An anonymous reader quotes a report from TechCrunch: Security researchers say Chinese authorities are using a new type of malware to extract data from seized phones, allowing them to obtain text messages -- including from chat apps such as Signal -- images, location histories, audio recordings, contacts, and more. In a report shared exclusively with TechCrunch, mobile cybersecurity company Lookout detailed the hacking tool called Massistant, which the company said was developed by Chinese tech giant Xiamen Meiya Pico.

Massistant, according to Lookout, is Android software used for the forensic extraction of data from mobile phones, meaning the authorities using it need to have physical access to those devices. While Lookout doesn't know for sure which Chinese police agencies are using the tool, its use is assumed widespread, which means Chinese residents, as well as travelers to China, should be aware of the tool's existence and the risks it poses. [...]

The good news ... is that Massistant leaves evidence of its compromise on the seized device, meaning users can potentially identify and delete the malware, either because the hacking tool appears as an app, or can be found and deleted using more sophisticated tools such as the Android Debug Bridge, a command line tool that lets a user connect to a device through their computer. The bad news is that at the time of installing Massistant, the damage is done, and authorities already have the person's data. "It's a big concern. I think anybody who's traveling in the region needs to be aware that the device that they bring into the country could very well be confiscated and anything that's on it could be collected," said Kristina Balaam, a researcher at Lookout who analyzed the malware. "I think it's something everybody should be aware of if they're traveling in the region."

An anonymous reader quotes a report from Android Authority: Italian YouTuber Once Were Nerd covers a variety of retro gaming topics, but his reviews of ANBERNIC devices appear to be the straw that broke the camel's back. According to the video [here], customs enforcement officers from the Guardia di Finanza showed up at his home and office on April 15 with a search warrant to investigate promotion of pirated copyrighted materials. They seized a variety of ANBERNIC, Powkiddy, and TrimUI gaming handhelds from his collection. In total, more than 30 consoles were taken. The creator, assuming he didn't do anything wrong, complied with demands, providing full transcripts of his conversations and chats with gaming handheld manufacturers. The officers also took his phone, promising to return it in a few days. It was returned two months later, on June 15.

According to the video, officials are not required to disclose what exactly the charges are or who has brought them until the initial investigation is complete under Italian law. At that point, the case is either dismissed or goes to trial. The complaint specifically mentions reproduction of copyrighted material from Nintendo and Sony, but the case may originate from the agency itself. However, in the meantime officials have the option to shut down his channel, even before proving any wrongdoing. This is a scary prospect for any creator who has spent years building a channel, and unlike YouTube copyright strikes, there's likely no remedy.

Currently, officials contest that his reviews of ANBERNIC devices like the RG Slide, which often, but not always, ship with microSD cards filled with copyrighted ROMs, are punishable under Article 171 ter of the Italian Copyright Law. This law, which was originally written in 1941, allows for a maximum punishment of 15,000 euros (or 30 million Italian Lira, since the law pre-dates the Euro) and three years of jail time.

Plasma Bigscreen, KDE's TV-focused interface, is being revived after years of inactivity thanks to contributor Devin, who overhauled the UI, redesigned the Settings app, improved app launching, and updated key modules. While still in progress -- with features like HDMI-CEC remote support and a virtual keyboard pending -- the project aims to rejoin KDE's official Plasma release schedule, potentially in version 6.5. Neowin reports: If you have not heard of it, Plasma Bigscreen is a Plasma shell for televisions, with original support for the now-defunct Mycroft AI assistant. It used to provide a simple launcher for apps and custom "Mycroft Skills" before development stalled, causing most distributions to drop it. The project was left behind during the big transition to Plasma 6 last year because no one had ported it in time for the megarelease. After a friend of his started poking at the code, Devin stepped in to tackle the much-needed work. [...]

For anyone who wants to test this out, you can do as Devin did by installing Plasma Bigscreen on a Raspberry Pi using postmarketOS, though you would have to compile it yourself or pull from the nightly repos to get the latest changes. Applications like Kodi and VacuumTube (smart TV version of YouTube) work well with remote navigation, and some games like SuperTuxKart are playable. Controller support exists, but getting TV remotes to work over HDMI CEC is still untested. The project is far from finished; it still needs an arrow-navigable virtual keyboard and a clearer long-term direction now that Mycroft is gone. Still, the goal is to get it back into the official Plasma release schedule, possibly for version 6.5.

Google will merge ChromeOS and Android into a unified platform, according to Sameer Samat, President of Android Ecosystem at Google. "We're going to be combining ChromeOS and Android into a single platform, and I am very interested in how people are using their laptops these days and what they're getting done," Samat said during a recent interview.

An anonymous reader quotes a report from Ars Technica: For the second time in a year, Google has announced that it will render some of its past phones almost unusable with a software update, and users don't have any choice in the matter. After nerfing the Pixel 4a's battery capacity earlier this year, Google has now confirmed a similar update is rolling out to the Pixel 6a. The new July Android update adds "battery management features" that will make the phone unusable. Given the risks involved, Google had no choice but to act, but it could choose to take better care of its customers and use better components in the first place. Unfortunately, a lot more phones are about to end up in the trash. [...]

Pixel 4a units contained one of two different batteries, and only the one manufactured by a company called Lishen was downgraded. For the Pixel 6a, Google has decreed that the battery limits will be imposed when the cells hit 400 charge cycles. Beyond that, the risk of fire becomes too great -- there have been reports of Pixel 6a phones bursting into flames. Clearly, Google had to do something, but the remedies it settled on feel unnecessarily hostile to customers. It had a chance to do better the second time, but the solution for the Pixel 6a is more of the same. [...]

When Google killed the Pixel 4a's battery life, it offered a few options. You could have the battery replaced for free, get $50 cash, or accept a $100 credit in the Google Store. However, claiming the money or free battery was a frustrating experience that was rife with fees and caveats. The store credit is also only good on phones and can't be used with other promotions or discounts. And the battery swap? You'd better hope there's nothing else wrong with the device. If it has any damage, like cracked glass, it may not qualify for a free battery replacement.

Now we have the Pixel 6a Battery Performance Program with all the same problems. Pixel 6a owners can get $100 in cash or $150 in store credit. Alternatively, Google offers a free battery replacement with the same limits on phone condition. This is all particularly galling because the Pixel 6a is still an officially supported phone, with its final guaranteed update coming in 2027. Google also pulled previous software packages for this phone to prevent rollbacks. [...] If you have a Pixel 6a, the battery-killing update is rolling out now. You'll have no choice but to install it if you want to remain on the official software. Google has a support site where you can try to get a free battery swap or some cash.

BrianFagioli shares a report from NERDS.xyz: Android is changing how it gives developers access to early features. The company is replacing its old Developer Preview model with a new Canary channel that provides rolling updates all year long. This new approach is meant to give developers earlier and more consistent access to experimental tools and APIs.

Previously, Developer Previews had to be manually flashed onto devices. They only ran during the earliest stages of each release cycle and stopped once Android entered the beta phase. That meant promising features that were not quite ready for beta had nowhere to go and no way to collect feedback. The Canary channel solves that by running in parallel with the existing beta program and delivering over the air updates automatically.

Samsung on Wednesday unveiled three new foldable smartphones at a time when the company is facing increased competition from Chinese rivals such as Honor and Oppo, reports CNBC. The company's share of the global foldable phone market slipped to 45% in 2024, down from 54% a year earlier. Today's new devices include the ultra-thin Galaxy Z Fold 7, the clamshell-style Galaxy Z Flip 7, and the more affordable Flip 7 FE. Here's a breakdown of each: The Galaxy Z Fold 7 is super thin at a thickness of 8.9 millimeters (0.35 inches) closed and only 4.2 millimeters open. It's also much lighter than its predecessor, weighing 215 grams (7.62 ounces). These stats put the phone on par with both Honor's Magic V5 and the Oppo Find N5. The new Fold device has a 6.5-inch cover screen and an 8-inch main display when opened, making it bigger than its predecessor. It's also decked out with premium new cameras, featuring a 200-megapixel main lens, as well as a 10-megapixel telephoto sensor, 12-megapixel ultra-wide and two 10-megapixel front cameras on both the cover screen and on the main display.

Samsung's new Fold generation is, nevertheless, much more limited than other devices in the market when it comes to battery capacity. The Galaxy Z Fold 7 has a 4,400 milliampere-hour (mAh) battery -- far less than the 6,100 mAh power pack in Honor's Magic V5's or the Oppo Find N5's 5,600 mAh battery. Samsung says its device is capable of 24 hours of video playback.

Samsung's Galaxy Z Flip 7 is also thinner than its predecessor, coming in at 6.5 millimeters when opened flat. By contrast, the Galaxy Z Flip 6 has a depth of 6.9 millimeters when unfolded. The new phone has a 4.1-inch cover screen and a 6.9-inch main display. It comes with a 50-megapixel main camera and 12-megapixel ultra-wide sensor on the back and a 10-megapixel lens on the main display. It also has a bigger 4,300 mAh battery, which Samsung says supports 31 hours of video playtime on a single charge.

In addition to Flip 7, Samsung is also introducing a cheaper version of the phone, called the Galaxy Z Flip 7 FE, which is slightly smaller and thicker than its more premium counterpart. What about the AI features, you ask? They all include various AI-driven camera tools that can identify and suggest removal of unwanted people or objects in photos, and an audio eraser that filters out background noise in videos.

The Galaxy Z Flip 7 also integrates Gemini Live, allowing users to overlay the AI assistant during live video recordings -- for instance, to receive real-time outfit suggestions.

The Z Fold 7 starts at $1,999, and the Z Flip 7 starts at $1,099. Meanwhile, the Flip 7 FE is priced at $899.

An anonymous reader quotes a report from TechCrunch: Google announced on Tuesday that it's launching a new Gmail feature that is designed to help users easily manage their subscriptions and declutter their inboxes. The new "Manage subscriptions" tool is rolling out on the web, Android, and iOS in select countries. With the new feature, users can view and manage their subscription emails in one place and quickly unsubscribe from the ones they no longer want to receive.

Users can view their active subscriptions, organized by the most frequent senders, alongside the number of emails they've sent in the past few weeks. Clicking on a sender provides a direct view of all emails from them. If a user decides to unsubscribe, Gmail will send an unsubscribe request to the sender on their behalf. "It can be easy to feel overwhelmed by the sheer volume of subscription emails clogging your inbox: Daily deal alerts that are basically spam, weekly newsletters from blogs you no longer read, promotional emails from retailers you haven't shopped in years can quickly pile up," Chris Doan, Gmail's Director of Product, wrote in a blog post.

Users can access the new feature by clicking the navigation bar in the top-left corner of their Gmail inbox and then selecting "Manage subscriptions." [...] Google says the new feature will begin rolling out on the web starting Tuesday, with Android and iOS users starting to receive it on July 14 and July 21, respectively. It may take up to 15 days from the start of the rollout for the feature to reach every user, the company says. The Manage subscriptions feature is available to all Google Workspace customers, Workspace Individual Subscribers, and users with personal Google accounts.

Google is implementing a change that will enable its Gemini AI engine to interact with third-party apps, such as WhatsApp, even when users previously configured their devices to block such interactions. ArsTechnica: Users who don't want their previous settings to be overridden may have to take action. An email Google sent recently informing users of the change linked to a notification page that said that "human reviewers (including service providers) read, annotate, and process" the data Gemini accesses.

The email provides no useful guidance for preventing the changes from taking effect. The email said users can block the apps that Gemini interacts with, but even in those cases, data is stored for 72 hours. The email never explains how users can fully extricate Gemini from their Android devices and seems to contradict itself on how or whether this is even possible.

An anonymous reader quotes a report from Ars Technica: Epic Games, buoyed by the massive success of Fortnite, has spent the last few years throwing elbows in the mobile industry to get its app store on more phones. It scored an antitrust win against Google in late 2023, and the following year it went after Samsung for deploying "Auto Blocker" on its Android phones, which would make it harder for users to install the Epic Games Store. Now, the parties have settled the case just days before Samsung will unveil its latest phones.

The Epic Store drama began several years ago when the company defied Google and Apple rules about accepting outside payments in the mega-popular Fortnite. Both stores pulled the app, and Epic sued. Apple emerged victorious, with Fortnite only returning to the iPhone recently. Google, however, lost the case after Epic showed it worked behind the scenes to stymie the development of app stores like Epic's. Google is still working to avoid penalties in that long-running case, but Epic thought it smelled a conspiracy last year. It filed a similar lawsuit against Samsung, accusing it of implementing a feature to block third-party app stores. The issue comes down to the addition of a feature to Samsung phones called Auto Blocker, which is similar to Google's new Advanced Protection in Android 16. It protects against attacks over USB, disables link previews, and scans apps more often for malicious activity. Most importantly, it blocks app sideloading. Without sideloading, there's no way to install the Epic Games Store or any of the content inside it.

Auto Blocker is enabled by default on Samsung phones, but users can opt out during setup. Epic claimed in its suit that the sudden inclusion of this feature was a sign that Google was working with Samsung to stand in the way of alternative app stores again. Epic has apparently gotten what it wanted from Samsung -- CEO Tim Sweeney has announced that Epic is dropping the case in light of a new settlement. Sweeney said Samsung "will address Epic's concerns," without elaborating on the details. Samsung may stop making Auto Blocker the default or create a whitelist of apps, like the Epic Games Store, that can bypass Auto Blocker. Another possibility is that Epic and select third-party stores are granted special access while Auto Blocker remains on for others, balancing security and openness.

A "more interesting outcome," according to Ars, would be for Samsung to pre-install the Epic Games Store on its new phones.

Samsung is working on a trifold smartphone that could be unveiled at the company's July 9th Unpacked event, according to leaked animations discovered in the latest One UI 8 build update. The animations, spotted by Android Authority, reveal a three-panel device with a dual-hinge folding mechanism where the left-hand display folds inward while the right-hand display sandwiches over the top.

The device features a triple-camera setup on the rear of the right-hand panel when fully unfolded, with the central panel serving as a cover display. The animations label the device as "Multifold 7," though it is speculated to be called the "Galaxy G Fold."

An anonymous reader quotes a report from TechCrunch: A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app's full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims. [...] According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims' devices.

Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows. The Catwatchful database also revealed the identity of the spyware operation's administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers. Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned. The stalkerware operation uses a custom API and Google's Firebase to collect and store victims' stolen data, including photos and audio recordings. According to Daigle, the API was left unauthenticated, exposing sensitive user data such as email addresses and passwords.

The hosting provider temporarily suspended the spyware after TechCrunch disclosed this vulnerability but it returned later on HostGator. Despite being notified, Google has yet to take down the Firebase instance but updated Google Play Protect to detect Catwatchful.

While Catwatchful claims it "cannot be uninstalled," you can dial "543210" and press the call button on your Android phone to reveal the hidden app. As for its removal, TechCrunch has a general how-to guide for removing Android spyware that could be helpful.

A California jury has ordered Google to pay $314.6 million to Android smartphone users in the state after finding the company liable for collecting data from idle devices without permission.

The San Jose jury ruled Tuesday that Google sent and received information from phones while idle, creating "mandatory and unavoidable burdens shouldered by Android device users for Google's benefit." The 2019 class action represented an estimated 14 million Californians who argued Google consumed their cellular data for targeted advertising purposes.

An anonymous reader shared this report from the tech news site The Register: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) this week published guidance urging software developers to adopt memory-safe programming languages. "The importance of memory safety cannot be overstated," the inter-agency report says...

The CISA/NSA report revisits the rationale for greater memory safety and the government's calls to adopt memory-safe languages (MSLs) while also acknowledging the reality that not every agency can change horses mid-stream. "A balanced approach acknowledges that MSLs are not a panacea and that transitioning involves significant challenges, particularly for organizations with large existing codebases or mission-critical systems," the report says. "However, several benefits, such as increased reliability, reduced attack surface, and decreased long-term costs, make a strong case for MSL adoption."

The report cites how Google by 2024 managed to reduce memory safety vulnerabilities in Android to 24 percent of the total. It goes on to provide an overview of the various benefits of adopting MSLs and discusses adoption challenges. And it urges the tech industry to promote memory safety by, for example, advertising jobs that require MSL expertise.

It also cites various government projects to accelerate the transition to MSLs, such as the Defense Advanced Research Projects Agency (DARPA) Translating All C to Rust (TRACTOR) program, which aspires to develop an automated method to translate C code to Rust. A recent effort along these lines, dubbed Omniglot, has been proposed by researchers at Princeton, UC Berkeley, and UC San Diego. It provides a safe way for unsafe libraries to communicate with Rust code through a Foreign Function Interface....

"Memory vulnerabilities pose serious risks to national security and critical infrastructure," the report concludes. "MSLs offer the most comprehensive mitigation against this pervasive and dangerous class of vulnerability."
"Adopting memory-safe languages can accelerate modern software development and enhance security by eliminating these vulnerabilities at their root," the report concludes, calling the idea "an investment in a secure software future."

"By defining memory safety roadmaps and leading the adoption of best practices, organizations can significantly improve software resilience and help ensure a safer digital landscape."

Android 16 will include a new security feature that warns users when their phones connect to fake cell towers designed for surveillance. The "network notification" setting alerts users when devices connect to unencrypted networks or when networks request phone identifiers, helping protect against "stingray" devices that mimic legitimate cell towers to collect data and force phones onto insecure communication protocols.

Apple's Swift programming language is expanding official support to Android through a new "Android Working Group" which will improve compatibility, integration, and tooling. "As it stands today, Android apps are generally coded in Kotlin, but Apple is looking to provide its Swift coding language as an alternative," notes 9to5Google. "Apple first launched its coding language back in 2014 with its own platforms in mind, but currently also supports Windows and Linux officially." From the report: A few of the key pillars the Working Group will look to accomplish include:

- Improve and maintain Android support for the official Swift distribution, eliminating the need for out-of-tree or downstream patches
- Recommend enhancements to core Swift packages such as Foundation and Dispatch to work better with Android idioms
- Work with the Platform Steering Group to officially define platform support levels generally, and then work towards achieving official support of a particular level for Android
- Determine the range of supported Android API levels and architectures for Swift integration
- Develop continuous integration for the Swift project that includes Android testing in pull request checks.
- Identify and recommend best practices for bridging between Swift and Android's Java SDK and packaging Swift libraries with Android apps
- Develop support for debugging Swift applications on Android
- Advise and assist with adding support for Android to various community Swift packages

Google is bringing its AI Overviews-like feature to YouTube in the form of an "AI-powered search results carousel." The Verge reports: As shown in a video, the search results carousel will show a big video clip up top, thumbnails to a selection of other relevant video clips directly under that, and an AI-generated bit of text responding to your query. To see a full video, tap on the big clip at the top of the carousel.

The feature is currently only accessible on iOS and Android and for videos in English and will be available to test until July 30th, per the YouTube experiments page. Additionally, only a "randomly selected number of Premium members" will have access to it, YouTube says in a support document.

Psylo, a new privacy-focused iOS browser by Mysk, aims to defeat digital fingerprinting by isolating each browser tab with its own IP address, unique fingerprinting defenses, and proxy-based encryption. "Psylo stands out as it is the only WebKit-based iOS browser that truly isolates tabs," Tommy Mysk told The Register. "It's not only about separate storage and cookies. Psylo goes beyond that."

"This is why we call tabs 'silos.' It applies unique anti-fingerprinting measures per silo, such as canvas randomization. This way two Psylo tabs opening the same website would appear as though they originated on two different devices to the opened website." From the report: The company claims Psylo therefore offers better privacy than a VPN because the virtual networks mask the user's IP address but generally don't alter the data used for fingerprinting. Psylo, for example, will adjust the browser's time zone and browser language to match the geolocation of each proxy, resulting in more entropy that means fingerprints created by gathering data from silos will appear to be different.

The Mysk devs' post states that some privacy-focused browsers like Brave also implement anti-fingerprinting measures like canvas randomization, but those are more effective on the desktop macOS app due to Apple's iOS restrictions. They claim that they were able to achieve better results on iOS by using a client-side JavaScript solution. Mysk designed Psylo to minimize the information available to its maker. It doesn't log personally identifiable information or browsing data that the curious could use to identify the user, the company claims, noting that it also doesn't have customer payment information, which is handled by Apple. There are no user accounts, only randomized identifiers to indicate active subscriptions. According to Tommy Mysk, the only subscriber data kept is bandwidth usage, which is necessary to prevent abuse.

"We aggregate bandwidth usage based on a randomly generated ID that is created when a subscription is made," Mysk said. "The randomly generated ID is associated with the Apple subscription transaction. Apple doesn't share the identity of users making App Store purchases with developers." Asked whether Apple could identify users, Mysk said, "Theoretically and given a court order, Apple can figure out the randomly generated ID of the user in question. If we were to hand out the data associated with the randomly generated ID, it would only be the bandwidth usage of that user in the current month, and two months in the past. Older data is automatically deleted. "We don't associate any identifiable information with the randomly generated ID. We don't store IP addresses at all in every component of our system. We don't store websites visited by our users at all." The browser is only available on iOS and iPadOS, but Mysk says an Android version could be developed if there's enough interest. It costs $9.99 per month or $99 per year in the U.S.

Google has begun rolling out a feature that allows Chrome users on Android to move the browser's address bar to the bottom of the screen. This capability has been available to iOS Chrome users since 2023 and aims to improve accessibility for users with larger devices.

Users can relocate the address bar by pressing and holding on it and selecting the move option, or by adjusting the setting through Chrome's settings menu. The feature addresses usability concerns for users of phones with bigger screens, where reaching the top of the display can prove difficult during one-handed operation.

Facebook now supports passkeys for login, offering users a more secure, phishing-resistant alternative to passwords by using biometrics or a PIN stored on their device. The feature is rolling out to iOS and Android "soon," while Messenger will get the feature "in the coming months." Lifehacker reports: Meta seems pretty excited about the news -- and not just because the company happens to be a member of the FIDO Alliance, the organization that developed passkeys. Aside from logging into your Facebook account, Meta says you'll be able to use passkeys to autofill your payment info when buying things with Meta Pay. You'll also be able to use the same passkey between both Facebook and Messenger, and your passkey will act as a key to lock out your encrypted Messenger chats.