This Week in Tech 628: Trash Analytics

Next week: All the Android you can handle! Google to launch Android O. Essential Phone arrives. Samsung Galaxy Note 8 announcement. Squeeze the Pixel 2. Is “google” the next “escalator”? Jeff Immelt may be Uber’s next CEO. Intel makes Coffee Lake a reality, and hints at the 10nm chip beyond: Ice Lake. The Daily Stormer gets kicked off GoDaddy, Google, Cloudflare, Russia, and more. Katie Roof was not alive for the last total US solar eclipse. Mike Elgan knows the best baker in Barcelona. Matt Cutts is trying to not wear a tie for 30 days.

This Week in Tech 607: Ozark Puddin’

US Senate votes to end ISP privacy regulations. The “Turkish Crime Family” demand $100,000 in iTunes gift cards for iCloud hack. Android O needs a name. Supreme Court hears printer ink patent case. Tesla Model 3 is on the way. Samsung Galaxy S8’s big announcement is coming this week. US and UK ban electronics bigger than a phone on flights from Middle Eastern countries by Middle Eastern carriers. Google screws up messaging – again.

–Georgia Dow has two VR rooms in her house.
–Rob Reid knows what music aliens like best.
–Nathan Olivarez-Giles wants a car with a naturally aspirated engine.

This Android Trojan blocks victims from alerting banks

By Michael Kan | PCWorld

A new Trojan that can steal your payment data will also try to stymie you from alerting your bank.

Security vendor Symantec has noticed a “call-barring” function within newer versions of the Android.Fakebank.B malware family. By including this function, a hacker can delay the user from canceling any payment cards that have been compromised, the company said in a blog post.

Fakebank was originally detected in 2013. It pretends to be an Android app, when in reality, it will try to steal the user’s money.

The malware works by first scanning the phone for specific banking apps. When it finds them, the Trojan will prompt the user to delete them and install malicious versions of those same apps.

The newer variants of Fakebank.B, however, will do more than just collect financial login data. They will also monitor whatever phone calls are made.

If the customer service numbers of certain banks are dialed, the Trojan will cancel the call, Symantec said. Instead, users will have to use email or another phone to reach their banks.

So far, this new Trojan has only been detected in Russia and South Korea. Symantec is advising users to refrain from downloading apps from less trustworthy sources, like third-party app stores.

The call-barring function shows how banking Trojans are continuing to evolve. Earlier this year, Symantec detected another kind called Android.Bankosy that can bypass voice-based two-factor authentication systems.

To do this, the Trojan will secretly activate call forwarding on the victim’s phone. All calls will then be redirected to the hacker’s own number.

Spotty Android encryption is the story behind the story of Apple’s battle with the FBI

By | PCWorld

Savvy Android users know that Apple’s face-to-face with the FBI is only the beginning of the phone-encryption furor. Google CEO Sundar Pichai voiced his support for Apple and for strong and safe encryption, but he didn’t give specifics on how Google would deal with this situation if it were in Apple’s shoes.

That’s because if Syed Rizwan Farook, the San Bernardino shooter, had been using an older Android smartphone, we probably wouldn’t be having this discussion.

Encryption has so far lost out to openness in the Android ecosystem. It’s actually been supported since version 4.0 (KitKat), and the latest iterations of Google’s own Nexus devices have encryption on by default, but the rest of Android has been slower on the uptake, especially internationally.

“Android is different because the entire ecosystem is fragmented,” explained Mike Murray, VP of security research at Lookout. “The version of Android that Samsung installs on their phone is different than the version that Google installs on their phone and it’s way different than the third party aftermarket vendor who’s building low-end phones in India or China.”

It’s those smaller manufacturers making budget devices that have especially stymied Google. They fear that onboarding mandatory encryption will hamper their phones’ performance—for example, lower-end processors can struggle with the encrypt-and-decrypt process. But as standards for processors improve, there’s little reason why encryption could not become the norm when you get a new smartphone.

So many Android phones, so little encryption

Google tried again, making encryption mandatory across the board late last year with Android 6.0 Marshmallow. But there’s another flaw in this plan: Only 4.6% of the Android landscape is running Marshmallow (as of this writing), and the compulsory encryption rule applies only to new phones running 6.0, not older phones that have been upgraded (it’s optional in that case). Once again, Android is a patchwork.

On-by-default makes a huge difference in how a person uses a device or an app. Typically, people don’t change the settings much unless they have something specific in mind. By having encryption off by default, a large number of users likely remain unencrypted and oblivious of their vulnerability.

“Every company manufacturing devices that store sensitive data should be using full disk encryption by default,” said Evan Greer, campaign director of Fight for the Future, which staged rallies in support of Apple. She added that corporations need to shoulder more of the responsibility in encrypting devices. “We need to build a movement to hold companies accountable and demand that they do everything technologically possible to protect our private information from hackers, and from illegal government surveillance.”

Google’s commitment to privacy is regularly challenged, whether it’s in the company’s expansive use of user data, or more specifically in a Manhattan DA report that claimed Google could remotely access most Android phones.

Android security boss Adrian Ludwig fired back, saying Google cannot access any device protected with a PIN, password, or fingerprint. “Google also does not have any mechanism to facilitate access to devices that have been encrypted,” he said.

Shut the back door

But could Ludwig’s claim be put to the test sooner rather than later? We know the San Bernardino case was never about just one iPhone or Apple. As Fight for the Future’s Greer reminds us, it’s about the FBI’s desire to set a “dangerous precedent” that would be felt for years to come. Enabling end-to-end encryption for all users is just one way of ensuring this doesn’t happen.

“Assuming Android improves their security and become harder to hack, it’s not a question of if the US or other governments will try to force them to weaken that security,” said Greer. “It’s a question of when.”