Android plans to improve security update speed this year

Google has spent the past year working with third-party manufacturers and phone carriers to improve its update system for Android, which is often criticized for not being fast enough to protect users from known vulnerabilities. And while Google says it has made some progress in this area — Android issued security updates to 735 million devices from more than 200 manufacturers in 2016 — about half of Android users still aren’t receiving important security patches.

“There is still a lot of work to do to protect all Android users: about half of devices in use at the end of 2016 had not received a platform security update in the previous year,” Android security leads Adrian Ludwig and Melinda Miller wrote in a year-in-review post. Android issued monthly security updates during that time frame.

When phone makers discover vulnerabilities in their products — either through external reports from security researchers or through internal audits — it kicks off a race to patch the problem before it’s widely exploited. But in the Android ecosystem, which includes hundreds of carriers and manufacturers, pushing those updates out to every user is a complex process.

While Google-manufactured Pixel and Nexus phones and tablets receive automatic updates, hundreds of manufacturers that run Android on their devices don’t push security updates to their customers immediately. This practice can leave customers waiting for months to get updates, and their devices are vulnerable in the meantime.

Ludwig told TechCrunch that Google has been able to cut the wait time for security updates from six to nine weeks down to just a few days by working with carriers and manufacturers. “In North America, just over 78 percent of flagship devices were current with the security update at the end of 2016,” he explained. “It’s a good number in terms of the progress that it represents. We think we can do better.”

Sharing Google’s data on update speed with carriers and manufacturers is crucial in convincing them to issue quicker security updates. “It’s not about convincing them that it’s important — they already believe that — it’s providing visibility into the specific status, which often they don’t have,” Ludwig said. “Because the ecosystem has so many parties, everyone knew the update rate was low but they thought it was caused by someone else. Providing the information allowed them to take action.”

Carriers are starting to view security updates differently than feature updates, and are getting them into consumers’ hands more quickly, while manufacturers are also restructuring the way they release updates to devices. Google is also contributing to the process by shrinking the size of updates to ensure a faster download and by removing requirements for users to approve every update.
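The "half of devices had not received a platform security update in the previous year" figure is something a fleet administrator can measure directly, since Android exposes its patch level in the `ro.build.version.security_patch` system property. The following is an added example, not code from Google or the year-in-review report; the inventory lines are constructed sample `getprop` output and the 60-day and 365-day thresholds are assumptions chosen to mirror the article's "current" and "no update in a year" buckets.

```python
"""Fleet check for Android platform security patch levels (added example).

Input is assumed to be one `getprop` line per device, of the form
"[ro.build.version.security_patch]: [YYYY-MM-DD]"; the sample below is constructed.
"""
from datetime import datetime, date
import re

# Constructed sample inventory: device id -> getprop line captured from that device.
SAMPLE_INVENTORY = {
    "dev-001": "[ro.build.version.security_patch]: [2016-12-05]",
    "dev-002": "[ro.build.version.security_patch]: [2016-11-01]",
    "dev-003": "[ro.build.version.security_patch]: [2015-10-01]",
    "dev-004": "[ro.build.version.security_patch]: [2016-06-01]",
    "dev-005": "garbage line with no patch level",  # e.g. pre-Marshmallow device
}

_PATCH_RE = re.compile(
    r"\[ro\.build\.version\.security_patch\]:\s*\[(\d{4}-\d{2}-\d{2})\]"
)

def parse_patch_level(line):
    """Return the patch date from a getprop line, or None if absent or malformed."""
    m = _PATCH_RE.search(line)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y-%m-%d").date()
    except ValueError:
        return None  # e.g. 2016-13-40: property present but not a real date

def classify(patch, today, current_days=60, stale_days=365):
    """Bucket a device by how old its patch level is on `today` (thresholds assumed)."""
    if patch is None or (today - patch).days < 0:
        return "unknown"  # missing or future-dated: not trustworthy
    age = (today - patch).days
    if age <= current_days:
        return "current"
    if age <= stale_days:
        return "behind"
    return "unpatched_over_a_year"

def fleet_summary(inventory, today):
    """Count devices per bucket and the share (of known devices) with no update in a year."""
    counts = {"current": 0, "behind": 0, "unpatched_over_a_year": 0, "unknown": 0}
    for line in inventory.values():
        counts[classify(parse_patch_level(line), today)] += 1
    known = len(inventory) - counts["unknown"]
    share = counts["unpatched_over_a_year"] / known if known else 0.0
    return counts, round(share, 3)

if __name__ == "__main__":
    print(fleet_summary(SAMPLE_INVENTORY, date(2016, 12, 31)))
```

Devices that report no patch level at all are counted separately rather than as patched, since that is exactly the population the report says is hardest to see.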

Updates aside, Android has made stronger progress in eliminating what it calls “potentially harmful apps” that sneak Trojans, phishing scams and hostile downloaders onto customers’ phones. Google automatically scans apps in the Play store for harmful content, performing “750 million daily checks in 2016, up from 450 million the previous year,” according to the year-end report.

The increase in daily scans has led to dramatic decreases in the percentage of harmful apps downloaded from Play:

Installs of PHAs from Google Play decreased in nearly every category:

● Now 0.016% of installs, installed trojans dropped by 51.5% compared to 2015.

● Now 0.003% of installs, hostile downloaders dropped by 54.6% compared to 2015.

● Now 0.003% of installs, backdoors dropped by 30.5% compared to 2015.

● Now 0.0018% of installs, phishing apps dropped by 73.4% compared to 2015.

Despite this progress, Ludwig and Miller said that overall installations of potentially harmful apps rose in 2016. “While only 0.71% of all Android devices had Potentially Harmful Applications (PHAs) installed at the end of 2016, that was a slight increase from about 0.5% in the beginning of 2015,” they wrote, adding that they hope to cut that number this year using new tools developed in 2016.

Android also made encryption improvements in its latest operating system, Nougat, and improved sandboxing for audio and video files.

New App Turns Android Smartphones Into Earthquake Detectors

Researchers have developed an app that can turn smartphones into a worldwide seismic network that could eventually warn users of impending jolts from a nearby earthquake.

With the help of a smartphone’s accelerometer – the motion-detection instrument – the app, called MyShake, taps a phone’s ability to record ground shaking from an earthquake.

The Android app, which can be downloaded from the Google Play Store, runs in the background with little power, so that a phone’s onboard accelerometers can record local shaking at any time of the day or night.

For now, the app only collects information from the accelerometers, analyses it and, if it fits the vibrational profile of a quake, relays it and the phone’s GPS coordinates to the Berkeley Seismological Laboratory at the University of California, Berkeley, for analysis.

However, once enough people are using it, the seismologists plan to use the data to warn people miles from ground zero that shaking is rumbling their way.

“MyShake cannot replace traditional seismic networks like those run by the US Geological Survey, UC Berkeley, the University of Washington and Caltech, but we think MyShake can make earthquake early warning faster and more accurate in areas that have a traditional seismic network, and can provide life-saving early warning in countries that have no seismic network,” said the leader of the app project, Richard Allen from the University of California, Berkeley.

A crowd-sourced seismic network may be the only option today for many earthquake-prone developing countries, such as Nepal or Peru, that have a sparse or no ground-based seismic network or early warning system, but do have millions of smartphone users.

“In my opinion, this is cutting-edge research that will transform seismology,” UC Berkeley graduate student Qingkai Kong, who developed the algorithm at the heart of the app, said.

Smartphones can easily measure movement caused by a quake because they have three built-in accelerometers designed to sense the orientation of the phone for display or gaming.

While constantly improving in sensitivity for the benefit of gamers, however, smartphone accelerometers are far less sensitive than in-ground seismometers.

But they are sensitive enough to record earthquakes above a magnitude 5 — the ones that do damage — within 10 kilometres.

And what these accelerometers lack in sensitivity, they make up for in ubiquity. There are an estimated one billion smartphones worldwide, the researchers said.

In a paper published in the journal Science Advances, the researchers described the algorithm in the mobile app that analyses a phone’s accelerometer data and distinguishes earthquake shaking from normal vibrations, such as walking, dancing or dropping the phone.

In simulated tests, the algorithm that the researchers developed successfully distinguished quakes from non-quakes 93 percent of the time.

New Android Malware Steals Banking Information, Wipes Out Data

There’s a new Android malware in town in the form of a Trojan, and much like many that came before it, it also wants to steal your banking information and wipe out all data from your smartphone and tablet. It’s called Mazar Bot, and it has already become a talking point among researchers, who are now actively warning about this Trojan.

Mazar Bot allows an attacker to spy on nearly every activity taking place on the victim’s Android smartphone or tablet. The attacker could potentially also plant a backdoor connection on the compromised device. One measure of how sophisticated Mazar Bot is: it can read the text messages on the victim’s device, which lets it bypass SMS-based two-factor authentication by gleaning the verification code from the compromised handset.

Researchers at Heimdal Security said that Mazar Bot is largely being spread through SMS and MMS messages. When a victim opens the APK (installation file) on their device, the malware is able to root the device and gain administrator privileges. It also installs the Polipo HTTP proxy, exposing the victim to man-in-the-middle (MITM) attacks. It can also delete everything from the device.

Another notable aspect is how it hides its activity once the victim has clicked the link. To avoid getting caught, the APK first installs Tor – from official channels – on the device, and then sends all the data it steals and its other communications over that protected and anonymous network. Tellingly, VirusTotal, a service that uses dozens of antivirus and anti-malware engines to detect malicious code, reports that only three of the 54 security suites are able to detect Mazar Bot.

Heimdal Security researchers noted that, for some reason, Mazar Bot doesn’t install itself on Android devices with the Russian language selected. “Mazar BOT will check the phone to identify the victim’s country and this will stop the malicious APK if the targeted phone turns out to be owned by a Russian user,” the researchers wrote in a blog post. The researchers added that Mazar Bot is capable of injecting itself into Chrome, controlling the phone’s keys, enabling sleep mode, and saving actions in the phone’s settings.

Mazar Bot was first spotted on a Russian hacker forum late last year. It was previously being sold on the Dark Web, but researchers believe that the malware is now being sold more actively and openly.

In light of the Mazar Bot malware, researchers advise Android device users to never click on links in SMS or MMS messages; turn off Unknown Sources in Settings > Security; install a good antivirus app; not connect to unknown and unsecured Wi-Fi networks; keep Wi-Fi off when not using it; and install a VPN and use it constantly.

Instagram’s Multiple Account Support Brings Privacy Bug to Android

Instagram last week began the rollout of multiple account support, which it had been testing since November last year. The feature is now said to suffer from a major bug, one that lets people see other users’ Instagram notifications. For now the bug is confined to the Android app.

The report describes it this way: if one user is signed in to accounts A and B and another to accounts B and C (account B being the shared account), the bug lets each user view notifications from the other’s personal account (A or C) as well.

As spotted by Android Central, users receive notifications meant for the other account holder; tapping them often leads nowhere, redirecting to the user’s own account page instead. However, the notification alert itself reveals the names of the commenters and the post they are commenting on. Sometimes a snippet of the comment is also visible in the notification alert. Worse, notifications from the other account holder’s direct messages are pushed as well, including an excerpt from the message.

Instagram has confirmed the bug and is reportedly working on a fix, which might be rolled out in the next update. For now, the best workaround might be to remove the shared account from the application and access only the personal account until Instagram resolves the issue.

Instagram last week introduced the multiple accounts feature for both Android and iOS. The feature ships with version 7.15 of the app. iOS users have not reported the bug so far.

The photo-sharing service announced in December that its user base in India had doubled over the past year. Instagram passed the 400 million user mark in September and also said that over 80 million pictures were shared daily.