular internet search engine in 2017 over the use of its own price comparison shopping service to gain an unfair advantage over smaller European rivals. The shopping case was the first of three decisions that saw Google rack up 8.25 billion euros in EU antitrust fines in the last decade. The company could face defeats in appeals against the other two rulings involving its Android mobile operating system and AdSense advertising service, where the EU has stronger arguments, antitrust specialists say. The court's support for the Commission in its latest ruling could also strengthen Vestager's hand in her investigations into Amazon, Apple and Facebook.

Google launched a beta app today that people with speech impairments can use as a voice assistant while contributing to a multiyear research effort to improve Google's speech recognition. From a report: The goal is to make Google Assistant, as well as other features that use speech to text and speech to speech, more inclusive of users with neurological conditions that affect their speech. The new app is called Project Relate, and volunteers can sign up at g.co/ProjectRelate. To be eligible to participate, volunteers need to be 18 or older and "have difficulty being understood by others." They'll also need a Google account and an Android phone using OS 8 or later. For now, it's only available to English speakers in the US, Canada, Australia, and New Zealand. They'll be tasked with recording 500 phrases, which should take between 30 to 90 minutes to record.

Amid a heightened amount of scrutiny and tension surrounding the App Store and how users download and install apps on the iPhone, Apple CEO Tim Cook said today that customers who wish to sideload apps should consider purchasing an Android device as the experience offered by the iPhone maximizes their security and privacy. From a report: Speaking at The New York Times "DealBook" summit, Cook said that customers currently already have a choice between wanting a secure and protected platform or an ecosystem that allows for sideloading. "I think that people have that choice today, Andrew. If you want to sideload, you can buy an Android phone." Cook drew the comparison of sideloading to a carmaker selling a car without airbags or seatbelt, saying it would be "too risky." "I think that people have that choice today, Andrew, if you want to sideload, you can buy an Android phone. That choice exists when you go into the carrier shop. If that is important to you, then you should buy an Android phone. From our point of view, it would be like if I were an automobile manufacturer telling [a customer] not to put airbags and seat belts in the car. He would never think about doing this in today's time. It's just too risky to do that. And so it would not be an iPhone if it didn't maximize security and privacy," he said.

Stockholm's official app was a disaster. So annoyed parents built their own open source version -- ignoring warnings that it might be illegal. From a report: Commissioned in 2013, Skolplattform was intended to make the lives of up to 500,000 children, teachers, and parents in Stockholm easier -- acting as the technical backbone for all things education, from registering attendance to keeping a record of grades. The platform is a complex system that's made up of three different parts, containing 18 individual modules that are maintained by five external companies. The sprawling system is used by 600 preschools and 177 schools, with separate logins for every teacher, student, and parent. The only problem? It doesn't work. The Skolplattform, which has cost more than 1 billion Swedish Krona, SEK, ($117 million), has failed to match its initial ambition. Parents and teachers have complained about the complexity of the system -- its launch was delayed, there have been reports of project mismanagement, and it has been labelled an IT disaster. The Android version of the app has an average 1.2 star rating.

On October 23, 2020, Landgren, a developer and the CEO of Swedish innovation consulting firm Iteam, tweeted a hat design emblazoned with the words "Skrota Skolplattformen" -- loosely translated as "trash the school platform." He joked he should wear the hat when he picks his children up from school. Weeks later, wearing that very hat, he decided to take matters into his own hands. "From my own frustration, I just started to create my own app," Landgren says. He wrote to city officials asking to see the Skolplattform's API documents. While waiting for a response, he logged into his account and tried to work out whether the system could be reverse-engineered. In just a few hours, he had created something that worked. "I had information on my screen from the school platform," he says. "And then I started building an API on top of their lousy API." The work started at the end of November 2020, just days after Stockholm's Board of Education was hit with a 4 million SEK GDPR fine for "serious shortcomings" in the Skolplattform. Integritetsskyddsmyndigheten, Sweden's data regulator, had found serious flaws in the platform that had exposed the data of hundreds of thousands of parents, children, and teachers. In some cases, people's personal information could be accessed from Google searches. (The flaws have since been fixed and the fine reduced on appeal.) In the weeks that followed, Landgren teamed up with fellow developers and parents Johan Obrink and Erik Hellman, and the trio hatched a plan. They would create an open source version of the Skolplattform and release it as an app that could be used by frustrated parents across Stockholm. Building on Landgren's earlier work, the team opened Chrome's developer tools, logged into the Skolplattform, and wrote down all the URLs and payloads. They took the code, which called the platform's private API and built packages so it could run on a phone -- essentially creating a layer on top of the existing, glitchy Skolplattform.

The result was the Oppna Skolplattformen, or Open School Platform. The app was released on February 12, 2021, and all of its code is published under an open source license on GitHub. Anyone can take or use the code, with very few limitations on what they can do with it. If the city wanted to use any of the code, it could. But rather than welcome it with open arms, city officials reacted with indignation. Even before the app was released, the City of Stockholm warned Landgren that it might be illegal. In the eight months that followed, Stockholms Stad, or the City of Stockholm, attempted to derail and shut down the open source app. It warned parents to stop using the app and alleged that it might be illegally accessing people's personal information. Officials reported the app to data protection authorities and, Landgren claims, tweaked the official system's underlying code to stop the spin-off from operating at all.

Alphabet's Google said on Thursday it plans to allow third-party payment systems in South Korea to comply with a new law, marking the first time the U.S. tech giant has amended its payment policy for a specific country. From a report: Google's announcement comes after a Korea Communications Commission's (KCC) request for Google and Apple to come up with compliance plans for the new law, which bans major app store operators from forcing software developers to use their payments systems. Most of the new law went into effect in mid-September. The curb is the first such move by a major economy on the likes of Apple and Google, which face global criticism for requiring the use of proprietary payment systems that charge commissions of up to 30%.

In late August, parliament passed an amendment to South Korea's Telecommunications Business Act - dubbed the "anti-Google law" - banning big app store operators, such as Google and Apple from forcing developers to use their payment systems, effectively stopping them from charging commission on in-app purchases. "We respect the decision of the National Assembly, and we are sharing some changes to respond to this new law, including giving developers that sell in-app digital goods and services the option to add an alternative in-app billing system alongside Google Play's billing system for their users in South Korea," Google said in a statement.

Proposed European regulation that could force Apple to allow iPhone users to install software from the web would open '"Pandora's box" and could pose threats to entire networks of computers, Apple software senior vice president Craig Federighi said in a speech on Wednesday. From a report: The remarks at Web Summit in Lisbon, Portugal represent an escalation in Apple's rhetoric about what could go wrong if Apple is forced to change its App Store policies. [...] "European policymakers have often been ahead of the curve," Federighi said. "But requiring sideloading on iPhone would be a step backward. Instead of creating choice, it could open up a Pandora's Box of unreviewed malware and software."

The European Commission, the executive arm of the EU, presented the Digital Markets Act last December. The Act is designed to stop companies like Apple, Google and Meta, the company previously known as Facebook, from abusing their power. It contains a series of rules that would require them to open up their platforms to competitors. Failure to comply could result in fines as high as 10% of the companies' worldwide annual revenue. In a report filed with the U.S. SEC last month, Apple specifically named the Digital Markets Act and said that, if enacted, it could require changes to Apple's App Store that might harm the company's financial results. On Wednesday, Federighi didn't address the potential financial impact to Apple. Instead, he argued sideloading would cause users to be tricked into downloading malware. "Even if you have no intention of sideloading, people are routinely coerced or tricked into doing it," Federighi said, citing malware on Google's Android, which allows sideloading. Google warns users against doing so in system messages and pop-ups, however. Federighi argued that although technically skilled people might be able to identify malware on the internet, their parents or children might still be fooled, making everyone's iPhone data less secure.

The eNaira is supposed to live within a mobile wallet, have the same value and be interchangeable with the physical naira for everyday transactions. Nigerians believe the eNaira, which is governed by a centralized blockchain, is part of the central bank's drive to discourage cryptocurrencies' popularity among Nigeria's youth, just like China's effort with the digital yuan. From a report: And so last week, Nigeria's central bank made two types of eNaira wallets available on Google and Apple stores: one for individuals, and another for merchants. But some users say parts of the wallet for individuals have not worked properly. Fisayo Fosudo, a Nigerian YouTuber who reviews gadgets and apps, said he and three friends initially got error messages that the eNaira app could not match their emails to their bank verification numbers. He would later register successfully but found broken links that did not lead to helpful support pages on the central bank's website. "Was really looking forward to reviewing the eNaira app but it's been hard to get it to work seamlessly. We wait," Fosudo said. After many users left poor reviews for the Android version of the eNaira app for individuals, it was taken down. It had been downloaded 100,000 times before that. The Apple Store version remained available at press time.

Netflix, the video-streaming giant, began its expected foray into video games with the introduction of five mobile games to its users worldwide, playable initially on Android devices. From a report: The titles are included in a Netflix subscription, and there'll be no advertising or additional purchases required, Mike Verdu, Netflix's vice president of game development, said Tuesday. The streaming company has targeted video games as its next big thing -- it's an industry that's larger than the movie and TV businesses. Players logging in will see a dedicated games row and tab where they can choose which titles to play. Games for Apple's iPhone are also planned. The initial offering includes titles linked to Netflix shows, such as Stranger Things: 1984 and Stranger Things 3: The Game. Also included are Shooting Hoops, Card Blast and Teeter Up.