android

Android apps are blocking sideloading and forcing Google Play versions instead

Only way in now is through the roof —

“Select Play Partners” can block unofficial installation of their apps.

It’s never explained what this collection of app icons quite represents. A disorganized app you tossed together by sideloading? A face that’s frowning because it’s rolling down a bar held up by app icons? It’s weird, but not quite evocative.

You might sideload an Android app, or manually install its APK package, if you’re using a custom version of Android that doesn’t include Google’s Play Store. Alternately, the app might be experimental, under development, or perhaps no longer maintained and offered by its developer. Until now, the existence of sideload-ready APKs on the web was something that seemed to be tolerated, if warned against, by Google.

This quiet standstill is being shaken up by a new feature in Google’s Play Integrity API. As reported by Android Authority, developer tools to push “remediation” dialogs during sideloading, which debuted at Google’s I/O conference in May, have begun showing up on users’ phones. Sideloaders of apps from the British shop Tesco, fandom app BeyBlade X, and ChatGPT have reported “Get this app from Play” prompts, which cannot be worked around. An Android gaming handheld user encountered a similarly worded prompt from Diablo Immortal on their device three months ago.

Google’s Play Integrity API is how apps have previously blocked access when loaded onto phones that are in some way modified from a stock OS with all Google Play integrations intact. Recently, a popular two-factor authentication app blocked access on rooted phones, including the security-minded GrapheneOS. Apps can call the Play Integrity API and get back an “integrity verdict,” relaying if the phone has a “trustworthy” software environment, has Google Play Protect enabled, and passes other software checks.

Graphene has questioned the veracity of Google’s Integrity API and SafetyNet Attestation systems, recommending instead standard Android hardware attestation. Rahman notes that apps do not have to take an all-or-nothing approach to integrity checking. Rather than block installation entirely, apps could call on the API only during sensitive actions, issuing a warning there. But not having a Play Store connection can also deprive developers of metrics, allow for installation on incompatible devices (and resulting bad reviews), and, of course, open the door to paid app piracy.
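One way an app's backend could apply the graded approach described above, consulting the verdict only for sensitive actions and warning rather than blocking (an added example, not code from the article or from Google). The verdict field and label names follow the Play Integrity API's documented response format; the package name, action names, freshness window, and sample payloads are constructed assumptions, and the integrity token is assumed to have been decoded already.

```python
"""Graded policy over a decoded Play Integrity verdict (illustrative sketch)."""
import time
from dataclasses import dataclass, field

# Verdict labels as documented for the Play Integrity API.
DEVICE_OK = {"MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"}
PLAY_PROTECT_RISKY = {"MEDIUM_RISK", "HIGH_RISK"}

# Assumptions made for this example only.
SENSITIVE_ACTIONS = {"transfer_funds", "change_password"}  # hypothetical action names
MAX_AGE_MS = 5 * 60 * 1000                                 # assumed freshness window
PKG = "com.example.bank"                                   # constructed package name
NONCE = "constructed-nonce-0001"                           # constructed request nonce
NOW_MS = 1_700_000_000_000                                 # fixed clock for the samples


@dataclass
class Decision:
    outcome: str                       # "allow", "warn" or "reject"
    reasons: list = field(default_factory=list)


def binding_errors(verdict, package, nonce, now_ms):
    """Checks that the verdict belongs to this app and this request (anti-replay)."""
    req = verdict.get("requestDetails", {})
    errors = []
    if req.get("requestPackageName") != package:
        errors.append("verdict issued for a different package")
    if req.get("nonce") != nonce:
        errors.append("nonce does not match this request")
    try:
        age = now_ms - int(req.get("timestampMillis"))
    except (TypeError, ValueError):
        age = None
    if age is None or not 0 <= age <= MAX_AGE_MS:
        errors.append("verdict is stale or has no timestamp")
    return errors


def integrity_signals(verdict):
    """Collects the environment findings the article lists; none of them blocks by itself."""
    signals = []
    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        signals.append("app binary not recognized by Google Play")
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    if not labels & DEVICE_OK:
        signals.append("device integrity not attested")
    if verdict.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        signals.append("app not acquired through Google Play")
    if verdict.get("environmentDetails", {}).get("playProtectVerdict") in PLAY_PROTECT_RISKY:
        signals.append("Play Protect reports risky apps")
    return signals


def decide(action, verdict, package, nonce, now_ms=None):
    """Ordinary actions skip the check; sensitive ones warn on findings."""
    if action not in SENSITIVE_ACTIONS:
        return Decision("allow")
    if verdict is None:  # e.g. a device with no Play Services installed
        return Decision("warn", ["no integrity verdict available"])
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    errors = binding_errors(verdict, package, nonce, now_ms)
    if errors:  # a verdict that is not bound to this request is not evidence at all
        return Decision("reject", errors)
    signals = integrity_signals(verdict)
    return Decision("warn" if signals else "allow", signals)


def sample_verdict(recognition, device_labels, licensing, nonce=NONCE, ts=NOW_MS - 1000):
    """Builds a constructed payload in the documented verdict shape."""
    return {
        "requestDetails": {"requestPackageName": PKG, "nonce": nonce,
                           "timestampMillis": str(ts)},
        "appIntegrity": {"appRecognitionVerdict": recognition, "packageName": PKG},
        "deviceIntegrity": {"deviceRecognitionVerdict": device_labels},
        "accountDetails": {"appLicensingVerdict": licensing},
        "environmentDetails": {"playProtectVerdict": "NO_ISSUES"},
    }


# Constructed samples: a Play install, a sideloaded copy on a custom OS, a replayed token.
PLAY_INSTALL = sample_verdict("PLAY_RECOGNIZED", ["MEETS_DEVICE_INTEGRITY"], "LICENSED")
SIDELOADED = sample_verdict("UNRECOGNIZED_VERSION", ["MEETS_BASIC_INTEGRITY"], "UNLICENSED")
REPLAYED = sample_verdict("PLAY_RECOGNIZED", ["MEETS_DEVICE_INTEGRITY"], "LICENSED",
                          nonce="nonce-from-another-request")

if __name__ == "__main__":
    for name, v in [("play", PLAY_INSTALL), ("sideloaded", SIDELOADED),
                    ("replayed", REPLAYED), ("no verdict", None)]:
        print(name, decide("transfer_funds", v, PKG, NONCE, NOW_MS))
```

Only a verdict that fails the request-binding checks is rejected outright, because it says nothing about the current device; every other finding degrades to a warning on the sensitive action.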

“Unknown distribution channels” blocked

Google’s developer video about “Automatic integrity protection” (at the 12-minute, 24-second mark on YouTube) notes that “select” apps have access to automatic protection. This adds an automatic checking tool to your app and the “strongest version of Google Play’s anti-tamper protection.” “If users get your protected app from an unknown distribution channel,” a slide in the presentation reads, “they’ll be prompted to get it from Google Play,” available to “select Play Partners.”

Last year, Google introduced malware scanning of sideloaded apps at install time. Google and Apple have come out against legislation that would broaden sideloading rights for smartphone owners, citing security and reliability concerns. European regulators forced Apple earlier this year to allow for sideloading apps and app stores, though with fees and geographical restrictions in place.

Balatro arrives on phones Sept. 26, so plan your “sick” days accordingly

The joker is on you —

It has already sold 2 million copies. Now the fun gets even more multiplied.

LocalThunk, the pseudonymous lead developer of the surprise smash hit deckbuilding/roguelike/poker-math-simulation game Balatro, has long given the impression that he understands that his game, having sold 2 million copies, might be a little too good.

To that end, LocalThunk has made the game specifically not about actual gambling, or microtransactions, or anything of the kind. Shortly after it arrived in February 2024 (but after it already got its hooks into one of us), some storefronts removed or re-rated the game on concerns about its cards and chips themes, causing him to explain his line between random number generation (RNG), risk/reward mechanics, and actual gambling. He literally wrote it into his will that the game cannot be used in any kind of gambling or casino property.

So LocalThunk has done everything he can to ensure Balatro won’t waste people’s money. Time, though? If you’re a Balatro fan already, or more of a mobile gamer than a console or computer player, your time is in danger.

Balatro is coming to iOS, both in the Apple Arcade subscription and as a stand-alone title, and the Google Play Store on September 26. The pitch-perfect reveal trailer slowly ratchets up the procrastinatory terror, with the word “MOBILE” punctuating scenes of gameplay, traditional businessmen crying, “Jimbo Stonks” rising upward (Jimbo being the moniker of Balatro’s joker), and a world laid to waste by people chasing ever-more-elusive joker combos.

Please note in the trailer, at the 36-second mark, the “Trailer Ideas” for Balatro on Mobile, including “Announcing Balatro is now a Soulslike,” “Romanceable Jimbo Reveal,” and “It’s like that apocalypse movie with the meteor but instead Jimbo is in the sky.”

Even more Balatro content is coming

The mobile version of Balatro is one of three updates LocalThunk has planned for 2025. A gameplay update is still due to arrive sometime this year, one that will be completely free for game owners. It won’t feel like a different game, or even a 1.5 version, LocalThunk told Polygon last month, but “extending that vision to, I think, its logical bounds instead of shifting directions … [M]ore about filling out the design space that currently exists, and then extending that design space in interesting directions that I think people are going to love.”

What else is coming? Perhaps “Friends of Jimbo,” teased today on Balatro’s X (formerly Twitter) account, tells us something. Notably, LocalThunk says that he developed the mobile ports himself.

As we noted in our attempt to explain the ongoing popularity of roguelike deckbuilders, Balatro is LocalThunk’s first properly released game. He claims to have not played any such games before making Balatro but was fascinated by streams of Luck Be a Landlord, a game about “using a slot machine to earn rent money and defeat capitalism.” That game, plus influences of Cantonese game Big Two and the basics of poker (another game LocalThunk says he didn’t actually play), brought about the time-melting game as we know it.

Balatro, in turn, took off with streamers, who would break the game with seeds, hit scores of 30 quintillion, or just keep coming back with everything they’ve learned.

A number of Ars writers have kept coming back to Balatro, time and again, since its release. It’s such a compelling game, especially for its indie-scale price, that none of us could really think of a way to write a stand-alone “review” of it. With its imminent arrival on iPhones, iPads, and Android devices, we’re due to re-educate ourselves on how much time is really in each day and which kinds of achievements our families and communities need to see from us.

Maybe the game won’t sync across platforms, and the impedance of having to start all over will be enough to prevent notable devolution. Maybe.

Novel technique allows malicious apps to escape iOS and Android guardrails

NOW YOU KNOW —

Web-based apps escape iOS “Walled Garden” and Android side-loading protections.

Phishers are using a novel technique to trick iOS and Android users into installing malicious apps that bypass safety guardrails built by both Apple and Google to prevent unauthorized apps.

Both mobile operating systems employ mechanisms designed to help users steer clear of apps that steal their personal information, passwords, or other sensitive data. iOS bars the installation of all apps other than those available in its App Store, an approach widely known as the Walled Garden. Android, meanwhile, is set by default to allow only apps available in Google Play. Sideloading—or the installation of apps from other markets—must be manually allowed, something Google warns against.

When native apps aren’t

Phishing campaigns making the rounds over the past nine months are using previously unseen ways to work around these protections. The objective is to trick targets into installing a malicious app that masquerades as an official one from the targets’ bank. Once installed, the malicious app steals account credentials and sends them to the attacker in real time over Telegram.

“This technique is noteworthy because it installs a phishing application from a third-party website without the user having to allow third-party app installation,” Jakub Osmani, an analyst with security firm ESET, wrote Tuesday. “For iOS users, such an action might break any ‘walled garden’ assumptions about security. On Android, this could result in the silent installation of a special kind of APK, which on further inspection even appears to be installed from the Google Play store.”

The novel method involves enticing targets to install a special type of app known as a Progressive Web App. These apps rely solely on Web standards to render functionalities that have the feel and behavior of a native app, without the restrictions that come with them. The reliance on Web standards means PWAs, as they’re abbreviated, will in theory work on any platform running a standards-compliant browser, making them work equally well on iOS and Android. Once installed, users can add PWAs to their home screen, giving them a striking similarity to native apps.

While PWAs can apply to both iOS and Android, Osmani’s post uses PWA to apply to iOS apps and WebAPK to Android apps.

Installed phishing PWA (left) and real banking app (right). (Image: ESET)

Comparison between an installed phishing WebAPK (left) and real banking app (right). (Image: ESET)

The attack begins with a message sent either by text message, automated call, or through a malicious ad on Facebook or Instagram. When targets click on the link in the scam message, they open a page that looks similar to the App Store or Google Play.

Example of a malicious advertisement used in these campaigns. (Image: ESET)

Phishing landing page imitating Google Play. (Image: ESET)

ESET’s Osmani continued:

From here victims are asked to install a “new version” of the banking application; an example of this can be seen in Figure 2. Depending on the campaign, clicking on the install/update button launches the installation of a malicious application from the website, directly on the victim’s phone, either in the form of a WebAPK (for Android users only), or as a PWA for iOS and Android users (if the campaign is not WebAPK based). This crucial installation step bypasses traditional browser warnings of “installing unknown apps”: this is the default behavior of Chrome’s WebAPK technology, which is abused by the attackers.

Example copycat installation page. (Image: ESET)

The process is a little different for iOS users, as an animated pop-up instructs victims how to add the phishing PWA to their home screen (see Figure 3). The pop-up copies the look of native iOS prompts. In the end, even iOS users are not warned about adding a potentially harmful app to their phone.

Figure 3 iOS pop-up instructions after clicking “Install” (credit: Michal Bláha)

After installation, victims are prompted to submit their Internet banking credentials to access their account via the new mobile banking app. All submitted information is sent to the attackers’ C&C servers.

The technique is made all the more effective because application information associated with the WebAPKs will show they were installed from Google Play and have been assigned no system privileges.

WebAPK info menu—notice the “No Permissions” at the top and “App details in store” section at the bottom. (Image: ESET)

So far, ESET is aware of the technique being used against customers of banks mostly in Czechia and less so in Hungary and Georgia. The attacks used two distinct command-and-control infrastructures, an indication that two different threat groups are using the technique.

“We expect more copycat applications to be created and distributed, since after installation it is difficult to separate the legitimate apps from the phishing ones,” Osmani said.

Nova Launcher, savior of cruft-filled Android phones, is on life support

A setup that’s a bit too minimalist —

Nova Launcher feels the “massive” layoffs at the firm that acquired it in 2022.

Back in July 2022, when mobile app metrics firm Branch acquired the popular and well-regarded Nova Launcher for Android, the app’s site put up one of those self-directed FAQ posts about it. Under the question heading “What does Branch want with Nova?,” Nova founder and creator Kevin Barry started his response with, “Not to mess it up, don’t worry!”

Branch (formerly/sometimes Branch Metrics) is a firm concerned with helping businesses track the links that lead into their apps, whether from SMS, email, marketing, or inside other apps. Nova, with its Sesame Search tool that helped users find and access deeper links—like heading straight to calling a car, rather than just opening a rideshare app—seemed like a reasonable fit.

Barry wrote that he had received a number of acquisition offers over the years, but he didn’t want to be swallowed by a giant corporation, an OEM, or a volatile startup. “Branch is different,” he wrote then, because they wanted to add staff to Nova, keep it available to the public, and mostly leave it alone.

Two years later, Branch has left Nova Launcher a bit too alone. As documented on Nova’s official X (formerly Twitter) account, and transcripts from its Discord, as of Thursday Nova had “gone from a team of around a dozen people” to just Barry, the founder, working alone. The Nova cuts were part of “a massive layoff” of purportedly more than 100 people across all of Branch, according to now-former Nova workers.

Barry wrote that he would keep working on Nova, “However I have less resources.” He would need to “cut scope” on an upcoming Nova release, he wrote. Other employees noted that customer support, marketing, and even correspondence would likely be strained or disappear.

Ars has reached out to Branch for comment and will update this post with response.

Some of the icon customization options, shown here on a tablet, inside Nova Launcher. (Image: Nova Launcher)

Custom, clean Android home screens

It’s hard to tell if Nova would have been better off without ever having been inside Branch, or if it might have inevitably run into the vexing question of how to get people to continually pay for an Android utility. But for Nova to be endangered, or at least heavily constrained, is a sad state for a very useful tool.

Installing a launcher on Android allows you to ignore whatever home screen, app tray, and search bars your phone came with and design your own. Nova Launcher allowed people to change how many icons showed up on their screen, and how big. It allowed for hiding default apps that could not be uninstalled. It was, and still is, one of the best ways to save your phone of bad skins, cruddy OEM software, and stuff for which you never asked.

In more than a dozen Ars reviews of Android devices touting organization concepts that people might not like—including Google’s own Pixels—Nova Launcher was recommended (minus one weird Razer/Nextbit phone that came with it by default). In his Pixel 7 Pro review, Ron Amadeo spells out one such way Nova saved the day:

The worst part of the Pixel software package is the home screen launcher, the primary interface of the phone, which is not nearly configurable enough. All I’m asking for is two things. First, I’d like many more icon grid size adjustments—the default 4×4 grid was fine when we were using 3.2-inch, 480p displays, but I now run a 7×5 grid in Nova launcher, and the Pixel launcher looks ridiculous. Second, I want to remove Google’s useless “At a Glance” widget, which takes up an incredible four icon slots to show the date and current outdoor temperature.

For the more than a decade that I used (and sometimes reviewed) Android phones, I maintained an exported Nova configuration file that I brought from phone to phone. I could experiment with theming, icon packs, and custom widgets (complete with deep links into app actions), but what that export really did was allow me to feel comfortable tinkering and messing with layout ideas. I could always go back to my rock-solid, no-nonsense layout of apps, spaced just how I liked them.

While Nova is not dead (despite my and others’ eulogistic tones), it’s certainly not positioned to launch bold new features or plot new futures. Here’s hoping Barry can make a go of Nova Launcher for as long as it’s viable for him.

All the possible ways to destroy Google’s monopoly in search

After US District Judge Amit Mehta ruled that Google has a monopoly in two markets—general search services and general text advertising—everybody is wondering how Google might be forced to change its search business.

Specifically, the judge ruled that Google’s exclusive deals with browser and device developers secured Google’s monopoly. These so-called default agreements funneled the majority of online searches to Google search engine result pages (SERPs), where results could be found among text ads that have long generated the bulk of Google’s revenue.

At trial, Mehta’s ruling noted, it was estimated that if Google lost its most important default deal with Apple, Google “would lose around 65 percent of its revenue, even assuming that it could retain some users without the Safari default.”

Experts told Ars that disrupting these default deals is the most obvious remedy that the US Department of Justice will seek to restore competition in online search. Other remedies that may be sought range from least painful for Google (mandating choice screens in browsers and devices) to most painful (requiring Google to divest from either Chrome or Android, where it was found to be self-preferencing).

But the remedies phase of litigation may have to wait until after Google’s appeal, which experts said could take years to litigate before any remedies are ever proposed in court. Whether Google could be successful in appealing the ruling is currently being debated, with anti-monopoly advocates backing Mehta’s ruling as “rock solid” and critics suggesting that the ruling’s fresh takes on antitrust law are open to attack.

Google declined Ars’ request to comment on appropriate remedies or its plan to appeal.

Previously, Google’s president of global affairs, Kent Walker, confirmed in a statement that the tech giant would be appealing the ruling because the court found that “Google is ‘the industry’s highest quality search engine, which has earned Google the trust of hundreds of millions of daily users,’ that Google ‘has long been the best search engine, particularly on mobile devices,’ ‘has continued to innovate in search,’ and that ‘Apple and Mozilla occasionally assess Google’s search quality relative to its rivals and find Google’s to be superior.’”

“Given this, and that people are increasingly looking for information in more and more ways, we plan to appeal,” Walker said. “As this process continues, we will remain focused on making products that people find helpful and easy to use.”

But Mehta found that Google was wielding its outsize influence in the search industry to block rivals from competing by locking browsers and devices into agreements ensuring that all searches went to Google SERPs. None of the pro-competitive benefits that Google claimed justified the exclusive deals persuaded Mehta, who ruled that “importantly,” Google “exercised its monopoly power by charging supra-competitive prices for general search text ads”—and thus earned “monopoly profits.”

While experts think the appeal process will delay litigation on remedies, Google seems to think that Mehta may rule on potential remedies before Google can proceed with its appeal. Walker told Google employees that a ruling on remedies may arrive in the next few months, The Wall Street Journal reported. Ars will continue monitoring for updates on this timeline.

As the DOJ’s case against Google’s search business has dragged on, reports have long suggested that a loss for Google could change the way that nearly the entire world searches the Internet.

Adam Epstein—the president and co-CEO of adMarketplace, which bills itself as “the largest consumer search technology company outside of Google and Bing”—told Ars that innovations in search could result in a broader landscape of more dynamic search experiences that draw from sources beyond Google and allow searchers to skip Google’s SERPs entirely. If that happens, the coming years could make Google’s ubiquitous search experience today a distant memory.

“By the end of this decade, going to a search engine results page will seem quaint,” Epstein predicted. “The court’s decision sets the stage for a remedy that will dramatically improve the search experience for everyone connected to the web. The era of innovation in search is just around the corner.”

The DOJ has not meaningfully discussed potential remedies it will seek, but Jonathan Kanter, assistant attorney general of the Justice Department’s antitrust division, celebrated the ruling.

“This landmark decision holds Google accountable,” Kanter said. “It paves the path for innovation for generations to come and protects access to information for all Americans.”

Loss of popular 2FA tool puts security-minded GrapheneOS in a paradox

Just a bit too custom for their taste —

Losing access to Authy leads to another reckoning with Google’s security model.

Graphene is a remarkable allotrope, deserving of further study. GrapheneOS is a remarkable ROM, one that Google does not quite know how to accommodate, due to its “tiny, tiny” user numbers compared to mainstream Android.

“If it’s not an official OS, we have to assume it’s bad.”

That’s how Shawn Wilden, the tech lead for hardware-backed security in Android, described the current reality of custom Android-based operating systems in response to a real security conundrum. GrapheneOS users discovered recently that Authy, a popular (and generally well-regarded) two-factor authentication manager, will not work on their phones—phones running an OS intended to be more secure and hardened than any standard Android phone.

“We don’t want to punish users of alternative OSes, but there’s really no other option at the moment,” Wilden added before his blunt conclusion. “Play Integrity has absolutely no way to guess whether a given custom OS completely subverts the Android security model.”

Play Integrity, formerly SafetyNet Attestation, essentially allows apps to verify whether an Android device has provided permissions beyond Google’s intended models or has been rooted. Root access is not appealing to the makers of some apps involving banking, payments, competitive games, and copyrighted media.

There are many reasons beyond cheating and skulduggery that someone might root or modify their Android device. But to prove itself secure, an Android device must contact Google’s servers through an API in Google Play Services and then have its bootloader, ROM signature, and kernel verified. GrapheneOS, like most custom Android ROMs, does not contain a Google Play Services package by default but will let users install a sandboxed version of Play Services if they wish.

Wilden offered some hope for a future in which ROMs could vouch for their non-criminal nature to Google, noting “some discussions with makers of high-quality ROMs” about passing the Compatibility Test Suite, then “establishing some kind of relationship we can use to trust them.” But it’s “a lot of work on both sides, including by lawyers,” Wilden notes. And while his team is happy to help, higher-level support is tough because “modders are such a tiny, tiny fraction of the user base.”

The official GrapheneOS X account was less hopeful. It noted that another custom ROM, LineageOS, disabled verified boot at installation, and “rolls back security in a lot of other ways,” contributing to “a misconception that every alternate OS rolls back security and isn’t production quality.” A typical LineageOS installation, like most custom ROMs, does disable verified boot; it can be re-enabled, but doing so is risky and complicated. GrapheneOS has a page on its site regarding its stance on, and criticisms of, Google’s attestation model for Android.

Ars has reached out to Google, GrapheneOS, and Authy (via owner Twilio) for comment. At the moment, it doesn’t seem like there’s a clear path forward for any party unless one of them is willing to majorly rework what they consider proper security.

Ars is seeking a seasoned senior reporter for all things Google

get your ron on —

Got feelings about the future of AI and/or phone bezel width? Come apply!

If you get hired for this position, you’ll be provided an assistant. It’s this guy. This guy is your assistant. His name is “Googly.”

Google is a company in transformation—but “from what” and “to what” are not always clear. To catalog and examine Google’s moves in this new era of generative AI, Ars Technica is hiring a Senior Technology Reporter to focus on Google, AI, Android, and search. While attention to so-called “consumer products” will be important, this role will be more focused on Google’s big moves as a technology and infrastructure company, moves often made to counter perceived threats from companies like OpenAI, Microsoft, and Perplexity. Informed skepticism is the rule around here, so we’re looking for someone with the chops to bring a critical eye to some deep technical and business issues.

As this is a senior role owning an important beat, it is not an entry-level position. We’re looking for someone who can primarily self-direct when it comes to their reporting and someone who is comfortable working remotely within a similarly remote team. We’d also like someone who can bring to the table deep and intelligent analyses on broader Google topics while also hitting smaller daily news stories.

This is a full-time union job with benefits.

All candidates:

  • Must have prior professional experience in technology journalism
  • Must be living in and eligible to work in the United States
  • Should expect to travel two to three times per year for major event coverage
  • Must be comfortable with fully remote work

The full job description and official details can all be found at the listing on the Condé Careers site. If this sounds like the job for you, please apply!

Google mocks Epic’s proposed reforms to end Android app market monopoly

Epic Games has filed a proposed injunction that would stop Google from restricting third-party app distribution outside Google Play Store on Android devices after proving that Google had an illegal monopoly in markets for Android app distribution.

Epic is suggesting that competition on the Android mobile platform would be opened up if the court orders Google to allow third-party app stores to be distributed for six years in the Google Play Store and blocks Google from entering any agreements with device makers that would stop them from pre-loading third-party app stores. This would benefit both mobile developers and users, Epic argued in a wide-sweeping proposal that would greatly limit Google’s control over the Android app ecosystem.

US District Court Judge James Donato will ultimately decide the terms of the injunction. Google has until May 3 to respond to Epic’s filing.

A Google spokesperson confirmed to Ars that Google still plans to appeal the verdict—even though Google already agreed to a $700 million settlement with consumers and states following Epic’s win.

“Epic’s filing to the US Federal Court shows again that it simply wants the benefits of Google Play without having to pay for it,” Google’s spokesperson said. “We’ll continue to challenge the verdict, as Android is an open mobile platform that faces fierce competition from the Apple App Store, as well as app stores on Android devices, PCs, and gaming consoles.”

If Donato accepts Epic’s proposal, Google would be required to grant equal access to the Android operating system and platform features to all developers, not just developers distributing apps through Google Play. This would allow third-party app stores to become the app update owner, updating any apps downloaded from their stores as seamlessly as Google Play updates apps.

Under Epic’s terms, any app downloaded from anywhere would operate identically to apps downloaded from Google Play, without Google imposing any unnecessary distribution fees. Similarly, developers would be able to provide their own in-app purchasing options and inform users of out-of-app purchasing options, without having to use Google’s APIs or paying Google additional fees.

Notably, Epic filed its lawsuit after Google removed the Epic game Fortnite from the Google Play Store because Epic tried to offer an “Epic Direct Payment” option for in-game purchases.

“Google must also allow developers to communicate directly with their consumers, including linking from their app to a website to make purchases and get deals,” Epic said in a blog post. “Google would be blocked from using sham compliance programs like User Choice Billing to prevent competing payment options inside an app or on a developer’s website.”

Unsurprisingly, Epic’s proposed injunction includes an “anti-retaliation” section specifically aimed at protecting Epic from any further retaliation. If Donato accepts the terms, Google would be violating the injunction order if the tech giant fails to prove that it is not “treating Epic differently than other developers” by making it “disproportionately difficult or costly” for Epic to develop, update, and market its apps on Android.

That part of the injunction would seem important since, last month, Epic announced that an Epic Games Store was “coming to iOS and Android” later this year. According to Inc, Epic told Game Developers Conference attendees that its app-distribution platform will be the “first ever game-focused, multiplatform store,” working across “Android, iOS, PC and macOS.”


Thousands of phones and routers swept into proxy service, unbeknownst to users

ANONYMIZERS ON THE CHEAP —

Two new reports show criminals may be using your device to cover their online tracks.


Crooks are working overtime to anonymize their illicit online activities using thousands of devices of unsuspecting users, as evidenced by two unrelated reports published Tuesday.

The first, from security firm Lumen Labs, reports that roughly 40,000 home and office routers have been drafted into a criminal enterprise that anonymizes illicit Internet activities, with another 1,000 new devices being added each day. The malware responsible is a variant of TheMoon, a malicious code family dating back to at least 2014. In its earliest days, TheMoon almost exclusively infected Linksys E1000 series routers. Over the years it branched out to targeting the Asus WRTs, Vivotek Network Cameras, and multiple D-Link models.

In the years following its debut, TheMoon’s self-propagating behavior and growing ability to compromise a broad base of architectures enabled a growth curve that captured attention in security circles. More recently, the visibility of the Internet of Things botnet trailed off, leading many to assume it was inert. To the surprise of researchers in Lumen’s Black Lotus Lab, during a single 72-hour stretch earlier this month, TheMoon added 6,000 ASUS routers to its ranks, an indication that the botnet is as strong as it’s ever been.

More stunning than the discovery of more than 40,000 infected small office and home office routers located in 88 countries is the revelation that TheMoon is enrolling the vast majority of the infected devices into Faceless, a service sold on online crime forums for anonymizing illicit activities. The proxy service gained widespread attention last year following this profile by KrebsOnSecurity.

“This global network of compromised SOHO routers gives actors the ability to bypass some standard network-based detection tools—especially those based on geolocation, autonomous system-based blocking, or those that focus on TOR blocking,” Black Lotus researchers wrote Tuesday. They added that “80 percent of Faceless bots are located in the United States, implying that accounts and organizations within the US are primary targets. We suspect the bulk of the criminal activity is likely password spraying and/or data exfiltration, especially toward the financial sector.”

The researchers went on to say that more traditional ways to anonymize illicit online behavior may have fallen out of favor with some criminals. VPNs, for instance, may log user activity despite some service providers’ claims to the contrary. The researchers say that the potential for tampering with the Tor anonymizing browser may also have scared away some users.

The second post came from Satori Intelligence, the research arm of security firm HUMAN. It reported finding 28 apps available in Google Play that, unbeknownst to users, enrolled their devices into a residential proxy network of 190,000 nodes at its peak for anonymizing and obfuscating the Internet traffic of others.


ProxyLib, the name Satori gave to the network, has its roots in Oko VPN, an app that was removed from Play last year after being revealed using infected devices for ad fraud. The 28 apps Satori discovered all copied the Oko VPN code, which made them nodes in the residential proxy service Asock.


The researchers went on to identify a second generation of ProxyLib apps developed through lumiapps[.]io, a software developer kit deploying exactly the same functionality and using the same server infrastructure as Oko VPN. The LumiApps SDK allows developers to integrate their custom code into a library to automate standard processes. It also allows developers to do so without having to create a user account or having to recompile code. Instead they can upload their custom code and then download a new version.


“Satori has observed individuals using the LumiApps toolkit in the wild,” researchers wrote. “Most of the applications we identified between May and October 2023 appear to be modified versions of known legitimate applications, further indicating that users do not necessarily need to have access to the applications’ source code in order to modify them using LumiApps. These apps are largely named as ‘mods’ or indicated as patched versions and shared outside of the Google Play Store.”

The researchers don’t know if the 190,000 nodes comprising Asock at its peak were made up exclusively of infected Android devices or if they included other types of devices compromised through other means. Either way, the number indicates the popularity of anonymous proxies.

People who want to prevent their devices from being drafted into such networks should take a few precautions. The first is to resist the temptation to keep using devices once they’re no longer supported by the manufacturer. Most of the devices swept into TheMoon, for instance, have reached end-of-life status, meaning they no longer receive security updates. It’s also important to install security updates in a timely manner and to disable UPnP unless there’s a good reason to leave it on, and even then to allow it only for the ports that need it. Users of Android devices should install apps sparingly and then only after researching the reputation of both the app and the app maker.


Apple partly halts Beeper’s iMessage app again, suggesting a long fight ahead

The dream of everybody having blue bubbles, and epic photos of perfectly digestible meals, as proffered by Beeper.

A friend of mine had been using Beeper’s iMessage-for-Android app, Beeper Mini, to keep up on group chats where she was the only Android user. It worked great until last Friday, when it didn’t work at all.

What stung her wasn’t the return to being the Android interloper in the chats again. It wasn’t the resulting lower-quality images, loss of encryption, and strange “Emphasized your message” reaction texts. It was losing messages during the outage and never being entirely certain they had been sent or received. There was a gathering on Saturday, and she had to double-check with a couple people about the details after showing up inadvertently early at the wrong spot.

That kind of grievance is why, after Apple on Wednesday appeared to have blocked what Beeper described as “~5% of Beeper Mini users” from accessing iMessages, both co-founder Eric Migicovsky and the app told users they understood if people wanted out. The app had already suspended its plans to charge customers $1.99 per month, following the first major outage. But this was something more about “how ridiculously annoying this uncertainty is for our users,” Migicovsky posted.

Fighting on two fronts

But Beeper would keep working to ensure access and keep fighting on other fronts. Migicovsky pointed to Epic’s victory at trial against Google’s Play Store (“big tech”) as motivation. “We have a chance. We’re not giving up.” Over the weekend, Migicovsky reposted shows of support from Senators Elizabeth Warren (D-Mass.) and Amy Klobuchar (D-Minn.), who have focused on reining in and regulating large technology companies’ powers.

Apple previously issued a (somewhat uncommon) statement about Beeper’s iMessage access, stating that it “took steps to protect our users by blocking techniques that exploit fake credentials in order to gain access to iMessage.” Citing privacy, security, and spam concerns, Apple stated it would “continue to make updates in the future” to protect users. Migicovsky previously denied to Ars that Beeper used “fake credentials” or in any way made iMessages less secure.

I asked Migicovsky by direct message if, given Apple’s stated plan to continually block it, there could ever be a point at which Beeper’s access was “settled,” or “back up and running,” as he put it in his post on X (formerly Twitter). He wrote that it was up to the press and the community. “If there’s enough pressure on Apple, they will have to quit messing with us.” “Us,” he clarified, meant both Apple’s customers using iMessage and Android users trying to chat securely with iPhone friends.

“That’s who they’re penalizing,” he wrote. “It’s not a Beeper vs. Apple fight, it’s Apple versus customers.”


20 Types of Android Apps You Can Replace With the Google App


The Pixel Feature Drop for December Is Out Now. Here’s Everything That’s New
