This Hack Lets You Run Any Android App on Your Chromebook

Using a small JavaScript script, the hack, which is detailed in full on GitHub, allows any regular Android APK to be packaged up and, for want of a better term, side-loaded onto a Chromebook. It can then be run under the Android App Runtime in the same way as the ‘official’ Vine, Dulingo and Evernote. 

Restrictions mean that only one Android app can be run at a time.

To watch a Youtube video demonstration and the full original story follow this link to OMG Chrome.

Try It Out

If the thought of waiting for Google to partner up with the maker of your favourite app, game or utility is too much to bear, you could don your hard hat and try it out for yourself.

But be warned: it’s not a guide for the fainthearted or the technically averse. The developer behind the hack,
Vladikoff, cautions that his tool is for ‘proof of concept’ and is provided without any kind of warrant or assurance. The hack is also not endorsed by Google, Chromium or Android.

To follow along you’ll need a Chromebook with the Android Runtime plugin installed, the Android Vine app (which will be replaced during the course of the guide) and an OS X or Linux desktop from which to ‘package’ your app.

Applications tested and said to be working include Twitter, both tablet and mobile modes, and Flipboard (which was demoed running on a Chromebook at Google I/O).

Other apps tested but that crash include Google Chrome for Android (!), Spotify, SoundCloud and Swing Copters.

You can find more details and a download for the script on the project’s GitHub page, linked below.

‘Run Android APKs on Chromebooks’ Guide

More Americans using smartphones for getting directions, streaming TV

Just as the internet has changed the way people communicate, work and learn, mobile technology has changed when, where and how consumers access information and entertainment. And smartphone use that goes beyond routine calls and text messages does not appear to be slowing, according to a Pew Research Center survey of U.S. adults conducted in July 2015.

The percentage of smartphone owners who say they have ever used their phone to watch movies or TV through a paid subscription service like Netflix or Hulu Plus has doubled in recent years – increasing from 15% in 2012 to 33% in 2015.

Among the smartphone activities measured, getting location-based information is the most universal task. Nine-in-ten smartphone owners use their phone to get directions, recommendations or other information related to their location, up from 74% in 2013.

The share of smartphone users who report using their device to listen to online radio or a music service, such as Pandora or Spotify, or participate in video calls or chats has also increased by double digits in recent years. (2015 was the first year in which we surveyed about using a mobile device to buy a product online or get sports scores and analysis.)

Younger adults are especially likely to reach for their phone for something other than calling and texting. Getting location-based information is the one activity measured that is common across all age groups, however.

Listening to music and shopping on the go are especially popular among smartphone owners ages 18 to 29: 87% have listened to an online radio or music service on their phone, compared with 41% of those 50 and over, and 73% have shopped online through their mobile device, versus 44% of older users.

Activities that are less prevalent but not uncommon among smartphone owners include video calling or chatting; getting sports scores or analysis; and watching movies or TV through a paid subscription service. Again, younger adults are especially likely to use their mobile device for all of these activities. For example, 52% of 18- to 29-year-old smartphone owners have ever used their phone to watch movies or TV shows through a paid subscription service, compared with 36% of 30- to 49-year-olds and only 13% of those 50 and older.

These differences speak to a broader pattern of younger Americans’ adoption of and engagement with technology. Younger adults are more likely than older adults to own a smartphone, to be constantly online and to rely on their smartphone for internet access.

To see more and the original story follow this link to Pew Research.

Android adware can install itself even when users explicitly reject it

A while back, Ars reported on newly discovered Android adware that is virtually impossible to uninstall. Now, researchers have uncovered malicious apps that can get installed even when a user has expressly tapped a button rejecting the app.

The hijacking happens after a user has installed a trojanized app that masquerades as an official app available in Google Play and then is made available in third-party markets. During the installation, apps from an adware family known as Shedun try to trick people into granting the app control over the Android Accessibility Service, which is designed to provide vision-impaired users alternative ways to interact with their mobile devices. Ironically enough, Shedun apps try to gain such control by displaying dialogs such as this one, which promises to help weed out intrusive advertisements.

From that point on, the app has the ability to display popup ads that install highly intrusive adware. Even in cases where a user rejects the invitation to install the adware or takes no action at all, the Shedun-spawned app uses its control over the accessibility service to install the adware anyway.

“Shedun does not exploit a vulnerability in the service,” researchers from mobile security provider Lookout wrote in a blog post published Thursday morning. “Instead it takes advantage of the service’s legitimate features. By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user.”

For a video demonstration and the original story follow this link to Ars Technica.

As previously reported, Shedun is one of several families of adware that can’t easily be uninstalled. That’s because the apps root the device and then embed themselves into the system partition to ensure they persist even after factory reset. Lookout refers to them as “trojanized adware” because the end goal of this malware is to install secondary applications and serve aggressive advertising.

The ability to use social engineering to hijack the Android Accessibility Service is yet another sign of the creativity and ingenuity put into this new breed of apps. As always, readers are reminded to carefully weigh the risks and benefits of using third-party app markets. They should also remain highly suspicious of any app that asks for control of the Android Accessibility Service.

Chinese Marketing Firm Spreads Adware to Promote Its App Portfolio

A Chinese company that markets itself as a mobile app promoter has been cheating its clients by deploying adware to install their apps on unsuspecting victims.

The company, named NGE Mobi/Xinyinhe, activating in China and Singapore, has been using popular apps, repackaged with the malicious adware code, which it distributes through unofficial Android app stores.

When users install these apps on their smartphones, the adware comes to life, collects information about the device, sends it to a C&C server, and then waits for new commands.

The adware can gain root access and boot persistence

When the server answers, the app moves to install a root backdoor and a series of system daemons that allow it to survive system reboots.

Here is where the fun begins, because once the adware is firmly implanted on the victim’s phone, it starts serving apps and ads, all from NGE Mobi/Xinyinhe’s portfolio.

As FireEye found out in their research, most of the times pornographic apps and ad interstitials are displayed on the user’s home screen, all harmless but very annoying.

Currently, the adware has been found on Android versions ranging from 2.3.4 to 5.1.1. with the most infected users in countries like Russia, China, Brazil, Argentina, Egypt, Spain, France, Germany, Sweden, Norway, Saudi Arabia, Indonesia, India, the UK, and the US.

The NGE adware campaign was first observed in August and has grown at a constant pace ever since.

The adware can be hijacked to deliver more dangerous malware

What’s even worse, as FireEye researchers point out, is that the adware’s creators were extremely careless when they put together the malicious code.

Because the C&C server communications are carried out via blind HTTP channels, a second attacker could easily intercept these transmissions.

Since the adware gains root privileges and boot persistence over all infected devices, another attacker could use this to serve much more dangerous apps compared to silly adult apps and ads.

The first example that comes to mind is when the second attacker adds infected phones to a botnet and uses them to carry out DDOS attacks. Worse scenarios are when attackers decide to go snooping through your private pictures or install ransomware on your phone.

For more information and more photos follow this link to Softpedia

New Android Malware Sprouting Like Weeds

Information stored on an Android smartphone or tablet is vulnerable to almost 4,900 new malware files each day, according to a report G Data SecurityLabs released Wednesday.

Cybercriminals’ interest in the Android operating system has grown, the firm’s Q1 2015 Mobile Malware Report revealed.

“The report suggests that Android devices are becoming a bigger target for the bad guys and more profitable than in previous years,” said Andy Hayter, security evangelist for G Data.

The number of new malware samples in the first quarter increased 6.4 percent (440,267) from the fourth quarter of last year (413,871). The number of malware strains rose by 21 percent compared with the first quarter of 2014 (316,153).

More than 2 million new Android malware strains are likely to surface this year, G Data security predicted.

Just the Start

The 2 million figure is very realistic, due to the increasing use of Android devices for banking and shopping online, G Data suggested.

“The report shows that the OS has a bigger market share than the others, and thus is more interesting to security researchers and malware authors alike. Also, a lot of vendors offer Android devices varying in quality standards, but that is not a problem of the OS itself, but rather of the vendor in question,” Hayter told LinuxInsider.

Google introduced premium SMS Checks last year. After that, the malware models started to spread out, he noted.

“Before that time there were a few very active malware families, such as SMS FakeInstaller,” Hayter said. “Since then there are lots of small families.”

Financially Motivated

At least 41 percent of consumers in Europe and 50 percent in the U.S. use a smartphone or tablet for their banking transactions. Plus, 78 percent of Internet users make purchases online.

The new malware files have a financial foundation, according to the G Data report. At least half of all Android malware now in circulation includes banking Trojans, SMS Trojans and similar malware components.

The actual percentage of malware-infected Android apps easily could be higher, the researchers warned. They only studied malware with a direct financial purpose — many other types of cases might exist.

For example, a malware program might install apps or steal credit card data as an additional process after a payment is made. Because that type of malware would not seem to be financially motivated, it would not have been included in the report’s statistics.

Thin Dividing Line

Free Android apps offer particularly attractive attack vectors to cybercriminals. Many apps, especially free apps, rely on advertising to fund their development.

Bad apps can hide themselves in the background or conceal functions from users. Bad apps also can send legitimate apps’ data to additional advertising networks.

Apps that do such things — like programs running on PC OSes — are called “Potentially Unwanted Programs,” or PUPs. The report categorizes such apps as adware, noting that they often hide in manipulated or fake apps that are installed from sources other than the Google Play Store.

Malware Magnet

Android is a derivative of Linux, an operating system generally considered less likely to be targeted by viruses and malware. However, Android is less rigorous and less secure than other mobile platforms, said Rob Enderle, principal analyst at the Enderle Group.

“There is much more sideloading, which means there is a far easier path to getting viruses on Android devices than any other mobile platform,” he told LinuxInsider.

Google historically has been less focused on security and customer satisfaction than firms that are more closely tied to user revenue, Enderle said. Another reason for Android’s vulnerability is that mobile platforms generally don’t run security software.

Historically, they have been somewhat protected because of their tight ties to curated stores, “but now that smartphones have PC-like performance, they are becoming a magnet for malware,” noted Enderle.

“Google’s lack of focus on this problem, reminiscent of Microsoft’s similar mistake in the late 1990s — which resulted in their having to rethink their OS and create Windows XP — has created a massive exposure for Android users,” he said.

To read more follow this link to Linux Insider.

For vast majority of seniors who own one, a smartphone equals ‘freedom’

When it comes to tech adoption, seniors generally lag behind their younger counterparts. But for Americans ages 65 and older who own a smartphone, having one in their pocket is a liberating experience.

Asked if they feel that their phone represents “freedom” or “a leash,” 82% of smartphone-owning seniors described their phone as freeing, compared with 64% of those ages 18 to 29. By contrast, 36% of adult smartphone owners under the age of 30 described their phone as a leash, double the 18% of adults ages 65 and older who chose this term to describe their phone.

Similarly, when asked to describe their smartphone as “connecting” or “distracting,” older users are significantly more likely to choose “connecting” as the best descriptor. On the other hand, younger smartphone users are twice as likely as older adults to view their phone as “distracting” (37% vs. 18%).

Our survey did not directly ask why users chose the terms that they did, but differences in usage patterns may play a role. Younger adults tend to use their phones for a far wider range of purposes (especially social networking and multimedia content) and are much more likely to turn to their phone as a way to relieve boredom and to avoid others around them.

Older adults, by contrast, tend to use their phones for a narrower range of purposes – especially basic communication functions such as voice calling, texting and email. For young adults, smartphones are often the device through which they filter both the successes and annoyances of daily life – which could help explain why these users are more likely to report feeling emotions about their phone ranging from happy and grateful to frustrated or angry during a weeklong survey.

It is true, overall, that older Americans are less likely to be online, have broadband at home or own a mobile device. The same applies to smartphones: Only a quarter (27%) of adults ages 65 and older own them, compared with 85% of 18- to 29-year-olds, according to a Pew Research Center report released earlier this month.

A previous Pew Research study found that lower adoption rates of new technologies are often related to barriers seniors face when adopting them. These include medical conditions that make it difficult for older Americans to use certain technologies or devices. Skepticism about the benefits of technology and lack of digital literacy are other deterrents cited by older adults.

But that’s not to say older Americans aren’t broadening their digital experiences. In 2014, for the first time, more than half of online seniors indicated that they use Facebook: 56% of online adults ages 65 and older do so, up from 45% a year earlier. Internet use and broadband adoption continue to climb among older adults, and although there remains a wide age gap in smartphone ownership, the proportion of older adults who own a smartphone has increased by 8 percentage points since early 2014. Plus, older Americans who are internet adopters tend to have highly positive attitudes about the impact of online access on their lives, including the access that smartphones give them.

For more information and the original story follow this link to Pew Research Center.

Android Browser flaw a “privacy disaster” for half of Android users

Bug enables malicious sites to grab cookies, passwords from other sites.

A bug quietly reported on September 1 appears to have grave implications for Android users. Android Browser, the open source, WebKit-based browser that used to be part of the Android Open Source Platform (AOSP), has a flaw that enables malicious sites to inject JavaScript into other sites. Those malicious JavaScripts can in turn read cookies and password fields, submit forms, grab keyboard input, or do practically anything else.

Browsers are generally designed to prevent a script from one site from being able to access content from another site. They do this by enforcing what is called the Same Origin Policy (SOP): scripts can only read or modify resources (such as the elements of a webpage) that come from the same origin as the script, where the origin is determined by the combination of scheme (which is to say, protocol, typically HTTP or HTTPS), domain, and port number.

The SOP should then prevent a script loaded from http://malware.bad/ from being able to access content at https://paypal.com/.

The Android Browser bug breaks the browser’s handling of the SOP. As Rafay Baloch, the researcher who discovered the problem found, JavaScript constructed in a particular way could ignore the SOP and freely meddle with other sites’ content without restriction.

This means that potentially any site visited in the browser could be stealing sensitive data. It’s a bug that needs fixing, and fast.

As part of its attempts to gain more control over Android, Google has discontinued the AOSP Browser. Android Browser used to be the default browser on Google, but this changed in Android 4.2, when Google switched to Chrome. The core parts of Android Browser were still used to power embedded Web view controls within applications, but even this changed in Android 4.4, when it switched to a Chromium-based browser engine.

But just as Microsoft’s end-of-life for Windows XP didn’t make that operating system magically disappear from the Web, Google’s discontinuation of the open source Browser app hasn’t made it disappear from the Web either. As our monthly look at Web browser usage shows, Android Browser has a little more real-world usage than Chrome for Android, with something like 40-50 percent of Android users using the flawed browser.

The Android Browser is likely to be embedded in third-party products, too, and some Android users have even installed it on their Android 4.4 phones because for one reason or another they prefer it to Chrome.

Google’s own numbers paint an even worse picture. According to the online advertising giant, only 24.5 percent of Android users are using version 4.4. The majority of Android users are using versions that include the broken component, and many of these users are using 4.1.x or below, so they’re not even using versions of Android that use Chrome as the default browser.

Baloch initially reported the bug to Google, but the company told him that it couldn’t reproduce the problem and closed his report. Since he wrote his blog post, a Metasploit module has been developed to enable the popular security testing framework to detect the problem, and Metasploit developers have branded the problem a “privacy disaster.” Baloch says that Google has subsequently changed its response, agreeing that it can reproduce the problem and saying that it is working on a suitable fix.

Just how this fix will be made useful is unclear. While Chrome is updated through the Play Store, the AOSP Browser is generally updated only through operating system updates. Timely availability of Android updates remains a sticking point for the operating system, so even if Google develops a fix, it may well be unavailable to those who actually need it.

Users of Android 4.0 and up can avoid much of the exposure by switching to Chrome, Firefox, or Opera, none of which should use the broken code. Other third-party browsers for Android may embed the broken AOSP code, and unfortunately for end users, there’s no good way to know if this is the case or not.

Update: Google has offered the following statement:

We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP.

Source: Ars Technica

Android malware tool iBanking commands $5000 price for attackers

Evolving malicious tool adopts service model, grows increasingly complex

The market for malware tools is expanding, including the purchase of pre-made tools for a hefty fee from underground developers. One such tool aimed at Android, iBanking, promises to conduct a number of malicious actions including intercepting text messages, stealing phone information, pulling geolocation data and constructing botnets with infected devices. All it would cost to obtain the program is $5000, even after its source code leaked earlier in the year.

The iBanking malware has evolved from simply being able to steal SMS information, but has grown to be a much larger Trojan tool for would be data thieves. Applications injected with the iBanking code have hit the marketplace costumed as legitimate banking and social media apps as a way for users to be convinced to use them.

The apps often appear to users who have already been infected on desktop machines, prompting them to fill in personal information which then leads to an SMS message with a download link. Once the app is downloaded and installed, it begins feeding information to the attacker.

According to Symantec the tool is “one of the most expensive pieces of malware” the company has seen, especially for one with that sets up a service business. Other malware applications have paved the way for things like customer support and HTML control panels, but not at such a high price.

Part of the larger problem with iBanking is that it resists most attempts to reverse engineer the software, giving it a better strength against those trying to craft similar tools says an article from Ars Technica. iBanking uses encryption and code obfuscation to hide the commands and actions it carries out. This prevents researchers from breaking down the process of the malware, as well as keeping others from using the code to clone more software.

Source: Electronista

BlackBerry’s ultra-secure chat gives each message its own security key

Chat systems like BBM (BlackBerry Messenger) are typically very secure, since they’re encrypted end-to-end. However, they still have a glaring flaw: if intruders do crack the code, they can see everything you’ve said. That’s where BlackBerry’s soon-to-launch BBM Protected comes in. As the company showed at its BlackBerry Experience Washington event (CrackBerry’s video is below), the new service makes it extremely difficult to spy on an entire conversation. Each message has its own random encryption key; even a very clever data thief would only get one tidbit at a time, so it could take ages to piece together a full chat.

BBM Protected will only be available for corporate-controlled BlackBerry devices when it launches as part of an enterprise suite in June, although that will include anything running the now-ancient BlackBerry OS 6 or higher. The chat client won’t be available for personal phones running BlackBerry Balance until early fall, while Android and iOS users will have to wait until late fall or early winter. All the same, it might be worth holding out if you’re really, truly worried that someone is watching your private discussions.

Source: Engadget

BlackBerry Tumblr app Trapeez available in Beta Zone

The native Tumblr app Trapeez developed by Kisai Labs has a beta version, version 1.5.0.0 available in BlackBerry Beta Zone.