The Best of TWiT from 2018!
Host: Leo Laporte
Microsoft’s new Surface Hub 2. Google Duplex freaks everyone out. GDPR shouldn’t freak people out – unless you work in adtech. Fortnite is coming to Android. Apple caves in to China again, pays some Irish taxes, and goes shopping for a new campus. Washington D.C. is full of Stingray spy devices. Yanny or Laurel: depends on your speakers. US Copyright laws may be extended to protect Mickey Mouse for 144 years.
Next week: All the Android you can handle! Google to launch Android O. Essential Phone arrives. Samsung Galaxy Note 8 announcement. Squeeze the Pixel 2. Is “google” the next “escalator”? Jeff Immelt may be Uber’s next CEO. Intel makes Coffee Lake a reality, and hints at the 10nm chip beyond: Ice Lake. The Daily Stormer gets kicked off GoDaddy, Google, Cloudflare, Russia, and more. Katie Roof was not alive for the last total US solar eclipse. Mike Elgan knows the best baker in Barcelona. Matt Cutts is trying to not wear a tie for 30 days.
US Senate votes to end ISP privacy regulations. The “Turkish Crime Family” demand $100,000 in iTunes gift cards for iCloud hack. Android O needs a name. Supreme Court hears printer ink patent case. Tesla Model 3 is on the way. Samsung Galaxy S8’s big announcement is coming this week. US and UK ban electronics bigger than a phone on flights from Middle Eastern countries by Middle Eastern carriers. Google screws up messaging – again.
–Georgia Dow has two VR rooms in her house.
–Rob Reid knows what music aliens like best.
–Nathan Olivarez-Giles wants a car with a naturally aspirated engine.
Does AMD’s Ryzen 7 outperform Intel’s Core i7 CPUs? Raspberry Pi Zero W hands on. Our pics of the latest Android phones from Mobile World Congress, price drops on Oculus Rift, and much more in TWiCH episode 404!
By Michael Kan | PCWorld
A new Trojan that can steal your payment data will also try to stymie you from alerting your bank.
Security vendor Symantec has noticed a “call-barring” function within newer versions of the Android.Fakebank.B malware family. By including this function, a hacker can delay the user from canceling any payment cards that have been compromised, the company said in a blog post.
Fakebank was originally detected in 2013. It pretends to be an Android app, when in reality, it will try to steal the user’s money.
The malware works by first scanning the phone for specific banking apps. When it finds them, the Trojan will prompt the user to delete them and install malicious versions of those same apps.
The newer variants of Fakebank.B, however, will do more than just collect financial login data. They will also monitor whatever phone calls are made.
If the customer service numbers of certain banks are dialed, the Trojan will cancel the call, Symantec said. Instead, users will have to use email or another phone to reach their banks.
So far, this new Trojan has only been detected in Russia and South Korea. Symantec is advising users to refrain from downloading apps from less trustworthy sources, like third-party app stores.
The call-barring function shows how banking Trojans are continuing to evolve. Earlier this year, Symantec detected another kind called Android.Bankosy that can bypass voice-based two-factor authentication systems.
To do this, the Trojan will secretly activate call forwarding on the victim’s phone. All calls will then be redirected to the hacker’s own number.
Savvy Android users know that Apple’s face-to-face with the FBI is only the beginning of the phone-encryption furor. Google CEO Sundar Pichai voiced his support for Apple and for strong and safe encryption, but he didn’t give specifics on how Google would deal with this situation if it were in Apple’s shoes.
That’s because if Syed Rizwan Farook, the San Bernardino shooter, had been using an older Android smartphone, we probably wouldn’t be having this discussion.
Encryption has so far lost out to openness in the Android ecosystem. It’s actually been supported since version 4.0 (KitKat), and the latest iterations of Google’s own Nexus devices have encryption on by default, but the rest of Android has been slower on the uptake, especially internationally.
“Android is different because the entire ecosystem is fragmented,” explained Mike Murray, VP of security research at Lookout. “The version of Android that Samsung installs on their phone is different than the version that Google installs on their phone and it’s way different than the third party aftermarket vendor who’s building low-end phones in India or China.”
It’s those smaller manufacturers making budget devices that have especially stymied Google. They fear that onboarding mandatory encryption will hamper their phones’ performance—for example, lower-end processors can struggle with the encrypt-and-decrypt process. But as standards for processors improve, there’s little reason why encryption could not become the norm when you get a new smartphone.
Google tried again, making encryption mandatory across the board late last year with Android 6.0 Marshmallow. But there’s another flaw in this plan: Only 4.6% of the Android landscape is running Marshmallow (as of this writing), and the compulsory encryption rule applies only to new phones running 6.0, not older phones that have been upgraded (it’s optional in that case). Once again, Android is a patchwork.
On-by-default makes a huge difference in how a person uses a device or an app. Typically, people don’t change the settings much unless they have something specific in mind. By having encryption off by default, a large number of users likely remain unencrypted and oblivious of their vulnerability.
“Every company manufacturing devices that store sensitive data should be using full disk encryption by default,” said Evan Greer, campaign director of Fight for the Future, which staged rallies in support of Apple. She added that corporations need to shoulder more of the responsibility in encrypting devices. “We need to build a movement to hold companies accountable and demand that they do everything technologically possible to protect our private information from hackers, and from illegal government surveillance.”
Google’s commitment to privacy is regularly challenged, whether it’s in the company’s expansive use of user data, or more specifically in a Manhattan DA report that claimed Google could remotely access most Android phones.
Android security boss Adrian Ludwig fired back, saying Google cannot access any device protected with a PIN, password, or fingerprint. “Google also does not have any mechanism to facilitate access to devices that have been encrypted,” he said.
But could Ludwig’s claim be put to the test sooner rather than later? We know the San Bernardino case was never about just one iPhone or Apple. As Fight for the Future’s Greer reminds us, it’s about the FBI’s desire to set a “dangerous precedent” that would be felt for years to come. Enabling end-to-end encryption for all users is just one way of ensuring this doesn’t happen.
“Assuming Android improves their security and becomes harder to hack, it’s not a question of if the US or other governments will try to force them to weaken that security,” said Greer. “It’s a question of when.”
Security researchers found over 20,000 adware samples hiding in apps that masquerade as Facebook, Twitter, Snapchat, and other popular services.
Security researchers have uncovered a new style of Android malware that hides inside of apps that act and look like they’re legitimate services.
Lookout Security described the unsavory practice as “trojanized adware.” Essentially the third-party apps look and function like Google, Facebook, Twitter, WhatsApp, and other popular apps. But once they’re installed, they assign themselves system-level permission and serve up ads throughout the rest of the OS, generating money for the hacker.
It’s a new level of evil genius because the security firm says they’re nearly impossible to uninstall: the best option for those who fall victim is to just ditch out on the device and pick up a new one. The trojanized apps obtain root-level access and install themselves as system apps, so even a factory reset doesn’t get rid of them.
The impact on you: While this may sound dire, it confirms our core piece of security advice: stick to the Google Play Store or Amazon App Store and always install the latest Android OS and Play Services updates. The absolute best option is to pick up a new Nexus device, which Google has pledged will get monthly security updates directly from Mountain View. BlackBerry recently made a similar pledge, with Silent Circle (maker of the Black Phone), and a few others jumping on board. So far, Google has been the most aggressive at sticking to the timeline.
These miscreants are hiding out in third-party app stores and in software downloaded via the web. They still look and work like regular apps, but then release the trojanized adware into your device with nearly limitless access to key data.
In a blog post outlining the threat, Lookout’s Michael Bentley cautioned against rooting one’s phone, a popular activity by those who like to install custom ROMs and tinker with the way their phone works.
“The act of rooting the device in the first place creates additional security risk for enterprises and individuals alike, as other apps can then get root access to the device, giving them unrestricted access to files outside of their domain. Usually applications are not allowed to access the files created by other applications, however with root access, those limitations are easily bypassed,” he said.
The security firm said there are three similar families of the trojanized adware that serve up the ads: Shuanet, Komage, and Shudun. Together, they’re responsible for over 20,000 different samples of malware.
Such an issue could be a particular headache for enterprise, as the apps with root access would then be able to get their hands on sensitive company data.
However, it reaffirms that unless you really know what you’re doing, you should avoid rooting your phone and venturing out to such uncharted waters. And, again, stick to the Google Play Store and Amazon App Store, where software is tested for malware and digitally signed before being made available.
If no one has been able to convince you to take your device’s security seriously, perhaps this hack will do it.
A video uncovered by Ars Technica shows someone able to use the emergency call access to gain entry to a locked phone, even though it’s protected with a password.
The individual in the video types a large string of characters into the call window and copies them to the device’s clipboard. The hacker is then able to open the camera from the locked device, access the options menu, and paste several characters into the password prompt. The phone then unlocks.
The vulnerability was introduced in Android 5.0 and was fixed in the LMY48M Android 5.1.1 build released to Nexus devices (you can always grab it yourself from the Nexus Factory Images page). However, the vast majority of Android handsets aren’t of the Nexus variety, which means you’re vulnerable to this hack until your device is updated. Fortunately, the attack only works if you use a password to unlock your device; you can use a PIN or pattern unlock to protect yourself. If you use a fingerprint unlock, you would need to have a PIN or pattern as the backup to fully stay secure.
Why this matters: It hasn’t been a great year for Android security, as this minor hack comes after the big scare of Stagefright. It demonstrates that Google and device manufacturers all need to step up their game so everyone can enjoy better security and not worry about a new hack every week.
Google has delivered on its promise to release monthly security updates today, with the first of said updates now rolling out to nearly all Nexus devices released in the past three years.
The updates haven’t been given their own Android version number, with Google instead opting to simply change the build number. The builds in question are ‘LMY48M’ for the Nexus 4, 5, 6, 7, 9, and 10, and ‘LMY48N’ for the Nexus Player, both of which are based on Android 5.1.1.
The update is mostly concerned with addressing memory overflow issues that could potentially lead to exploitation. There’s also a fix for a “moderate severity vulnerability” that allowed apps to bypass SMS short code notifications that informed users when a text message could cost them money.
Stagefright, a collection of dangerous Android vulnerabilities that can now be exploited by attackers, has already been patched in the latest version of Android. Nexus owners shouldn’t have to worry about becoming victim to any Stagefright exploits.
The attention now turns squarely to other Android OEMs to implement these security fixes in their devices. Google has done a pretty decent job of patching devices as old as the Nexus 4 from 2012, but some OEMs have many more models to update, some of which will, unfortunately, be left unpatched.
Samsung and LG have already promised monthly updates for some of their devices, so hopefully we’ll see these two companies release patches for their smartphones in the near future. It’s unclear whether other companies, especially those notoriously slow at releasing software updates (such as Sony), will even patch their devices at all.