Friday, 26 March 2021

A new Android spyware masquerades as a ‘system update’

Security researchers say a powerful new Android malware masquerading as a critical system update can take complete control of a victim’s device and steal their data.

The malware was found bundled in an app called “System Update” that had to be installed outside of Google Play, the app store for Android devices. Once installed by the user, the app hides and stealthily exfiltrates data from the victim’s device to the operator’s servers.

Researchers at mobile security firm Zimperium, which discovered the malicious app, said once the victim installs the malicious app, the malware communicates with the operator’s Firebase server, used to remotely control the device.

The spyware can steal messages, contacts, device details, browser bookmarks and search history, record calls and ambient sound from the microphone, and take photos using the phone’s cameras. The malware also tracks the victim’s location, searches for document files, and grabs copied data from the device’s clipboard.

The malware hides from the victim and tries to evade capture by reducing how much network data it consumes: it uploads thumbnails to the attacker’s servers rather than the full image. The malware also captures the most up-to-date data, including location and photos.

Zimperium CEO Shridhar Mittal said the malware was likely part of a targeted attack.

“It’s easily the most sophisticated we’ve seen,” said Mittal. “I think a lot of time and effort was spent on creating this app. We believe that there are other apps out there like this, and we are trying our very best to find them as soon as possible.”

A screenshot of the malware masquerading as a system update running on an Android phone. The malware can take full control of an affected device. (Image: Zimperium)

Tricking someone into installing a malicious app is a simple but effective way to compromise a victim’s device. It’s why Android devices warn users not to install apps from outside of the app store. But many older devices don’t run the latest apps, forcing users to rely on older versions of their apps from bootleg app stores.

Mittal confirmed that the malicious app was never installed on Google Play. When reached, a Google spokesperson would not comment on what steps the company was taking to prevent the malware from entering the Android app store. Google has seen malicious apps slip through its filters before.

This kind of malware, which has far-reaching access to a victim’s device, comes in a variety of forms and names, but largely does the same thing. In the early days of the internet, remote access trojans, or RATs, let snoops spy on victims through their webcams. Nowadays, child monitoring apps are often repurposed to spy on a person’s spouse, known as stalkerware or spouseware.

Last year, TechCrunch reported on the KidsGuard stalkerware — ostensibly a child monitoring app — that used a similar “system update” to infect victims’ devices.

But the researchers don’t know who made the malware or who it’s targeting.

“We are starting to see an increasing number of RATs on mobile devices. And the level of sophistication seems to be going up, it seems like the bad actors have realized that mobile devices have just as much information on them and are much less protected than the traditional endpoints,” said Mittal.





from Android – TechCrunch https://ift.tt/3vV3Mii
via IFTTT

Thursday, 25 March 2021

European branded payments startup Recharge raises $11.8M debt round led by Kreos Capital

Online branded payments now run the gamut of anything from Spotify vouchers, Netflix vouchers, Neosurf, PaySafe cards, and everything in between. Consumers use them to pay for a variety of things. In Europe, they are an increasingly big business. Now, European branded payments company Recharge.com has raised €10m ($11.8m) in a debt funding round led by London-based Kreos Capital, a growth debt provider for high-growth companies. In 2019 the Dutch fintech Creative Group, which owns the Recharge.com and Rapido.com brands, took investment of €22m from Prime Ventures.

Recharge has also appointed Michael Kent – who previously founded payments companies Small World and Azimo, along with UK neobank Tandem – as its non-executive chairman.

Recharge.com says it plans to use the funding to extend its mobile offering, product range, and expand in regions such as North America, Latin America and the GCC. It’s also aiming for sales of €450m in 2021.

Günther Vogelpoel, CEO of Recharge.com, said in a statement: “We live in a world of instant wish fulfillment, from taxis that appear on demand to same-day delivery of consumer goods. Recharge.com gives customers a fast, safe and simple way to fulfill their wishes, whether that’s an essential remittance or access to digital goods and services.”

Commenting, Kent said: “The era of supermarket gift cards and mobile top-ups is drawing to a close. Branded payments have exploded during the global lockdown as consumers seek digital alternatives to the high street. People are now aware that online branded payments are safe, fast, and convenient.”

Through a range of digital vouchers from brands including Apple, Google, Spotify, Xbox and PlayStation, as well as cross-border remittances of call, data credits, etc., Recharge is attacking the market from the consumer angle.

The biggest company in this space is Blackhawk Network, which is owned by private equity group Silver Lake. It’s considered a large player in Europe which has a direct-to-consumer model.

As Kent told me over a Zoom call: “Nobody actually owns the consumer side of this business globally so that’s the big opportunity.”



from Apple – TechCrunch https://ift.tt/39fqSqi

Tuesday, 23 March 2021

New York’s Department of Financial Services says Apple Card program didn’t violate fair lending laws

The New York State Department of Financial Services (NYDFS) released a report today that cleared the Apple Card credit card program of discriminatory practices and specifically, gender-based discrimination, following an investigation triggered by online complaints back in November 2019. At the time, tech entrepreneur David Heinemeier Hansson had called out the Apple Card program, jointly run by Apple and Goldman Sachs, for gender-based discrimination after he received a credit limit that was 20 times higher than what his wife was offered — even though the couple filed joint tax returns and his wife had a higher credit score than he did.

Hansson’s tweet storm detailing the problem ended up going viral, generating responses from several others, including Apple co-founder Steve Wozniak, who claimed they had similar experiences when applying for the Apple Card with their partners.

David’s wife, Jamie Heinemeier Hansson, had also penned a blog post documenting her experiences in more detail.

The numerous consumer complaints soon drew the attention of the New York Department of Financial Services, which then launched an investigation into Goldman Sachs’ credit card practices in order to see if gender-based discrimination was taking place, as alleged.

The NYDFS report, first spotted today by AppleInsider, notes that Goldman Sachs re-reviewed the credit files of some of the women who had initially been offered dramatically lower credit scores than their spouses, and decided to raise their limits to match those of their spouses. At the time, the bank also eliminated the six-month waiting period for appeals on credit decisions.

These actions seemed to indicate that the Apple Card algorithms were making bad calls on credit worthiness, potentially even on the basis of gender; but the Department says that’s not the case — though it did stress the need for credit score reforms and updating existing laws around credit access.

The NYDFS said it reviewed several thousand pages of records and written responses from Apple and Goldman Sachs, interviewed witnesses, met with representatives from Apple and the bank, and analyzed the bank’s underwriting data using a data set covering nearly 400,000 New York applicants. It also interviewed the consumers who had complained of discrimination.

The Department concluded that there was no “unlawful discrimination” against applicants under fair lending law. However, statements made by the Superintendent of Financial Services Linda A. Lacewell did stress that there is still discrimination built into the credit lending system itself, and the way credit scores can lead to unequal access to credit.

“While we found no fair lending violations, our inquiry stands as a reminder of disparities in access to credit that continue nearly 50 years after the passage of the Equal Credit Opportunity Act (ECOA),” Lacewell said. “The report also notes that the use of credit scoring in its current form and laws and regulations barring discrimination in lending are in need of strengthening and modernization to improve access to credit. Consumer frustration with the Apple Card policy of not permitting an account holder to add an authorized user drew attention to the following: a person who relies on a spouse’s access to credit, and only accesses those accounts as an authorized user, may incorrectly believe they have the same credit profile as the spouse. This is one part of a broader discussion we must have about equal credit access,” she added.

One common factor among the consumers who complained was a belief that a spouse who had access to the same shared bank account or other shared assets, like credit cards — even if only as authorized users — would receive the same credit terms as their spouses. But the way the system works today, underwriters don’t have to consider an authorized user the same as an account holder, and they may consider other factors, too. Combined, these are what led to the lower lending decisions, the investigation found.

The Department said that, when asked, Goldman Sachs was able to document underwriting that determined its lending decisions for the consumer complaints. Gender was not a factor, but spouses’ credit scores, indebtedness, income, credit utilization, missed payments and other credit history elements were. None of the factors identified was an “unlawful basis” for a credit determination, the Department said.

Of course, the credit score system itself is one that, overall, favors men. (And specifically, white men.) There is no one single reason as to why that’s the case, but it often has to do with women’s role as a primary caregiver, combined with how the credit scoring model operates. This is a system that needs reform, but as it relates to the Apple Card program and discrimination complaints, it was “lawfully” used to make the Apple Card lending decisions.

However, the Department did point out that there was a lack of transparency around Apple Card’s lending decisions — noting that although it was able to obtain the data about the bank’s decision for these complaints, the impacted consumers could not. It also suggested Apple could have offered a more robust appeals process, instead of requiring a six-month wait.

Apple has since responded to some of the issues raised, including by launching “Path to Apple Card” last year, which helps applicants follow steps that lead to an Apple Card approval. To date, more than 70K consumers have enrolled in this program and nearly 5,000 have been approved. Apple also updated its website with more information about how Apple Card approvals work. And now it’s in the process of adding support for Apple Card family sharing features — meaning, authorized users. This would address issues around spouses not being able to gain access to the higher credit lending limits at least.

But this investigation highlighted the problems Apple faced by pairing its trusted brand with a credit card issued by a traditional lender and the accompanying crummy banking practices consumers hate, as well as how a lack of transparency had undermined trust in the lending decisions that were made.

Apple hasn’t commented on the NYDFS report at this time.



from Apple – TechCrunch https://ift.tt/3957mN2

Apple launches the ‘Apple Teacher Portfolio’ recognition, updates Schoolwork and Classroom apps

Apple this morning announced a handful of education-related updates to its suite of classroom apps as well as a new recognition for teachers, called the Apple Teacher Portfolio. Teachers who complete a total of nine lessons where they learn foundational skills on iPad and Mac to become an officially recognized Apple Teacher will be able to submit their portfolio of lesson examples to earn the Apple Teacher Portfolio recognition. They can then also share their portfolio with their colleagues or use it to showcase their work.

Teachers can work towards acquiring the badge through the Apple Teacher Learning Center, which is Apple’s self-paced learning platform for educators. This offering is designed to help teachers learn how to incorporate Apple technologies in the classroom, including by using iPad and Mac apps for creating art, videos, animations, recordings, page layouts, podcasts, data trackers, music, and more. Across the lessons, Apple provides templates as examples which teachers can customize or combine to make their own projects that use either an iPad or Mac and Apple software like Keynote, GarageBand, iMovie, and others.


In addition, Apple today rolled out updates across its Schoolwork and Classroom apps, as well as its “Everyone Can Create” curriculum, which has historically focused on taking advantage of Apple’s creative tools like iMovie, Clips and GarageBand.

In Schoolwork, teachers will gain the option to share Schoolwork projects with colleagues by exporting their assignments, which can then be imported back into Schoolwork or other platforms. Other improvements have been made to the sidebar navigation to make it quicker to access classes, assignments and student accounts.

Classroom, meanwhile, has been updated for remote learning — a feature that would have been more useful to have rolled out in 2020, amid the height of U.S. lockdowns during the pandemic. With the update, teachers will be able to invite remote students to Classroom sessions where they’ll be able to guide them to apps, view their screen (with the student’s permission) and track their engagement. The software has also been rebuilt using Mac Catalyst, making it work across iPad and Mac, including Macs powered by Apple’s M1 chips.

The “Everyone Can Create” curriculum has had a number of smaller updates. Its Drawing guide has been updated to include motion graphics and animation in Keynote, while Photos now covers the creation of animated GIFs using Keynote, and the Camera and Photos apps. The Video guide will now explore creating short films using a green screen and other special effects, and Music adds new podcasting features using GarageBand, Apple says. Today, more than 5,000 K-12 institutions worldwide are using the curriculum.

Apple last year had updated its Schoolwork and Classroom apps, with some updates to Schoolwork to support distance learning — like managing assignments over the cloud and support for calling students via FaceTime, for example. But even as the pandemic forced schools towards remote learning, Google jumped ahead of edtech rivals by aggressively giving away its software and courting teachers. Its low-cost Chromebooks were being given out across school districts, doubling demand in 2020. Google Classroom, meanwhile, doubled to more than 100 million active users by April 2020, Bloomberg Quint reported. As of Feb. 2021, Google said the service was being used by over 150 million students, teachers and admins, up from just 40 million last year.

Apple didn’t say today how many users it has for its own educational software programs, by comparison. However, by encouraging teachers to create a portfolio which they can then share, Apple is helping to push towards greater adoption of its tools by more directly involving educators in the process.

Apple Teacher Portfolio launched today and is available in the Apple Teacher Learning Center. The “Everyone Can Create” guides are a free download on Apple Books. And new versions of both Schoolwork and Classroom are available in beta now through AppleSeed for IT.



from Apple – TechCrunch https://ift.tt/3cbwrYI

Monday, 22 March 2021

Clubhouse says its Android launch will take ‘a couple of months’

Social audio app Clubhouse has now promised a time frame of sorts for the launch of its anticipated Android version, following its recent hire of an Android software developer last month. In its weekly Townhall event on Sunday, Clubhouse co-founder Paul Davison remarked that the company was working “really hard” to come to Android, but said it’s going to take a “couple of months” to make that happen. That seems to indicate a time frame that’s closer to late spring or summer 2021.

Clubhouse had previously said in a late January blog post that it would begin work on its Android version “soon,” but had not yet promised any sort of time frame as to when it would be able to bring that version to the public. Instead, most of its statements about Android have been vague mentions of the importance of supporting the Android user base and making its app more accessible to a wider audience.

In the meantime, Clubhouse’s biggest rival, Twitter Spaces, has been taking advantage of Clubhouse’s delay to address the sizable Android user base by rapidly rolling out support to more people across platforms. This month, for example, Twitter Spaces opened up to Android users, allowing anyone on Android to join and talk inside its live audio rooms. Shortly thereafter, Twitter said that it plans to publicly launch Twitter Spaces to the general public in April. That would be well ahead of Clubhouse, unless the latter rapidly speeds up development and drops its invite-only status in the weeks ahead.

During Sunday’s Clubhouse Townhall, co-founder Davison explained the company’s approach to scaling to a larger market — like one where Android users participate — as an effort that requires a slower pace, when it comes to opening up access to more users. He noted that when Clubhouse grows, the discovery experience inside the app can be negatively impacted as a result. Users today are seeing more foreign language groups in their feeds, for instance, and are having a harder time finding friends and some of the best content, he said.

To address these challenges, Clubhouse plans to make several changes, including tweaks to the app’s Activity feed, tools to give users more control over their push notifications, and the launch of more personalization features — like showing users a personalized list of suggested rooms that appear on screen when you first open the app. These sorts of improvements are necessary to make Clubhouse succeed even as it scales its app to a larger user base, the company believes.

That said, Davison also spoke of dropping Clubhouse’s invite-only status as something it hopes to do “in the coming months.” He noted that he wants the app to open up to everyone, because there are “so many incredible creators not yet on Clubhouse, who have an audience elsewhere.”

“It’s going to be really important that we just open up to everyone,” Davison said. “Android’s going to be really important. Localization is obviously going to be very important.” Plus, making Clubhouse more accessible was important, too, he said.

The lack of an Android version of Clubhouse has already caused some complications for the company.

A number of Android app developers have taken advantage of the hole left in the market to hawk their “Clubhouse guides,” which intentionally aim to confuse Android users looking for Clubhouse by using the same app icon. (Google apparently doesn’t bother to weed out low-value and/or infringing content like this from the Play Store.)

More recently, cybercriminals have gotten in on the action, too. They’ve created fake versions of Clubhouse that even pointed to a well-executed copy of the Clubhouse website in order to trick users into downloading their malicious app. One of these apps has been found to be spreading BlackRock malware, which steals users’ login credentials for over 450 services, including Facebook, Twitter and Amazon.

Davison addressed this issue during the Townhall, warning users that if they see anyone trying to impersonate Clubhouse on Android, not to use that app because “it could be harmful.”

“It is certainly not the real Clubhouse. Same thing with PC. There’s no PC app for Clubhouse,” he said, adding that a desktop version of Clubhouse is not a high priority for the company.

The company made a number of other announcements, as well, the most notable being its plans for more creator tools. These will be focused on helping creators grow their own audiences for their shows, and even monetize their events, if they choose, through things like direct payments, subscriptions, brand sponsorships, and even “paid events.” Clubhouse will also offer tools for managing memberships and tracking metrics around listeners and retention, but overall, details were light on what specific tools would be available or when they would roll out.

Clubhouse hasn’t responded to a request for further comment on the statements made during its Townhall event.



from Android – TechCrunch https://ift.tt/3c9Rf2y
via IFTTT

Saturday, 20 March 2021

Tim Cook and Tim Sweeney among potential witnesses for Apple/Epic trial

A proposed witness list filed by Apple for its upcoming trial against game-maker Epic reads like a who’s who of executives from the two companies. The drawn-out battle could well prove a watershed moment for mobile app payments.

The two sides came to loggerheads when the Fortnite maker was kicked out of the App Store in August of last year after adding an in-game payment system designed to bypass Apple’s – along with Apple’s cut of the profits.

Epic has accused Apple of monopolist practices pertaining to mobile payment. Apple, meanwhile, has argued that Epic broke the App Store agreement in order to increase its revenue.

Filed late last night by the hardware giant, the document includes top executives from both sides. For Apple, the list includes CEO Tim Cook, Software Engineering SVP Craig Federighi and Apple Fellow Phil Schiller. On team Epic, it’s Tim Sweeney and VP Mark Rein. Executives from Microsoft, Facebook and NVIDIA are also included, for good measure.

In a statement provided to TechCrunch, Apple notes,

Our senior executives look forward to sharing with the court the very positive impact the App Store has had on innovation, economies across the world and the customer experience over the last 12 years. We feel confident the case will prove that Epic purposefully breached its agreement solely to increase its revenues, which is what resulted in their removal from the App Store. By doing that, Epic circumvented the security features of the App Store in a way that would lead to reduced competition and put consumers’ privacy and data security at tremendous risk.

The trial is expected to kick off May 3. We’ve reached out to Epic for additional comment.



from Apple – TechCrunch https://ift.tt/3f0jiDu

Thursday, 18 March 2021

Fleksy co-founder is suing Apple over lost revenue resulting from App Store scammers

Kosta Eleftheriou, a co-founder of the Fleksy keyboard app later sold to Pinterest in an acqui-hire deal, has been calling attention to Apple App Store issues like fake reviews, ratings and subscription scams, as well as malicious clone apps, after his own app, FlickType, was targeted by scammers. Now, the developer is taking the next step in his App Store crusade: he’s filing a lawsuit against Apple.

The suit, which the developer claims was filed Wednesday in California Superior Court in Santa Clara county, alleges that Apple enticed developers to build applications for its App Store — the only place iOS applications can be legally sold — by claiming it’s a safe and trustworthy place, but doesn’t protect legitimate app developers against scammers profiting from their hard work.

What’s more, the suit says, Apple is disincentivized to do so because scammers are generating revenue for Apple via their use of subscriptions, which involve a revenue share with Apple.

Eleftheriou has been personally impacted by App Store scammers. He left a well-paying job at Pinterest to develop his FlickType app, an alternative swipe keyboard for Apple Watch. After its launch, the app was targeted by copycat app makers who claim their apps offer the same feature set as FlickType but instead lock users into high-priced subscriptions for their poorly designed software. They also flood their apps with fake ratings and reviews to make them appear to be a much better option when users are looking for an app in this space.

Meanwhile, FlickType sports a 3.5-star rating, as it’s often dinged for Apple Watch platform issues that are outside the developer’s control or missing features users want to call attention to. Eleftheriou engages with his app’s users, however — responding to complaints and letting users know when features they’ve requested were added or bugs have been fixed. Scammers simply buy enough 5-star reviews to keep their apps’ overall ratings higher.

In other words, Eleftheriou is doing the hard work of being an App Store developer carving out a category for swipe keyboards for the Watch, but his potential income is being shifted over to scam apps who have a falsified App Store presence.

In years past, Apple took seriously issues of app quality. It worked to clean up shady subscription apps and remove clones and spam from the App Store through regular sweeps. It even once went so far as to ban apps built using templates in an effort to raise the bar on app quality, which angered small businesses that didn’t have the resources or funds to build more professional apps. (Apple later revised its policy to be more equitable.)

But the new lawsuit alleges that Apple is now doing little to police scammers’ apps because it profits from developer misconduct. Eleftheriou also notes he has raised these issues to Apple via his company KPAW, LLC, but Apple did “next to nothing” to resolve the problem.

Eleftheriou’s story is even more complicated, though, because his app was rejected from the App Store numerous times after meeting with Apple special projects manager Randy Marsden over a possible acquisition. He tells TechCrunch numbers were discussed with Apple and his meetings had included a director and a VP, among others. Apple was considering turning FlickType into an Apple Watch feature, the lawsuit notes.

Shortly thereafter, FlickType was pulled from the App Store over App Store Review Guidelines violations, even as a competitor’s app was approved. Eleftheriou appealed for his app through Developer Relations but was given no guidance on how to prevent the same problem in the future, he said.

Over the months that followed, FlickType continued to face rejections from App Store Review. Apple’s App Store Review said that the app offered a “poor user experience,” even though tech journalists at numerous outlets had praised it, and Apple had once considered buying it. App Review also told the developer that “full keyboard apps are not appropriate for Apple Watch,” while it continued to allow competitors to publish their own keyboard apps.

Apple’s App Review team also allowed third-party apps that were running FlickType’s integratable version of the keyboard to be approved without issues. These included Watch apps like Nano for Reddit, Chirp for Twitter, WatchChat for WhatsApp and Lens for Instagram.

After Apple approved FlickType in January 2020, the company claims it had already lost over a year of revenue to competitor keyboards that were not constantly being rejected. Nevertheless, FlickType reached the App Store’s Top 10 Paid app list and generated $130,000 in its first month. As a result of its success, it was quickly targeted by scammers who launched watered-down, barely usable competitors to the app, cutting into FlickType’s revenue. FlickType’s revenue dropped to just $20,000 per month. The competitors were also using fake ratings to get their app boosted and installed by unsuspecting users.

Eleftheriou’s story was not unique, as it turned out. In recent months, he has been documenting the App Store’s multimillion-dollar scams, including those he was facing as well as others brought to his attention by developers with similar struggles. Apple, in some cases, would take action against the scammers he highlighted on social media. In other cases, it would not. And it would sometimes only take down one of the developer’s scam apps, but allow others under the same developer account to continue to operate.

The new lawsuit aims to hold Apple accountable for the issues Eleftheriou faced by asking Apple to restore his lost revenue and pay out any other damages awarded by the court.

Apple has not responded to a request for comment at this time.

A copy of the lawsuit is below. It is not yet appearing in public record searches for verification purposes. We’ll follow up to confirm when the case appears online and update accordingly.

Kpaw, LLC v. Apple, Inc by TechCrunch on Scribd





from Apple – TechCrunch https://ift.tt/38S6sDz