Sick of buying a new Android phone every few years? Help is on the way

The European Commission (EC) has drafted new legislation that would require Android smartphone manufacturers to offer long-term support for their devices.

Motivated by a desire to cut back on e-waste and shield consumers against predatory behavior, the proposal seeks to establish a minimum support term that will apply to all Android devices sold in the EU.

Under the new rules, vendors would have to provide customers with three years’ worth of major feature updates and five years of security patches, practically doubling the lifespan of some cheaper smartphones.

Android software support

As things stand, while some vendors offer a generous support term (the Google Pixel 6 already meets the new requirements, for example), many promise to supply updates for only a handful of years, or fail to specify.

This state of affairs creates a quandary for device owners, who can either opt for a costly upgrade, despite the fact their hardware remains fully functional, or miss out on new functionality and important security protections.

The new EU rules, in addition to limiting the environmental damage brought about by the current upgrade cycle, will allow consumers to use their mobile devices for at least half a decade before having to make another purchase.

Separately, the proposal includes measures to guard against planned obsolescence, a practice whereby a device is built deliberately to degrade over time, thereby pushing the owner to upgrade.

For example, the draft legislation asks manufacturers to meet new battery life baselines, or failing that, to bring back old-school mechanisms for swapping in replacement cells. Similarly, vendors would need to supply parts and repair services for at least five years after a device is released.

Before the legislation can be written into law, it will undergo a consultation period that runs until the end of the month. The proposal will be implemented in Q4 2022 at the earliest, with enforcement set to begin one year from the date of its introduction.

Via 9to5Google

Posted in Uncategorised

Google trials new payment methods for Play Store, but not everyone will be pleased

Google has kicked off a pilot program that will broaden the range of payment methods supported by Play Store, the official Android application marketplace.

As explained in the support documentation, the trial will allow Android developers in the European Economic Area (EEA), Australia, Indonesia, India and Japan to implement billing systems that are not owned and operated by Google.

The pilot will cover in-app purchases and subscription sign-ups, as well as browser pop-up payments, but for an undisclosed reason will not extend to mobile games applications at this time.

Google Play Store commission

The new Play Store trial can be seen as a product of recent pressure applied to the likes of Google and Apple, which enjoy a stranglehold over the mobile applications ecosystem, by stakeholders and regulators calling for reform.

Infamously, Apple is currently embroiled in a legal battle with Epic Games, the maker of popular video game Fortnite. The company attempted to bypass the 30% commission in the summer of 2020 by launching its own in-app payment mechanism, which saw Fortnite promptly removed from the App Store. Although the judge ruled largely in favor of Apple in the first part of the case, Epic has appealed the ruling and the dispute rages on.

Legislation passed in the US state of Arizona last year, meanwhile, sought to stop Google and Apple forcing developers to use a single payment system exclusively, and penalizing those that opt for an alternative system.

Although the rules protected Arizona-based developers and residents only, they set a precedent that could give impetus to similar measures in other states and countries.

The Play Store alternative payments trial could be interpreted as an attempt to get out ahead of any new legislation that might prove even more stringent than the voluntary concessions made under the pilot scheme.

While the trial will minimize the extent to which Google can leverage market position to its economic advantage, it may not wholly satisfy developers who believe the company demands too great a cut of app-related purchases.

Although Google reduced its commission from 30% to 15% last year, under the pilot, the firm will continue to take a 4% service fee for all purchases made via alternative methods. For its part, Google argues its fees have never represented simply the cost of processing transactions, but reflect the broader value provided by the Android platform. 

A similar line of argument was pursued by Apple last year, as the company campaigned against new regulation in Arizona.

“The commission has been described by some special interests as a ‘payment processing fee’, as if Apple is just swiping a credit card. That’s terribly misleading,” said Kyle Andeer, Chief Compliance Officer at Apple.

“Apple provides developers an enormous amount of value - both the store to distribute their apps around the world and the studio to create them. This is what the commission reflects.”

Samsung’s grand vision for the Galaxy Z Fold 4 and Galaxy Z Flip 4

Earlier this month, Samsung unveiled the latest devices in its range of foldable smartphones: the Galaxy Z Fold 4 and Galaxy Z Flip 4. The new handsets refine the formula, with iterative improvements that add a further layer of polish, but who are they really for?

Samsung’s glossy launch event might have implied these are mainstream consumer devices, but with starting prices of $1,899/£1,699 and $999/£999 respectively, they are not. In reality, the Z Fold 4 and Z Flip 4 are likely to be found in the pockets of two types of user: enthusiasts and professionals.

In an email exchange with TechRadar Pro, Samsung explained the new devices were designed with business use cases front-of-mind, in particular the Fold. Amid the widespread shift to hybrid working, the aim was to give professionals the ultimate device for multitasking on the move.

“In our fourth generation foldables offering, we are providing users with a smart, powerful, long-lasting mobile device that flexes with their future working needs. From security to always-on service support, key partnership integration and unparalleled connectivity, this device is made for today’s hybrid workers,” said Joe Walsh, Director of B2B, Samsung UK and Ireland.

“Our new Galaxy Z Fold 4 provides a new mobile experience centred on our customers and engineered for a new era. This powerful device is perfect for secure working on the go, providing users with a comprehensive array of new business-focused features and services, while backed up by defence-grade security.”

The Samsung Galaxy Z Fold 4, in multitasking mode. (Image credit: Samsung)

Samsung Galaxy Z Fold 4 and Galaxy Z Flip 4

When TechRadar Pro last chatted with Walsh, after the launch of the previous generation of devices, he spoke with conviction about the trajectory of the foldables market, despite questions over the long-term staying power of the form factor.

“The foldable form factor represents another step forward in smartphone innovation, but one that we are confident is now reaching the mainstream,” he said, at the time.

One year on, Walsh remains bullish about Samsung’s Fold and Flip series devices, buoyed by sales figures that suggest the momentum behind foldables is only building.

“Whether at home, in the office, or on the move, the modern workplace is changing. Professionals are seeking more flexibility and freedom to get their work done in a way that suits them,” he told us.

“We’re already seeing growing momentum towards foldables across our customer base. Last year, industry analysts reported that 10 million foldable smartphones shipped worldwide. That’s an industry increase of more than 300% from 2020.”

Samsung Galaxy Z Flip 4 (Image credit: Samsung)

Walsh attributes the growing popularity of Samsung’s foldables to attributes that align closely with modern ways of conducting business, from powerful processors to generous screen real estate and high levels of portability.

He also gestured to tight integration with first- and third-party business software, like collaboration platform Microsoft Teams and Samsung DeX, which makes it easy for users to connect their phones to their business monitors.

Asked how Samsung will set about driving further adoption in business circles, Walsh explained the strategy is to lean into the strength of its product ecosystem, which includes devices like the Galaxy Book2 Business and a range of rugged smartphones.

“We know that many of our foldable fans are Samsung loyalists, with nearly half already owning at least one ecosystem device. That’s why we’ve created an ecosystem that syncs perfectly across devices no matter what life throws at them,” he said.

Although foldable devices will remain a niche component of the greater smartphone ecosystem for some time yet, Samsung has positioned itself at the forefront of a movement that could prove to be transformative. 

As the technology matures, costs are bound to fall, bringing foldables to a much wider audience. But for now, Samsung has the business market in its crosshairs.

MediaTek is coming for Qualcomm’s smartphone crown

MediaTek has announced two new premium chipsets designed for flagship 5G mobile devices: the Dimensity 8000 and Dimensity 8100.

Launched at MWC 2022, the new SoCs add a new tier to the company’s existing portfolio, filling a performance gap between the recently launched Dimensity 9000 and the less performant Dimensity 1300.

The Dimensity 8000 series chips bundle four Arm Cortex-A78 cores, an Arm Mali-G610 MC6 GPU and MediaTek’s latest AI processing unit, a combination the company says delivers “the most power-efficient performance in its class”.

Smartphones powered by the latest MediaTek chips are expected to launch later this quarter, at the $500-$700 price point.

MediaTek Dimensity 8000 (Image credit: MediaTek)

MediaTek tackles the flagship market

Historically, MediaTek has played in the somewhat less sexy portions of the market, featuring inside budget and mid-range phones aimed at users for whom performance isn’t necessarily the priority.

The launch of the Dimensity 9000 in December last year signalled a shift in strategy, which will see MediaTek attempt for the first time to muscle its way into flagship mobile devices, a field traditionally dominated by Qualcomm.

At MWC, TechRadar Pro spoke to Pascal Lemasson and Rob Moffat, executives in charge of sales at MediaTek, who provided additional context around the company’s new approach and the significance of its new Dimensity chips.

“The strategy is to offer our customers chipsets from bottom to top. Before the Dimensity 9000, we had a gap at the top end,” said Moffat. “In the last three years, our R&D investment has been massive and 5G is a huge opportunity for us, so we’ve taken a decision to target the high-end market.”

“Ultimately, we need to be focused on technology leadership, which takes you automatically into top-tier products.”

Although all Android smartphone vendors use MediaTek chips in at least some of their devices and the company now holds the greatest market share (at roughly 40%), Qualcomm is still largely seen as the darling of the mobile processor space. Asked whether the company is seeking deliberately to break this narrative with its new Dimensity chips, the pair explained that there is still more to be done when it comes to changing the mindset of both customers and end-users.

“Qualcomm has dominated with Snapdragon for a long time, when it comes to share of the [flagship] market and the perception among technologists. But for us, it’s about looking after what we’re doing and making sure we have the best solution in place in order to compete,” TechRadar Pro was told.

“We need some time to change people’s conclusions about who the chipset leader is, in terms of bleeding-edge technology, performance and value to the end-user. But benchmarking shows that MediaTek is now in the lead,” added Lemasson.

Unlike Qualcomm’s, MediaTek’s mobile chipsets do not support 5G mmWave, which offers higher speeds over short distances than sub-6GHz 5G. Lemasson and Moffat say the technology is already in place, and will feature in MediaTek SoCs launched later this year.

In other departments, however, the company is convinced its flagship SoCs are ready to compete with Qualcomm, toe-to-toe.

Disclaimer: Our flights and accommodation for MWC 2022 were funded by Huawei, but the organization had no editorial control over the content of this article.

The transformation of BlackBerry from mobile heavyweight into something else entirely

Many people know BlackBerry as the company behind the iconic range of mobile devices, which were as beloved among regular consumers as they were the professionals they were built for.

However, BlackBerry hasn’t been a hardware company for more than half a decade now. Although the firm has licensed its branding to other manufacturers, it hasn’t launched a smartphone of its own since 2016.

The company also recently killed off BlackBerry OS, rendering a host of older devices unusable, and sold off a range of legacy patents relating to its phones and other technologies.

Instead, the modern BlackBerry is all about software and cybersecurity. The firm’s primary source of revenue is a line of services that help secure mobile devices and various other endpoints, and software that enables rich functionality inside connected vehicles.

According to Sarah Tatsis, an executive who has spent more than twenty years at BlackBerry, the pivot away from hardware was more natural than it might appear.

“There were quite a few challenges, because it was a big transition, but there was also a lot of opportunity,” she told TechRadar Pro.

“From the beginning, there has always been a focus on cybersecurity at BlackBerry. We’ve always thought a lot about how to move data through our infrastructure in a secure way. And that know-how is applicable across many different spaces.”

The fall from grace

At the peak of its powers around 2010, BlackBerry held more than 40% of the mobile device market in the United States and roughly 20% of the global market, Comscore and Statista data show.

This level of ubiquity was thanks in part to the quality and design of the devices – the Pearl, Curve and Bold series were all hits – but also to exclusive services like BlackBerry Messenger (BBM), access to which became something of a status symbol.

BlackBerry should also be recognized for its role in driving forward the remote working revolution. The company’s devices were among the first to allow users to browse and respond to emails on the move, which had the effect of unshackling professionals from their office computers.

The BlackBerry Bold 9000, launched in 2008. (Image credit: Shutterstock / Andrey Blumenfeld)

The arrival of the iPhone in 2007 is often said to have marked the end for BlackBerry devices, but the company was actually able to hold its own for a number of years after iOS and Android rose to prominence. In other words, people were still content with their BlackBerry hardware.

According to Tatsis, the company’s fall from grace had more to do with software. The most significant mistake, she says, was BlackBerry’s failure to establish a marketplace for third-party applications, like the Apple App Store or Google Play Store.

“The key problem was the lack of applications available on our devices versus others at the time. We didn’t have the platform that a large application ecosystem provided,” she explained.

In 2015, BlackBerry eventually moved its phones over to Android in an effort to rectify the dearth of apps, but by that time its competitors had muscled their way into favor.

But there were other mistakes, too. For example, the company stuck doggedly to the physical keyboards for which it was best known, underestimating the flexibility of the touchscreen and value of the additional screen real estate.

BlackBerry was also insistent on maintaining its focus on the business market, despite the broad appeal of its devices. Although BlackBerry phones remained popular among businesses and government agencies, pressure from workers to support iOS and Android devices ultimately forced the hand of IT departments.

Squeezed out of its main market by new players who had more accurately identified the areas of opportunity, BlackBerry was left with no choice but to pivot.

The rebirth

The switch from hardware to security was the brainchild of John Chen, who took on the role of CEO at BlackBerry in 2013.

When it was first announced that the company would exit the hardware business, Chen unveiled a three-pronged strategy: BlackBerry would license its branding, embed its technology into non-BlackBerry smartphones and extend its software to help secure the growing number of IoT endpoints.

As it transpired, the third of these objectives became the foundation for the new-look BlackBerry. Following the 2019 acquisition of security company Cylance, renowned for the quality of its AI-based solutions, BlackBerry threw its weight behind its cybersecurity business with even greater conviction.

Today, the company offers a dizzying selection of endpoint protection and mobile device management services that utilize AI techniques to help companies protect against sophisticated cyberattacks.

BlackBerry pivoted towards security under the leadership of CEO John Chen. (Image credit: Shutterstock / song_about_summer)

It also runs a threat intelligence operation that analyzes developments in the threat landscape, from the latest malware strains to state-sponsored espionage activity. BlackBerry says the objective is to maintain an up-to-date picture of the kinds of threats its software needs to shield against, and to collaborate with the security ecosystem in support of shared goals.

Although Tatsis has held many roles in her two decades at BlackBerry, her latest position seats her in the IoT segment of the business, as SVP IVY Platform Development. Separate to the security services arm, her focus is on “building the foundational software that enables endpoints in a secure and scalable way,” she explained.

The IoT segment’s most well-known offering is BlackBerry QNX, which is now embedded in almost 200 million connected vehicles, from the likes of BMW, Volkswagen, Mercedes and Ford. The platform powers functionality ranging from safety and driver assistance systems to infotainment, in-car acoustics and more.

The IVY platform operates in a similar space, “focusing on enabling automotive OEMs to bring to market new experiences for customers”, says Tatsis.

Co-developed with AWS and currently in early access, IVY connects up to various sensors within a vehicle (e.g. seat sensors, optical sensors, battery management systems etc.), then plugs the data it collects into machine learning algorithms that generate insights that help inform the driving experience.

Smart car (Image credit: Shutterstock / Syda Productions)

For example, IVY is capable of using a combination of data feeds to identify precisely who is in the car, knowledge that unlocks a wide range of possibilities.

“If I have the insight that Sarah is driving the car, I can send that insight to an application that can provide a personalized driving experience,” Tatsis explained. “That could involve playing Sarah’s favorite music, adapting the predicted range based on her driving style and more.”

In another hypothetical scenario, IVY could detect that children are present in the car and nudge the driver to activate child-lock systems. Understanding that the car has multiple occupants, IVY could also send up a flag that permits the vehicle to use high-occupancy vehicle (HOV) lanes.

It’s easy to look back on BlackBerry’s legacy in mobile and wonder how the company ended up here, but there remains a thread that connects these latest pursuits to its origins: a focus on security.

By performing computation on the edge and transporting only abstract insights to the cloud, IVY is able to minimize the exposure of personal data and lay the foundation for next-generation experiences with security baked in.

Who needs hardware, anyway?

Few companies have undergone a change of identity as complete as BlackBerry’s. And even fewer have managed to do so successfully.

Although BlackBerry was forced out of the hardware business by a failure to follow the opportunity, Tatsis believes the company is now ideally positioned to capitalize on the direction of travel.

With the number of IoT devices and connected vehicles expected to continue to expand at an aggressive pace, both cybersecurity and advanced new functionality will feature at the top of the agenda, she suggests.

“As the number of endpoints and sensors grows significantly, so does the risk from a cybersecurity and privacy perspective,” Tatsis told us. “To enable the innovations and great new experiences we expect to come from these endpoints, it’s vital that they are able to operate in a secure manner.”

“We’re really excited about where we’re going as a business. It’s all about helping to innovate and create solutions that help people and businesses remain secure and productive. These two key areas of IoT and cybersecurity are really what will be needed in the future for many of these endpoints.”

Google will stop tracking you across Android, but not any time soon

Google has launched a multi-year scheme geared towards improving the level of privacy afforded to users of its Android operating system.

During a briefing call hosted by Anthony Chavez, who heads up the Android Security and Privacy division, TechRadar Pro was told about the company’s plans to extend its Privacy Sandbox project to Android devices.

The broad objective is to phase out the advertising ID, a tracking system analogous to third-party cookies, and move towards alternatives that limit the sharing of user data with third parties and do not rely on cross-app tracking to support advertising efforts.

Google will test out its initial proposals over the coming months, with a full public beta expected to arrive before the end of 2022. The company will continue to support the traditional system for at least another two years while it works out the kinks.

Privacy Sandbox on Android

Google first launched the Privacy Sandbox initiative in 2019, in recognition of the fact that the system underpinning its lucrative advertising business (powered by third-party cookies that track people across the web) creates opportunities for invasions of privacy.

A number of browser makers have moved to block third-party cookies outright, but Google contends that this is an irresponsible approach to remedying the problem, because it jeopardizes the business models that make possible the free services and content available online.

Instead, under the Privacy Sandbox scheme, Google is attempting to develop new technologies that improve the level of user privacy without compromising the ability for advertisers to create targeted campaigns and publishers to monetize their work.

“On the web, third-party cookies have been a valuable tool for publishers, developers and advertisers. On Android, the advertising ID plays a similar role. These systems were built a long time ago and have been successful at supporting the mobile and web ecosystems,” explained Chavez.

Android 12 beta update (Image credit: Shutterstock / quietbits)

“But like with many other technologies that age over time, it’s critical that we evolve and develop new approaches that address the challenges of the current ones.”

However, Chavez was careful to note that creating a privacy-first system that does not kneecap advertising efforts is “incredibly complex” and may take a number of years. He also claimed that a cold turkey approach to technologies such as cookies and advertising ID incentivizes even more opaque tracking methods, such as device and browser fingerprinting.

With its initial proposal for Privacy Sandbox for Android, therefore, Google is aiming to establish a happy medium.

Under the scheme, Android will benefit from existing Privacy Sandbox APIs such as FLEDGE and Topics, which aim to localize ad auctions and collect users into broad interest groups, respectively. The idea is to minimize the amount of personal data swirling around on ad servers and limit the granularity of user profiles.

Unique to Android, meanwhile, is a technology Google is calling the SDK Runtime, which is billed as a safer way for apps to integrate with third-party advertising SDKs that supposedly reduces the potential for covert data collection.

Work in progress

As ever, Google’s arguments are well-formulated and highly compelling. However, if previous Privacy Sandbox proposals offer any indication, privacy activists will likely take issue with at least a few elements of the Android plans once they’ve had a chance to digest.

For example, Google was criticized recently by the company behind privacy-centric web browser Brave over its Topics API. The thrust of the argument was that Google is ill-qualified to determine what data should be classified as sensitive.

“Google says it will take care to share only ‘non-sensitive’ interests with sites. But there is no such thing as categorically non-sensitive data; there is no data that’s always safe and respectful to share,” wrote Peter Snyder, Senior Director of Privacy at Brave.

“Things that are safe to share about one person in one context will be closely guarded secrets to another. Meaningful privacy is inherently specific to both context and person. People should decide what they consider sensitive. Not Google.”

Snyder went on to claim that Topics can only be considered an improvement in comparison to the low, low standards set by Google itself. He argues that Topics represents a grievous violation of privacy by any other definition, because it is designed to “share information about you with advertisers and organizations without active permission.”

Unsurprisingly, Google disputes this characterization. But the company has also acknowledged that the complexity of the issue means early Privacy Sandbox proposals are likely to be imperfect, and so will welcome feedback from regulators and industry stakeholders.

“This is the beginning of our journey on Android. We want to share with you what we’re thinking, while being transparent that we may not have the answers to all of your questions,” said Chavez.

“But fundamentally, we believe there is a path that supports both user privacy and a healthy global ecosystem. To deliver on this objective, we need to build new technologies that provide user privacy by default, while supporting the key advertising capabilities that make it possible for developers and businesses to succeed on mobile.”


GSMA: MWC 2022 will be a ‘very physical show’

The organizer of Mobile World Congress (MWC), the world’s largest mobile technology event, has confirmed that MWC 2022 will be a “very physical show”.

A series of companies (including Lenovo, Asus and Sony) recently announced they would not have a physical presence at MWC 2022 due to concerns over the dangers posed by the Omicron variant. A spokesperson for Intel also told TechRadar Pro the company remains undecided as to whether it will attend in-person.

However, speaking to press ahead of MWC 2022, the GSMA moved to dismiss speculation that the physical show in Barcelona will be watered down in any respect.

MWC 2022 will be ‘physical-first’

The latest edition of MWC is set to kick off on February 28, bringing together many of the largest companies in the mobile industry, from device manufacturers to network operators and more.

According to John Hoffman and Mats Granryd, CEO and Director General at the GSMA, this year’s show will feature upwards of 1,500 exhibitors from more than 150 countries. There will also be more than 1,000 speakers at the event, 95% of whom will attend in-person.

The pair said they are expecting between 40,000 and 60,000 attendees to descend on the Fira Gran Via exhibition center (as compared with circa 110,000 in 2019, the last pre-pandemic edition), roughly half of whom will be “director-level” decision makers.

Although neither Hoffman nor Granryd referred explicitly to the brands that have dropped out of the show, it was clear the intention of the press conference was to reiterate the GSMA’s intention to make MWC 2022 the grand return to in-person events.

“As we’ve always said, health and safety is paramount to MWC. It was pre-pandemic and it is now during the pandemic. We will take the guidance of the health authorities here in Catalonia,” said Hoffman, who also explained that social distancing and mask wearing will be required at the event.

“[But] it’s a year we’ll move back to physical in very broad numbers, and the growth trajectory is exciting.”

Although the GSMA is treating MWC 2022 as a physical-first event, the organization will livestream all keynotes and many panel sessions online, in recognition that the world has not yet completely opened up.

“It’s a global in-person event, augmented with virtual programs delivered to your door,” Hoffman added.

It might be time to consider running Ubuntu on your smartphone

The UBports Foundation has rolled out an update for mobile operating system Ubuntu Touch that eliminates a long-standing pain point.

Ubuntu Touch OTA-21, the latest version of the Linux-based OS, delivers a fix for problems with the set-up and synchronization of Google accounts, first encountered by users more than two years ago. Now, however, users should be able to sync their Google calendar and contacts without any issues.

Other changes include a sleek new “Greeter” screen, which is displayed when the smartphone or tablet is about to be unlocked, and an upgrade that allows MMS content to be retrieved when in 2G network mode.

Ubuntu smartphone

Launched in 2013, Ubuntu Touch is billed as the “privacy and freedom-respecting mobile operating system”, an implicit jab at Apple and Google, whose system software dominates the market today.

The open source project was dropped by Canonical in 2017 due to lack of interest, but has been given a new lease of life by the UBports Foundation, with the support of a few thousand volunteer contributors.

While Ubuntu Touch does not offer the same breadth of features, applications or support as iOS and Android, the idea is that users can rest easy in the knowledge their operating system will not harvest their data.

It’s unclear how many people run Ubuntu Touch today, but given the increasing popularity of other types of privacy-preserving services (VPNs, proxies, encrypted email etc.), we would be unsurprised to see an alternative mobile OS gather momentum too.

The latest Ubuntu Touch update is due to land on supported devices (of which there are roughly 40) over the next few days and can be installed via System Settings.

Currently, the OS is still based on Ubuntu 16.04, but the UBports Foundation says work is ongoing to port it over to version 20.04 in future.

This Excel malware even forces you to fill out a dreaded CAPTCHA form

Microsoft has identified a new Excel malware campaign that uses a novel technique to bypass traditional antivirus software and other security solutions.

According to the firm, cybercriminal syndicate Chimborazo is distributing a rigged Excel document capable of infecting victims with the password-stealing GraceWire trojan. Before the Excel file is downloaded, however, the victim is asked to complete a CAPTCHA, the challenge that legitimate sites use to tell humans from bots.

By concealing the download behind a CAPTCHA wall, so that a human has to trigger it manually, the attackers deny automated analysis systems (URL scanners and sandboxes that fetch and detonate linked content) any chance of retrieving the payload. A scanner that never obtains the file has nothing to inspect, and is more likely to score the link as harmless.
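The evasion described above leaves an analysis pipeline with a specific blind spot: a page that could not be fetched through is not the same as a clean page. The following is an added example, not Microsoft's or the Dudear campaign's code, of a triage heuristic for URL-analysis tooling that flags a landing page combining a CAPTCHA widget with a document download rather than defaulting to "no payload, no problem". It uses only the standard library; the CAPTCHA marker list is an assumption to be extended locally, and the HTML pages it runs over are constructed for illustration.

```python
"""Added example (not Microsoft's or the Dudear campaign's code): a heuristic
for automated URL-analysis pipelines that flags landing pages gating a document
download behind a CAPTCHA, instead of scoring "no payload fetched" as clean.
Standard library only; the HTML samples below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings found in the markup of common CAPTCHA widgets (assumed list,
# extend as needed).
CAPTCHA_MARKERS = ("g-recaptcha", "recaptcha/api.js", "h-captcha",
                   "hcaptcha.com", "cf-turnstile")
# File extensions commonly used as malicious document lures.
DOC_TARGET = re.compile(r"\.(xls[xmb]?|xlam|doc[xm]?|dotm|zip|iso)$", re.IGNORECASE)


class _PageCollector(HTMLParser):
    """Collects attribute values, link-like targets and visible text."""

    def __init__(self):
        super().__init__()
        self.attr_values = []
        self.targets = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            self.attr_values.append(value)
            if name in ("href", "src", "action", "data"):
                self.targets.append(value)

    def handle_data(self, data):
        self.text.append(data)


def analyze_landing_page(html):
    """Return CAPTCHA presence, document download targets and a triage verdict."""
    collector = _PageCollector()
    collector.feed(html)
    blob = " ".join(collector.attr_values + collector.text).lower()
    has_captcha = any(marker in blob for marker in CAPTCHA_MARKERS)
    doc_targets = [t for t in collector.targets if DOC_TARGET.search(urlparse(t).path)]

    if has_captcha and doc_targets:
        verdict = "escalate: human-gated document download"
    elif has_captcha:
        # The crawler cannot solve the widget, so nothing was fetched. That is
        # not evidence the page is clean; hand it to interactive detonation.
        verdict = "hold: captcha present, payload not retrievable automatically"
    else:
        verdict = "no captcha gate"
    return {"captcha": has_captcha, "document_targets": doc_targets, "verdict": verdict}


# Constructed sample resembling the lure described in the article
# (not a real campaign page).
SAMPLE_LURE = """
<html><body>
<form method="post" action="/files/invoice_2020.xls">
  <div class="g-recaptcha" data-sitekey="EXAMPLE-SITE-KEY"></div>
  <script src="https://www.google.com/recaptcha/api.js"></script>
  <button type="submit">I'm not a robot - download</button>
</form>
</body></html>
"""

# Constructed benign page for comparison.
SAMPLE_BENIGN = '<html><body><a href="/docs/manual.pdf">Manual</a></body></html>'

if __name__ == "__main__":
    for name, page in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, analyze_landing_page(page))
```

The useful property is the middle branch: a CAPTCHA with no visible document link still returns "hold" rather than "clean", because the absence of a fetched payload is exactly what the technique produces.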

Microsoft Excel malware

Microsoft Security Intelligence has reportedly been tracking the work of Chimborazo at least since January, and has dubbed the ongoing Excel malware campaign Dudear.

“CHIMBORAZO, the group behind Dudear campaigns that deploy the info-stealing Trojan GraceWire, evolved their methods once again in constant pursuit of detection evasion,” the team tweeted. “The group is now using websites with CAPTCHA to avoid automated analysis.”

The group has also been seen to distribute the infected Excel file via phishing campaigns and embedded web links. In a number of recent scenarios, phishing emails link out to redirector sites or contain malicious HTML attachments. In all instances, Chimborazo leaned on the CAPTCHA technique to minimize the risk of detection.

While using CAPTCHA to evade security software is not unheard of, neither is it common - and the technique is fast becoming this particular hacking group’s modus operandi.

Chimborazo is expected to continue to adapt its method of malware delivery in the coming months in a bid to maximize infection rates and head off measures put in place by security teams. For this reason, users are advised to exercise caution when downloading unsolicited Excel files - or files of any other type - and to treat a CAPTCHA that gates a file download reached from an email link as a warning sign rather than a reassurance.

Via Ars Technica


Apple says it won’t back down on blocking this popular new app

Apple has reaffirmed its commitment to blocking future updates of new email service Hey for iOS - an app the company says it should never have approved in the first place due to violations of its terms and conditions.

Owned by software company Basecamp, Hey will not be allowed to provide users with updates and patches until Apple is satisfied the service complies with its policies surrounding in-app purchases. Apple will also refuse to publish the Hey application on its macOS App Store until such a time.

Currently, users cannot access the Hey iOS app until they have activated a subscription via the Basecamp website. Apple is demanding Basecamp allow Hey users to sign up for the service directly via the app, which would then see Apple qualify for its infamous 30% cut of the subscription fee.

In a letter delivered to Jason Fried, Basecamp CEO, Apple explained the Hey app is in breach of App Store Guidelines 3.1.1, 3.1.3(a) and 3.1.3(b). These clauses dictate that only in a select few scenarios may an app allow users to unlock features or functionalities via a route other than in-app purchases, none of which apply to Hey.

To remedy the violations, Apple has asked the company to revise the app to allow subscriptions to be purchased in-app, or to alter its functionality to allow users to register alternative email accounts with the service. The current subscription model sees users charged for a year’s access to the platform and an @hey.com email address, and does not support alternative providers (such as Gmail).

Having spent two years in development, Hey launched an invite-only preview on the App Store this week. The app is set to go live for public use next month, but uncertainty now looms large over the official launch.

Apple antitrust investigation

Apple’s management of its App Store has come under increased scrutiny this week - and only in part due to the Hey controversy. The company is also facing a major antitrust investigation over its fee structure, which some believe is anti-competitive and serves to squeeze out developers with smaller profit margins.

The EU probe was prompted by a complaint submitted by Spotify last year, which accused Apple of imposing restrictions on rivals to its music streaming service, Apple Music.

Apple has also been accused of inconsistency in the enforcement of the guidelines it is using to deny Hey access to its ecosystem. Neither Amazon nor Netflix, for instance, are required to funnel their subscription processes through their applications.

“Because of the market power that Apple has, it is charging exorbitant rents - highway robbery, basically - bullying people to pay 30 percent or denying access to their market,” explained Rep. David Cicilline, Chairman of the US House antitrust subcommittee.

“It’s crushing small developers who simply can’t survive with those kinds of payments. If there were real competition in this marketplace, this wouldn’t happen.”

David Heinemeier Hansson, Basecamp CTO, took to Twitter to express his dismay over the decision to reject Hey’s appeal, with Fortnite developer Epic Games and Tinder parent company Match Group chiming in to offer support.

“Wow. I’m literally stunned. Apple just doubled down on their rejection of HEY’s ability to provide bug fixes and new features, unless we submit to their outrageous demand of 15-30% of our revenue. Even worse: we’re told that unless we comply, they’ll REMOVE THE APP (sic),” Hansson tweeted.

Despite the mounting opposition to its ‘Apple Tax’ and wider gatekeeping practices, Apple reportedly has no intention of altering course or amending the rulebook.

Via The Verge


It turns out coronavirus malware wasn’t even that big a deal

Although coronavirus-related cyberattacks received significant attention early in the pandemic, Microsoft believes the threat posed was largely overstated.

A new blog published by the Microsoft Threat Intelligence Protection Team outlines how the volume of malware threats detected worldwide did not vary significantly during the pandemic, and coronavirus malware accounted for “barely a blip” in the total volume recorded.

Microsoft claims opportunistic malware and phishing attacks began after the World Health Organization (WHO) first started using the title “Covid-19” in February. These attacks peaked, however, in early March and have since settled into a consistently low cadence.

Coronavirus malware

According to Microsoft, cybercriminals are by nature opportunists; lures change frequently and fluidly, but the underlying malware remains consistent.

During the peak of the crisis, hackers deployed bespoke attacks in each territory, attaching malware campaigns to events of specific local concern.

In the UK, for example, coronavirus malware attacks peaked after the first confirmed death and again following the FTSE 100 crash and introduction of the US travel ban.

However, while the number of coronavirus-related cyberattacks spiked at various junctures, the overall number of cyberattacks shifted little from the usual rate, suggesting cybercriminals altered planned attacks rather than launching entirely new campaigns.

“Covid-19-themed attacks are just a small percentage of the overall threats Microsoft has observed over the last four months,” reads the blog post. “Based on the overall trend of attacks it appears that the themed attacks were at the cost of other attacks in the threat environment.”

The best defence against the kinds of opportunistic, localized attacks identified over the past few months, according to Microsoft, is an emphasis on training end users how to spot phishing and social engineering attacks - as well as a commitment to password best practices.

“Defender investment is best placed in cross-domain signal analysis, update deployment and user education...Investments that raise the cost of attack or lower the likelihood of success are the optimal path forward,” Microsoft noted.


Hundreds of millions of smart devices at risk of attack

Security researchers have discovered nineteen distinct security vulnerabilities in a networking code library written more than 20 years ago, reportedly present in hundreds of millions of internet-connected devices.

The vulnerabilities were discovered by Israeli security firm JSOF and are found in a popular code library developed by Canada-based software company Treck. The library implements the TCP/IP protocol stack, the code that handles a device’s communication over a network, whether local or public.

Treck’s code is present in all manner of connected devices, including routers, printers, smart home devices, datacenter and power grid equipment, commercial aircraft, satellite communications kit and a range of business software.

According to the researchers, the flaws could allow hackers to execute code on a target device, or even disable it entirely. Given the range of devices that utilize the Treck code library, the risk of exploitation is considerable.

Ripple20 vulnerabilities

The nineteen bugs have been collectively termed Ripple20, a name that refers to the ripple effect by which they spread through the supply chain into so vast a range of equipment, across such a breadth of industries.

“Not that many people have heard of this company, but they are a leading provider of TCP-IP stacks, so they’re at the beginning of a really complex supply chain,” said Shlomi Oberman, JSOF CEO.

“The vulnerabilities in the stack got amplified by the ripple effect of the supply chain, so that they exist in pretty much any type of connected device.”

This “ripple” effect has also given rise to concerns that many affected devices might never be identified - and will therefore remain vulnerable.

According to Oberman, while a number of the vulnerabilities pose a less distinct threat, a handful could be used to cause serious damage.

The US Department of Homeland Security has verified his claims, scoring four of the Ripple20 vulnerabilities either 9.8 or 10 on the CVSS severity scale (which runs from 0 to 10) in an advisory published today.

If abused, these four flaws could allow botnet operators or individual attackers to hijack affected devices and equipment, which could have particularly significant consequences in the industrial and healthcare sectors, for example.

Despite initial hesitance to engage with JSOF, Treck has now acknowledged the bugs and published patches for all Ripple20 vulnerabilities.

“We’ve recently been made aware of an independent security researcher’s work that resulted in the reporting of a group of vulnerabilities, of which Treck acted upon immediately,” said Treck.

“Treck has fixed all issues that were reported and made them available to our customers either through our newest code release, or patches.”

Companies are advised to test for the presence of Ripple20 vulnerabilities immediately, prioritizing the four most critical. Because the Treck stack is embedded several layers deep, a device’s own vendor may not list it as a component, so the inventory has to follow the supply chain rather than rely on product names alone.
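The ripple effect Oberman describes, and the advice to test for affected devices, come down to one inventory question: which shipped products transitively embed the vulnerable stack? The following is an added example, not JSOF’s or Treck’s tooling, that walks a bill of materials from the vulnerable component outward and returns every reachable asset together with the embedding chain that explains why it is affected. The bill of materials is constructed and every component and product name in it is hypothetical; a real one would be assembled from vendor advisories or SBOMs.

```python
"""Added example, not JSOF's or Treck's tooling: enumerating every product that
transitively embeds a vulnerable component, the "ripple" the article describes.
The bill of materials is constructed and all names in it are hypothetical."""
from collections import deque

# Constructed, hypothetical bill of materials: component -> the components or
# products that embed it. Products are the nodes that embed nothing further.
EMBEDS = {
    "treck-tcpip": ["rtos-a", "nic-firmware-b", "sat-modem-c"],
    "rtos-a": ["plc-model-1", "printer-model-2"],
    "nic-firmware-b": ["server-bmc-3", "printer-model-2"],
    "sat-modem-c": ["aircraft-gateway-4"],
    "other-stack": ["router-model-5"],
}


def affected_assets(embeds, vulnerable):
    """Breadth-first walk from the vulnerable component.

    Returns a dict mapping each reachable asset to one embedding chain
    (vulnerable component ... asset) that explains why it is affected.
    """
    chains = {}
    queue = deque([(vulnerable, [vulnerable])])
    while queue:
        node, path = queue.popleft()
        for child in embeds.get(node, []):
            if child in chains:      # already explained via a shorter chain
                continue
            chains[child] = path + [child]
            queue.append((child, chains[child]))
    return chains


def leaf_products(embeds, chains):
    """Reachable assets that embed nothing further, i.e. the devices to test."""
    return sorted(asset for asset in chains if asset not in embeds)


def report(embeds, vulnerable):
    """Human-readable chains, longest first: the deeper the chain, the less
    likely the device vendor knows the component is inside its product."""
    chains = affected_assets(embeds, vulnerable)
    lines = []
    for asset in sorted(leaf_products(embeds, chains),
                        key=lambda a: -len(chains[a])):
        lines.append(f"{asset}: " + " -> ".join(chains[asset]))
    return lines


if __name__ == "__main__":
    for line in report(EMBEDS, "treck-tcpip"):
        print(line)
```

Nothing in the walk depends on the vulnerable node being a TCP/IP stack; the same traversal answers the question for any component once the embedding relationships are recorded, which is the inventory work the article says many affected devices may never receive.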

Via ZDNet and WIRED


AWS believes it’s time to go all-in on cloud

Amid unprecedented demand for cloud-based services brought about by the coronavirus pandemic, cloud computing giant AWS is calling for businesses to embrace the new world order and to redouble digital transformation efforts.

Speaking at AWS Summit Online 2020, both AWS CEO Andy Jassy and Amazon CTO Werner Vogels were bullish about the opportunity represented by the cloud, including the necessary agility to respond quickly to macro events like the pandemic.

The pair also touched on the novel challenges businesses have surmounted, such as the need to rapidly scale cloud-based systems to support both a newly remote workforce and - for the likes of Zoom and Netflix - a massive surge in end user demand. None of this, AWS is quick to point out, would have been possible without cloud infrastructure.

"These last few months have ushered in a new era in technology...accelerating a path towards a world we predicted many years ago,” said the ever-ebullient Vogels.

“In 2020 and beyond, most organizations will transform into a completely cloud-based environment, where any worker can access any application from anywhere at any time.”

Cloud computing

The pandemic has undeniably emphasized the dependence of both businesses and consumers on the cloud. 

Almost all services that have supported people during the pandemic are underpinned by cloud infrastructure, from content streaming and online gaming to video conferencing, file-sharing, e-learning and telehealth.

However, despite the flexibility and scalability on offer, AWS CEO Andy Jassy says he still recognizes a reluctance in businesses to shift away from legacy infrastructure; “gravity-fighters” and “toe-dippers”, he calls them.

“There’s still a segment of companies who are trying to fight gravity. They argue they can still do the infrastructure less expensively than in the cloud...Often they’re proud of the infrastructure they’ve built, or it’s about the notion of ‘if it ain’t broke, don’t fix it’,” said Jassy.

“At the end of the day, you can want something not to happen all you want, but you can’t fight gravity. If something is really good for customers and businesses, it’s going to move that way.”

Jassy also dismissed the notion that size prevents large-scale enterprises from innovating as quickly as smaller, more agile businesses might.

“I believe certain companies have harder challenges than others in the ability to move and organize quickly, but I do not believe that any company can’t move quickly.” 

“In every single business, if you’re not moving quickly, you’re going to find yourself chasing [competitors] as opposed to leading. It’s up to us as leaders not to accept the world as it has been, but to actually change the world.”

As the business environment becomes increasingly decentralized and workforces increasingly dispersed, thanks in no small part to the cloud, AWS is “optimistic about the future”. But that vision is contingent on a willingness among businesses to embrace the cloud-centric future the company has painted.


Microsoft Azure reveals host of cloud improvements

Microsoft has revealed it was forced to take swift action in response to phenomenal demand for its Azure cloud services during the early stages of the pandemic.

According to a new blog post published by the firm, in order to ensure Microsoft Azure was able to support the efforts of front-line services and the many businesses forced to transition to a remote model, datacenter staff worked “round-the-clock” installing new servers. Product teams, meanwhile, hunted for efficiency gains to free up resources and capacity for customers.

With the epicenter of demand positioned in central Europe, the company doubled the capacity on one of its own transatlantic undersea cables, and arranged for the operator of another to allocate additional capacity to Azure customers.

Microsoft also shifted internal Azure workloads to take place outside of peak hours in different territories, funnelling traffic away from regions experiencing high demand.

Microsoft Azure pandemic response

Microsoft said that while its cloud service is designed to expand and contract with demand, challenges posed by the pandemic were unlike any the Azure team had previously encountered.

“The scope and scale of the response to Covid-19 was completely unprecedented, in terms of how much the world went digital inside a month,” said Mark Simms, a software architect involved in managing the Azure response.

“So the work that we had to do to get through the initial surge in demand and free up capacity for our customers to run critical health and safety workloads was also unprecedented. We made some pretty profound changes in order to do the right thing, and we did them under a very short time frame.”

From a business perspective, demand for Microsoft Teams skyrocketed, but so too demand for services such as Windows Virtual Desktop and Azure Active Directory’s Application Proxy as organizations came to terms with securing a remote workforce.

To handle this surge, Microsoft boosted the capacity of its fiber optic network by 110 terabits over two months, and also added 12 edge sites to minimize congestion.

The firm also used data from China and Italy, two countries that suffered high coronavirus incidences early in the pandemic, to map out anticipated effects on traffic as the virus spread across the globe.

“Normally, you find and fix issues organically as you grow. When you take software and put it under explosive growth - with services getting used an order of magnitude more in one day - you tend to find all of those in a really short period of time,” explained John Sheehan, Microsoft Distinguished Engineer for Azure Quality.

Having scaled and stabilized the service, Microsoft has now turned its focus to unearthing micro efficiencies to better support Azure’s increasingly wide customer base.


YouTube and Netflix are the favorite procrastination tools of remote workers

Analysis of aggregated VPN traffic data has shown that the vast majority of remote workers are using corporate devices for entertainment purposes.

A study by NetMotion Software found that almost three quarters (74%) of employees are streaming video content on popular platforms such as YouTube and Netflix via company-owned devices.

YouTube is far and away the most popular service with the remote workforce, accounting for 71% of streaming activity, followed by Netflix (14%) and Hulu (9%).

The findings raise concerns that the widespread shift to remote working could be having a negative effect on employee productivity - and on cybersecurity.

Remote working productivity

Designed to assess the changes in worker behavior and device usage brought about by the pandemic, the study found that a significant amount of time is spent streaming content via corporate devices.

NetMotion Software says that one fifth of workers are spending more than 10 hours per week streaming content on entertainment platforms, while 45% are streaming video content for 5-10 hours per week.

Almost a third, meanwhile, admitted to accessing non work-related content via corporate devices during the working day, highlighting a potential productivity drain.

Beyond video streaming, NetMotion believes workers could be using company-owned devices to access all manner of platforms and services, some of which could pose a threat to security.

“With the majority of employees now working remote, IT teams appear to be struggling to gain visibility into how their devices are being used,” reads the report.

“If they aren’t able to see or limit the use of corporate-owned devices for relatively harmless activities like streaming YouTube content, then they also cannot determine whether employees are engaging in potentially risky behavior, such as visiting unsuitable or unsavory websites that may introduce malware into the network.”

To mitigate against threats of this kind, the report advocates a shift towards decentralized and zero trust architectures, which are better aligned with remote-first environments than traditional network-centric approaches.
