Here's When Google Is Unveiling the Next Pixel

Another year, another Pixel. It’s no surprise that Google is planning on releasing the Pixel 9, 9 Pro, and Watch 3 at some point this fall. Every tech company refreshes their smartphones at least once a year. What’s surprising is the event is happening earlier than ever in 2024.

As reported by The Verge, Google just sent out invites for its Made by Google hardware event. Google says the event will focus on Google AI, Android, and, of course, the “Pixel portfolio of devices.” While this event is usually held in September, Google is inviting people to an August announcement—Aug. 13, to be specific.

The event kicks off at 10 a.m. PT (1 p.m. ET), which is pretty standard for these tech events. But the advanced date is curious: Why is Google announcing these things a whole month earlier than usual? It’s possible it’s Google’s way of getting around rumors and leaks: Pixels tend to be leaked in their entirety by the time Made by Google rolls around, to the point where anyone keeping up with the rumors knows just about everything Google is announcing.

That said, we do have rumors about the Pixel 9, so that strategy might not be working: According to the leaks, Google is planning to pull an Apple and release four different Pixel models: a 9, a 9 Pro, a 9 Pro XL, and a 9 Pro Fold. It's also expected that the Pixels will come with the G4 Tensor chip, Google's latest-generation SoC. These devices will replace the current Pixel 8 and Pixel 8 Pro, as the Pixel Watch 3 will replace the Watch 2.

In addition to hardware, Google will share announcements about its latest AI features and developments, as well as Android 15, which is currently in beta testing. It will be interesting to see what the company has planned for these announcements, as their latest AI endeavor, AI Overviews, didn't have the best of rollouts.

Because Google has only sent out invites to the event thus far, we don't know for certain how the company plans to stream the event for the rest of us. However, more than likely, Google will host a live stream of Made by Google on the company's YouTube page. If you want to see these announcements live, tune into YouTube.

Update Your Pixel Now to Patch This Security Flaw

Earlier this month, Google issued a security update for its line of Pixel smartphones, issuing patches for 45 vulnerabilities in Android. Security updates aren't as flashy as Feature Drops, and so users might not feel as inspired to update their Pixels right away. This update, however, is one you should install ASAP.

As it turns out, among those 45 patched vulnerabilities, is one particularly dangerous one. The flaw is tracked as CVE-2024-32896, and is an escalation of privilege vulnerability. These flaws can allow bad actors to gain access to system functions they normally wouldn't have permission for, which opens the door to dangerous attacks. While most of these flaws are usually caught before bad actors learn how to exploit them, the situation with CVE-2024-32896 isn't so fortunate: In the security notes for this security update, Google says, "There are indications that CVE-2024-32896 may be under limited, targeted exploitation."

That makes this vulnerability an example of a "zero-day" issue—a flaw that bad actors know how to take advantage of before a patch is made available to the general public. Every Pixel that doesn't install this patch is left vulnerable to malicious users who know about this issue, and want to exploit it.

Google hasn't disclosed any additional information about CVE-2024-32896, so we don't know much about how it works—that said, it sounds like a particularly nasty vulnerability. In fact, Forbes reports that the United States government has taken note of the issue, and has issued a July 4 deadline for any federal employees using a Pixel: Update your phone, or "discontinue use of the product."

GrapheneOS, which develops an open source privacy-centric OS for smartphones, says that the patch for CVE-2024-32896 is actually the second half of a larger fix: In April, Google patched CVE-2024-29748, and according to GrapheneOS, both were targeted to patch vulnerabilities forensic companies were exploiting.

How to patch your Pixel

To install this security patch on your Pixel, head to Settings > System > Software update. When the update is available, you can follow the on-screen instructions to install it. Alternatively, you can ask Google Assistant to "Update my phone now."

The Pixel 7 Pro and Pixel 8 Pro Are on Sale for Their Lowest Prices Ever

If you're looking to upgrade to a new Pixel Pro phone, it's not a bad time. Currently, both the Google Pixel 7 Pro and Pixel 8 Pro are available at their lowest prices yet for unlocked devices, per price-tracking tools. The 256 GB Pixel 7 Pro is $435 on Amazon, while the 128 GB Pixel 8 Pro is $649 at Best Buy.

Google Pixel 7 Pro

If you're looking for a reliable phone with a great camera, long battery life, powerful software tools, and a nice screen, the Google Pixel 7 Pro ticks all of your boxes. The 7 Pro came out in October 2022, and our friends at PCMag named it the best Android phone on the market in their "excellent" review. Back in May, Woot sold the 256GB version for $439.99, which was even cheaper than holiday deals from 2023, and the current price is $5 below that.

Google Pixel 8 Pro

If you're looking for the latest Pixel with a more powerful CPU, higher screen resolution, slightly better resolution rear camera, and the latest AI features, spring for the Pixel 8 Pro. The extra $214 gets you the Google Tensor G3 CPU with AI capabilities, letting you take advantage of a range of features unique to the Pixel 8 Pro, like AI-powered photo edits, magic eraser, instant summaries, and more. (Check out PCMag's "excellent" review if you'd like to learn more.)

Regardless of which phone you choose, you'll be getting great value for your money and a great phone that will last many years. As Google continues to offer even older Pixels security fixes and quarterly feature updates (including, recently, the new "circle to search" capability), your Pixel will remain relevant for years to come.

More Android Phones Are Getting Gemini in Messages

Google is finally expanding the number of Android phones that can access Gemini through Google Messages. Previously, the feature was only available on certain Pixel devices, as well as Samsung Galaxy devices including foldables and the Galaxy S22 and beyond.

Now, Google has updated its help pages to indicate that the feature is finally available on a wider selection of Android phones, though there are still a few important requirements that you’ll need to meet first.

Most importantly, you’ll need to have an Android device with 6GB or more RAM. This, unfortunately, rules out some of the cheaper options out there. However, considering that many mid-range devices have 6GB to 8GB of RAM these days, it should hopefully put Gemini in a lot more hands. Additionally, Google says that you will need to be 18 or older and have RCS messaging turned on.

You’ll also need to be logged into the latest version of Messages with a personal account that isn’t managed by Family Link or a Google Workspace account, and be in one of the 165 countries that Gemini supports.

If you meet these requirements, you should then be able to take advantage of Google-powered AI directly in your Android phone’s messaging app.

How to use Gemini in Google Messages

Using Gemini in Messages is a lot like talking to your friends. If this is your first time talking to Gemini in Messages, just open the Messages app, tap Start Chat, and choose Gemini as the recipient. If you have started a chat before, simply tap on the chat to continue it.

With the chat open, you can begin sending requests and asking questions of the AI-powered chat bot. Gemini in Messages works very similarly to how it does on the web, so don’t be afraid to experiment with its various capabilities.

Explained: Android overlays and how they are used to trick people

Sometimes you’ll see the term “overlays” used in articles about malware and you might wonder what they are. In this post we will try to explain what overlays—particularly on Android devices—are, and how cybercriminals deploy them.

Most of the time, overlays are used to make people think they are visiting a legitimate website or using a trusted app while in reality they are not.

Simply put, the Android overlay is a feature used by an app to appear on top of another app. The legitimate use of overlays is to offer functionality to the app’s user without them having to leave the app itself, for example for messages or alerts, such as Android bubbles on Messenger.

The possible malicious use of overlays, then, is not hard to guess. Overlays can be used to draw a full window on top of a legitimate app and, as such, intercept all the interactions the user has with the app. But they can also be superimposed over certain critical areas of an app like the text in a message box.

Some examples of malicious uses of overlays:

  • Requesting permissions under false pretenses: malicious apps can hide their requests by covering the legitimate app’s permissions text.
  • Clickjacking, where a user is tricked into clicking on actionable content thinking they are interacting with a legitimate app.
  • Intercepting information like login credentials and even some multi-factor authentication (MFA) tokens, by making the user think they are entering them on a legitimate app or website.

Whether the overlays are transparent or whether they mimic the legitimate app does not influence the way they work. As long as they blend with the original application’s interface, they are incredibly hard to spot.

Most of the time, a malicious overlay’s goal is to intercept certain user data which enables cybercriminals to steal money or cryptocurrencies. This is why many banking apps have protection in place. In modern Android versions, developers can successfully block any non-system Android overlay to protect against overlay attacks.
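The developer-side protection mentioned above can look like the following on a sensitive screen. This is an added example, not code from the article or from any banking app; the class name `ConfirmPaymentActivity` and the `submitPayment()` method are hypothetical, and it assumes the app's manifest declares the `android.permission.HIDE_OVERLAY_WINDOWS` permission.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.LinearLayout;

// Hypothetical activity showing overlay defenses on a sensitive screen.
public class ConfirmPaymentActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Android 12 (API 31) and later: while this window is visible, the
        // system hides every non-system overlay window. Needs the
        // HIDE_OVERLAY_WINDOWS permission in the manifest (assumed here).
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }

        Button confirm = new Button(this);
        confirm.setText("Confirm");

        // Older devices: the framework drops touches that arrive while
        // another visible window covers this view at the touch location.
        confirm.setFilterTouchesWhenObscured(true);

        // Also reject touches when the window is only partially covered,
        // for example by a small overlay placed over the explanatory text
        // next to the button rather than over the button itself.
        confirm.setOnTouchListener((view, event) -> {
            int flags = event.getFlags();
            boolean obscured =
                    (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
                obscured |= (flags
                        & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
            }
            // Returning true consumes the event, so the click never fires.
            return obscured;
        });

        confirm.setOnClickListener(view -> submitPayment());

        LinearLayout layout = new LinearLayout(this);
        layout.addView(confirm);
        setContentView(layout);
    }

    // Hypothetical placeholder for the sensitive action being protected.
    private void submitPayment() {
        // The app's real confirmation logic would run here.
    }
}
```

On Android 12 and later the first call is enough on its own; the touch filtering covers older devices, where overlays cannot be hidden but obscured touches can still be refused.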

Protection against overlays

As we said, screen overlay attacks are most common on Android devices, and they are a significant threat, so we will explain how you can check which apps have the permission to use overlays and how you can disable it.

Tap Settings > Apps > Options (three stacked dots) > Special access > Appear on top. Here you can see a list of apps with the permission to “Appear on top” and you can disable the ones you don’t recognize or don’t need to have this permission.

Using an anti-malware solution for your Android device will be effective against known malicious apps. You can uninstall these apps using the mobile device’s uninstall functionality, but the tricky part lies in identifying the offending behavior and app. That is where Malwarebytes for Android can help—by identifying these apps and removing them.

It also helps to use authentication methods which are harder to phish. MFA is vital to enable, and will protect you from many types of attacks, so please continue to use it. However, authentication-in-the-middle attacks only work with certain types of MFA, and passkeys for example won’t allow the cybercriminals to log in to your account in this way.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

How to Enable Chrome's New Text-to-Speech Mode for Android

Google has been working to update how it handles text-to-speech (TTS) in Chrome on Android for a few months now. The feature was first noticed in beta in January, but now appears to be rolling out to more users with Chrome 125. Though it is still not fully ready just yet, 9to5Google reports, you can already enable it if you don't already have it.

Previously, to have your smartphone read webpages to you, you’d normally have to rely on Google Assistant on Android and Siri (plus Safari) on iPhone. While the new Listen to Page feature doesn’t appear to be coming to iOS anytime soon, it’s still nice to see Google baking this accessibility feature into Chrome itself.

9to5Google says that the new function appears to work on most text-heavy websites. However, you’ll need to wait for the page to fully load and then access the option from the three dot menu at the top of Chrome. If you don’t see the feature listed, just activate it through the Chrome flag chrome://flags/#read-aloud. Enter that address into the URL bar, press enter to access the settings, and turn it on.

On top of reading webpages to you, the feature also comes with various controls, including options for playback speed as well as the ability to highlight text and turn on auto-scroll. Google has also included several voice options, including selections for U.S., U.K., Indian, and Australian English voices. There are also several different pitches available to provide a more warm, calm, bright, or peaceful tone.

The control bar for the TTS feature will remain docked even if you open additional tabs, and playback will continue if you lock your device. However, if you close the browser—or even push it to the background for any reason—the reading will end. The feature also appears to be available in Chrome Custom Tabs, and it can be set as a toolbar shortcut to help avoid scrolling through the menu looking for it.

As it hasn’t officially rolled out (any access you might have right now is a preview), the feature is likely still being worked on in some fashion. As such, Google may make more changes—or even add new features—before fully releasing it. If you'd rather wait for the full release, Google’s Reading mode app remains a great alternative.

Update now! Google Pixel vulnerability is under active exploitation

Google has notified Pixel users about an actively exploited vulnerability in their phones’ firmware.

Firmware is the code or program which is embedded into hardware devices. Simply put, it is the software layer between the hardware and the applications on the device.

About the vulnerability, Google said there are indications it may be:

“under limited, targeted exploitation.”

This could mean that the discovered attacks were very targeted, for example by state-sponsored actors or industry-grade spyware. However, it’s still a good idea to get these patches as soon as you can. And whether you have a Pixel or not, all Android users should make sure they’re using the latest version available, because the June 2024 security update addresses a total of 50 security vulnerabilities.

Updates to address this issue are available for supported Pixel devices, such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold.

For these Google devices, security patch levels of 2024-06-05 or later address this issue. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app.

You should get notifications when updates are available for you, but it’s not a bad idea to manually check for updates. For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Technical details

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE for this vulnerability is:

CVE-2024-32896: an elevation of privilege (EoP) issue in Pixel firmware.

An elevation of privilege vulnerability occurs when an application gains permissions or privileges that should not be available to them. This can be a key element in an attack chain when a cybercriminal wants to move forward from initial access to a device to a full compromise.


Everything New in June’s Pixel Feature Drop

The June Pixel Feature Drop update has officially begun rolling out to Pixel users around the world. This month’s Feature Drop includes a slew of new updates for the Pixel 8 series—all the way from the 8 Pro to the cheaper 8a—as well as updates for the Pixel Watch 2 and even some older Pixel devices. Here’s what you can expect from this month’s big update.

First and foremost, it’s time to talk about Gemini. While Google has gone back and forth about Gemini’s availability on Pixel 8 in the past, the company’s latest claims that it would indeed come to the base Pixel 8 and the even cheaper Pixel 8a have finally come to fruition. We’ve already shown you how to enable Gemini on Pixel 8 and 8a—it’s enabled by default on the 8 Pro, so you don’t have to do anything extra. With the June Feature Drop, some Gemini Nano features are finally launching, starting with Summarize in Recorder—which can now detect and export transcripts of recordings into text files or even Google Docs.

Google has also added support for DisplayPort on all three Pixel 8s, allowing users to connect their phones to a second display via USB-C cable. This means you can now showcase your favorite movies or videos on the big screen, and some have speculated it could mean a desktop mode is in the works, too, which could resemble Samsung DeX, which allows you to turn your phone or tablet into a desktop computer in a way.

Another big feature—and one that I hope we’ll see added to other phones in the future—is Reverse Phone Number Lookup. Now, whenever an unknown number hits your recent call log, you can simply tap on it a couple of times, and Google will automatically perform a Google Search to look up the number and try to provide you with more information about it. It isn’t foolproof by any means, but it’s something I’m surprised we haven’t seen in phones already.

We already knew Google was making big changes to its Find My Device network, including making the Pixel 8, Pixel 8 Pro, and Pixel 8a detectable even when powered off. Now, Google has officially made the feature available, which could be enough to justify downloading the update on its own.

On the camera side of things, Pixel devices from the Pixel 6 up to the Pixel Tablet will now be able to automatically identify the best moment for your photo to be captured in HDR+ just with a single shutter press. This is just another way that Google continues to set its camera apart from other smartphone cameras.

The tech giant has also added manual lens picking on the Pixel 6 Pro, Pixel 7 Pro, Pixel 8 Pro, and Pixel Fold, allowing you to manually touch which camera you want to use at any given time. This should make it easier for photo-savvy users to customize their shots, instead of relying on Google to determine which camera is best.

Finally, Google has rolled out a new Google Home Favorites widget, giving you customizable smart home controls directly on your smartphone or tablet. Additionally, the company has brought Doorbell notifications to the Pixel Tablet when it's docked in hub mode, giving you a better view of who is at your door.

That's all the big changes coming to tablets and phones, but it's not everything. There are also new features for Pixel Watch and Pixel Watch 2. Perhaps the biggest additions are Car Crash Detection and Bicycle Fall Detection on the Pixel Watch 2. These will allow the watch to detect if you’ve fallen or been in a car crash and then will ask if you’re okay before calling emergency services or contacts.

Google Wallet has also received a minor upgrade on Pixel Watch, as Paypal has officially arrived for it. This, of course, isn’t just a Pixel-only thing, as Google announced the online payment service would be joining Google Wallet across Wear OS last month.

The last big feature coming to Pixel Watch is a new update for Google Home. This brings a new watch face complication and Wear OS tile to the watch. This should give you more control over your various smart home items. Again, this isn’t a Pixel-only thing, as the feature was previously available on other Wear OS devices. This is, however, the first time it’ll appear on Pixel Watch.

How to turn off location tracking on Android

Android devices come with location services. Some apps need access to location services to function properly. However, there may be reasons why you don’t want your device to be located, often because you don’t want to be found and the device is always with you.

Depending on who you are trying to hide your location from, there are several levels of hiding your location.

Disclaimer: the exact instructions for your make and model of Android device may look a bit different.

Turn off location for particular apps

There are apps active on most Android devices that could give away the location of the device. To check which apps have access to your device’s location:

  • Swipe down from the top of the screen.
  • Find the Location icon.
  • Touch and hold Location.
  • Tap App location permissions.
  • Under Allowed all the time, Allowed only while in use, and Not allowed, find the apps that can use your device’s location.
  • To change the app’s permissions, tap it. Then, choose the location access for the app.
  • If you see any apps that you don’t recognize, be sure to turn the permission off.

Turn off location entirely

Alternatively, you can turn Location off entirely:

  • Swipe down from the top of the screen.
  • Find the location icon.
  • If it’s highlighted, tap it to turn it off.
  • You’ll see a warning that some apps may not function properly. Confirm by tapping Close.

Turn off Find My Device

Find My Device is a service which makes your device’s most recent location available to the first account activated on the device. Find My Device is included with most Android phones, and it’s automatically turned on once you add a Google account to your device.

How to turn off Find My Device:

  • Open Settings.
  • Tap (Biometrics &) Security.
  • Tap Find My Device, then tap the switch to turn it off.

Turning off Find My Device may backfire if you ever truly need to find your device because you lost it. But if someone may have the login credentials for the Google account associated with the phone, you may want to turn it off.

The last resort is to turn your phone off.

Even in airplane mode, GPS on your phone is still working. As long as a phone isn’t turned off, it’s possible to track the location because the device sends signals to nearby cell towers. Even when it’s turned off, the service provider or internet provider can show the last location once it’s switched back on.


pcTattletale spyware leaks database containing victim screenshots, gets website defaced

The idea behind the software is simple. When the spying party installs the stalkerware, they grant permission to record what happens on the targeted Android or Windows device. The observer can then log in on an online portal and activate recording, at which point a screen capture is taken on the target’s device.

What goes around comes around, you might say. As you may have read many times before on our blog, some spyware companies have a surprisingly low standard of security.

In 2021, we reported that “employee and child-monitoring” software vendor pcTattletale hadn’t been very careful about securing the screenshots it sneakily took from its victims’ phones. A security researcher found an issue while using a trial version of pcTattletale, noticing that the company uploaded the screenshots to an unsecured online database (meaning anyone could view the screenshots as they weren’t protected by any form of authentication—such as a user name and password).

Last week another security researcher, Eric Daigle, found the company appears to have learned nothing from its previous security issue. Daigle found that pcTattletale’s Application Programming Interface (API) allows any attacker to access the most recent screen capture recorded from any device on which the spyware is installed. Despite repeated warnings from Daigle and others, no improvements were made.

Then, yet another researcher found yet another bug in pcTattletale which allowed them to gain full access to the backend infrastructure. This allowed them to deface the website and steal the AWS credentials which turned out to be the same for all devices. Amazon has now locked pcTattletale’s entire AWS infrastructure.

After a quick sweep, stalkerware researcher Maia Crimew stated:

“pcTattletale currently holds over 17 terabytes of victim device screenshots (upwards of 300 million of them from over 10 thousand devices), with some of them dating back to 2018.”

According to 2023 research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

Given the low security of the apps available to home users, this is extremely concerning. Installing monitoring software is not just a huge invasion of privacy, there is a big chance that it will backfire.

Removing stalkerware

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware-type apps from your device. It is good to keep in mind however that by removing the stalkerware-type app you will alert the person spying on you that you know the app is there.

Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes can help you.

  1. Open your Malwarebytes dashboard
  2. Tap Scan now
  3. It may take a few minutes to scan your device.

If malware is detected you can act on it in the following ways:

  • Uninstall. The threat will be deleted from your device.
  • Ignore Always. The file detection will be added to the Allow List, and excluded from future scans. Legitimate files are sometimes detected as malware. We recommend reviewing scan results and adding files to Ignore Always that you know are safe and want to keep.
  • Ignore Once: A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete. This option will ignore the detection this time only. It will be detected as malware on your next scan.

On Windows machines Malwarebytes detects pcTattletale as PUP.Optional.PCTattletale.


How to remove a user from a shared Android device

Some of our loyal readers may remember my little mishap when I was able to track my wife by accident after inadvertently adding myself to her phone as a user.

For exactly that reason we want to warn against sharing devices and at least show you how to remove other people’s accounts from your device.

The steps may be slightly different depending on your Android version, device type, and vendor, but most users should be able to follow these steps.

For the primary user:

  • Open Settings
  • Tap System > Multiple users.

If you can’t find this setting, try searching your Settings app for users.

  • Tap the name of the user you want to remove.
  • Tap Delete user > Delete. If successful, the user will be removed from the list.
  • If you want to stay the only user, you can turn the Multiple users feature off.

If you’re not the primary user (you can’t delete the primary user):

  • Under Multiple Users tap More (three stacked dots).
  • Tap Delete [username] from this device. Important: You can’t undo this.
  • The device will switch to the owner’s profile.

Note: Android devices allow two types of additional users:

  • Secondary user: This is any user added to the device other than the system user. Secondary users can be removed (either by themselves or by an admin user) and cannot impact other users on a device. These users can run in the background and continue to have network connectivity.
  • Guest user: Temporary secondary user. Guest users have an explicit option to quickly delete the guest user when its usefulness is over. There can be only one guest user at a time.

Another privacy issue can be caused by having additional accounts on the device. Accounts are contained within a user but are not linked to a particular user. The tracking issue I discussed was caused by adding one of my Google accounts to my wife’s phone.

To remove unwanted accounts:

  • Under Settings, tap on Accounts and Backups
  • Then tap on Manage Accounts
  • Select the account you want to remove and you will see the option to do that.

If you’re having trouble finding any of these settings on your specific Android device, reach out through the comments and when we can, we’ll add as many specific instructions as possible to the post.

Android 15 beta 2 released

Google released Android 15 beta 2 today, and with it, they unveiled some more of the new features coming to Android later this year when the final release lands. Android 15 comes with something called a private space, an area with an extra layer of authentication where you can keep applications and data hidden away, such as banking applications or health data. It’s effectively a separate user profile, and shows up as a separate area in the application drawer when unlocked. When locked, it disappears entirely from sight, share sheets, and so on.

Another awesome new feature is Theft Detection Lock, which uses Google “AI” to detect when a phone is snatched out of your hands by someone running, biking, or driving away, and instantly locks it. Theft like this is quite common in certain areas, and this seems like an excellent use of “AI” (i.e., accelerometer data) to discourage thieves from trying this.

There’s also a bunch of smaller stuff, like custom vibration patterns per notification, giving applications partial access to only your most recent photos and videos, system-wide preferences for which gender you’d like to be addressed as in gendered languages (French gets this feature first), and a whole lot more.

Developers also get a lot to play with here, from safer intents to something like ANGLE:

Vulkan is Android’s preferred interface to the GPU. Therefore, Android 15 includes ANGLE as an optional layer for running OpenGL ES on top of Vulkan. Moving to ANGLE will standardize the Android OpenGL implementation for improved compatibility, and, in some cases, improved performance. You can test out your OpenGL ES app stability and performance with ANGLE by enabling the developer option in Settings -> System -> Developer Options -> Experimental: Enable ANGLE on Android 15.

↫ Android developer blog

You can install Android 15 beta 2 on a number of Pixel devices and devices from other OEMs starting today. I installed it on my Pixel 8 Pro, and after a few hours I haven’t really noticed anything breaking, but that’s really not enough time to make any meaningful observations.

Google also detailed Wear OS 5.

Later this year, battery life optimizations are coming to watches with Wear OS 5. For example, running an outdoor marathon will consume up to 20% less power when compared to watches with Wear OS 4. And your fitness apps will be able to help improve your performance with the option to support more data types like ground contact time, stride length and vertical oscillation.

↫ Android developer blog

Wear OS 5 will also improve the Watch Face Format with more complications, which is very welcome, because the selection of complications is currently rather meager. Wear OS 5 will also ship later this year.

Google details some of the “AI” features coming to Android

Google I/O, the company’s developer conference, started today, but for the first time since I can remember, Android and Chrome OS have been relegated to day two of the conference. The first day was all about “AI”, most of which I’m not even remotely interested in, except of course where it relates to Google’s operating system offerings.

And the company did have a few things to say about “AI” on Android, and the general gist is that yeah, they’re going to be stuffing it into every corner of the operating system. Google’s “AI” tool Gemini will be integrated deeply into Android, and you’ll be able to call up an overlay wherever you are in the operating system, and do things like summarise a PDF that’s on screen, summarise a YouTube video, generate images on the fly and drop them into emails and conversations, and so on.

A more interesting and helpful “AI” addition is using it to improve TalkBack, so that people with impaired vision can let the device describe images on the screen for them. Google claims TalkBack users come across about 90 images without description every day (!), so this is a massive improvement for people with impaired vision, and a genuinely helpful and worthwhile “AI” feature.

Creepier is that Google’s “AI” will also be able to listen along with your phone calls, and warn you if an ongoing conversation is a scamming attempt. If the person on the other end of the line claiming to be your bank asks you to move a bunch of money around to keep it safe, Gemini will pop up and warn you it’s a scam, since banks don’t ask you such things. Clever, sure, but also absolutely terrifying and definitely not something I’ll be turning on.

Google claims all of these features take place on-device, so privacy should be respected, but I’m always a bit unsure about such things staying that way in the future. Regardless, “AI” is coming to Android in a big way, but I’m just here wondering how much of it I’ll be able to turn off.

Google is experimenting with running Chrome OS on Android

Now that Android – since version 13 – ships with the Android Virtualisation Framework, Google can start doing interesting things with it. It turns out the first interesting thing Google wants to do with it is run Chrome OS inside of it.

Even though AVF was initially designed around running small workloads in a highly stripped-down build of Android loaded in an isolated virtual machine, there’s technically no reason it can’t be used to run other operating systems. As a matter of fact, this was demonstrated already when developer Danny Lin got Windows 11 running on an Android phone back in 2022. Google itself never officially provided support for running anything other than its custom build of Android called “microdroid” in AVF, but that’s no longer the case. The company has started to offer official support for running Chromium OS, the open-source version of Chrome OS, on Android phones through AVF, and it has even been privately demoing this to other companies.

At a privately held event, Google recently demonstrated a special build of Chromium OS — code-named “ferrochrome” — running in a virtual machine on a Pixel 8. However, Chromium OS wasn’t shown running on the phone’s screen itself. Rather, it was projected to an external display, which is possible because Google recently enabled display output on its Pixel 8 series. Time will tell if Google is thinking of positioning Chrome OS as a platform for its desktop mode ambitions and Samsung DeX rival.

↫ Mishaal Rahman at Android Authority

It seems that Google is in the phase of exploring if there are any OEMs interested in allowing users to plug their Android phone into an external display and input devices and run Chrome OS on it. This sounds like an interesting approach to the longstanding dream of convergence – one device for all your computing needs – but at the same time, it feels quite convoluted to have your Android device emulate an entire Chrome OS installation.

What a damning condemnation of Android as a platform that despite years of trying, Google just can’t seem to make Android and its applications work in a desktop form factor. I’ve tried to shoehorn Android into a desktop workflow, and it’s quite hard, despite third parties having made some interesting tools to help you along. It really seems Android just does not want to be anywhere else but on a mobile touch display.

RISC-V support in Android just got a big setback

Although Google has shown significant progress in recent weeks in improving RISC-V support in Android, it seems that we’re still quite a bit away from seeing RISC-V hardware running certified builds of Android. Earlier today, a Senior Staff Software Engineer at Google who, according to their LinkedIn, leads the Android Systems Team and works on Android’s Linux kernel fork, submitted a series of patches to AOSP that “remove ACK’s support for riscv64.” The description of these patches states that “support for risc64 GKI kernels is discontinued.”

↫ Mishaal Rahman

Google provided Android Authority with a statement, claiming that Android will continue to support RISC-V. What these patches do, however, is remove support for the architecture from the Generic Kernel Image, which is the only type of kernel Google certifies for Android, which means that it is now no longer possible to ship a certified Android device that uses RISC-V. Any OEM shipping a RISC-V Android device will have to create and maintain its own kernel fork with the required patches. This doesn’t seem to align with Google’s statement.

So, unless Google intends to add RISC-V support back into GKI, there won’t be any officially certified Android devices running on RISC-V. Definitely an odd chain of events here.

Facebook opens its Android-based Quest operating system to other VR device makers

Today we’re taking the next step toward our vision for a more open computing platform for the metaverse. We’re opening up the operating system powering our Meta Quest devices to third-party hardware makers, giving more choice to consumers and a larger ecosystem for developers to build for. We’re working with leading global technology companies to bring this new ecosystem to life and making it even easier for developers to build apps and reach their audiences on the platform.

[…]

Meta Horizon OS is the result of a decade of work by Meta to build a next-generation computing platform. To pioneer standalone headsets, we developed technologies like inside-out tracking, and for more natural interaction systems and social presence, we developed eye, face, hand, and body tracking. For mixed reality, we built a full stack of technologies for blending the digital and physical worlds, including high-resolution Passthrough, Scene Understanding, and Spatial Anchors. This long-term investment that began on the mobile-first foundations of the Android Open Source Project has produced a full mixed reality operating system used by millions of people.

↫ Facebook’s blog

In summary, Facebook wants the operating system of their Quest series of virtual reality devices – an Android Open Source Project fork optimised for this use – to become the default platform for virtual reality devices from all kinds of OEMs. Today, they’re announcing that both Asus and Lenovo will be releasing devices running this Meta Horizon OS, with the former focusing on high-end VR gaming, and the latter on more general use cases of work, entertainment, and so on. Facebook will also be working together with Microsoft to create a Quest “inspired by Xbox”.

The Meta Quest Store, the on-device marketplace for applications and games, will be renamed to the Meta Horizon Store, and the App Lab, where developers can more easily get their applications and games on devices and in the hands of consumers as long as they meet basic technical and content guidelines, will be integrated into the Meta Horizon Store for easier access than before. In addition, in a mildly spicy move, Facebook is openly inviting Google to bring the Google Play Store to the VR Android fork, “where it can operate with the same economic model it does on other platforms”.

The odds of me buying anything from Facebook are slim, so I really hope this new move won’t corner the market for VR headsets right out of the gate; I don’t want another Android/iOS duopoly. I’m not particularly interested in VR quite yet – but give it a few more years, and I certainly won’t pass up on a capable device that allows me to play Beat Saber and other exercise-focused applications and games.

I just don’t want it to be a Facebook device or operating system.

Google patches critical vulnerability for Androids with Qualcomm chips

In April’s update for the Android operating system (OS), Google has patched 28 vulnerabilities, one of which is rated critical for Android devices equipped with Qualcomm chips.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

If your Android phone is at patch level 2024-04-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L and 13. Android partners are notified of all issues at least a month before publication. However, this doesn’t always mean that the patches are available for devices from all vendors.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Qualcomm CVE is listed as CVE-2023-28582. It has a CVSS score of 9.8 out of 10 and is described as a memory corruption in Data Modem while verifying hello-verify message during the Datagram Transport Layer Security (DTLS) handshake.

The cause of the memory corruption lies in a buffer copy without checking the size of the input. Practically, this means that a remote attacker can cause a buffer overflow during the verification of a DTLS handshake, allowing them to execute code on the affected device.
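
The bug class described above, as an added example (not Qualcomm's modem code and not part of the original article): a bounds-checked parser for a DTLS HelloVerifyRequest body as laid out in RFC 6347. The 32-byte cookie buffer, the type and function names, and the sample messages are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HelloVerifyRequest body (RFC 6347, section 4.2.1):
 *   ProtocolVersion server_version;   2 bytes
 *   opaque cookie<0..2^8-1>;          1 length byte, then the cookie
 * COOKIE_BUF_LEN is an assumed receiver-side buffer size. */
#define COOKIE_BUF_LEN 32

enum hvr_status { HVR_OK = 0, HVR_MALFORMED = -1, HVR_COOKIE_TOO_LONG = -2 };

struct hvr {
    uint8_t version[2];
    uint8_t cookie[COOKIE_BUF_LEN];
    size_t  cookie_len;
};

/* The unchecked pattern is memcpy(out->cookie, msg + 3, msg[2]): the length
 * byte is set by the peer and can be up to 255, so it can exceed both the
 * destination buffer and the number of bytes actually received. */
enum hvr_status hvr_parse(const uint8_t *msg, size_t msg_len, struct hvr *out)
{
    size_t claimed;

    if (msg == NULL || out == NULL || msg_len < 3)
        return HVR_MALFORMED;            /* need version + length byte */

    claimed = msg[2];
    if (claimed != msg_len - 3)
        return HVR_MALFORMED;            /* length byte disagrees with input */
    if (claimed > sizeof out->cookie)
        return HVR_COOKIE_TOO_LONG;      /* would overflow the destination */

    memcpy(out->version, msg, 2);
    memcpy(out->cookie, msg + 3, claimed);
    out->cookie_len = claimed;
    return HVR_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t SAMPLE_OK[]    = { 0xfe, 0xfd, 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t SAMPLE_SHORT[] = { 0xfe, 0xfd, 0x10, 0x01, 0x02 };
static const uint8_t SAMPLE_LONG[3 + 64] = { 0xfe, 0xfd, 0x40 }; /* 64-byte cookie */

int main(void)
{
    struct hvr h;

    printf("well-formed:      %d\n", hvr_parse(SAMPLE_OK, sizeof SAMPLE_OK, &h));
    printf("length mismatch:  %d\n", hvr_parse(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &h));
    printf("oversized cookie: %d\n", hvr_parse(SAMPLE_LONG, sizeof SAMPLE_LONG, &h));
    return 0;
}
```

Both checks are needed: the first stops reads past the received data, the second stops writes past the fixed-size destination.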

Another vulnerability highlighted by Google is CVE-2024-23704, an elevation of privilege (EoP) vulnerability in the System component that affects Android 13 and Android 14.

This vulnerability could lead to local escalation of privilege with no additional execution privileges needed. Local privilege escalation happens when one user acquires the system rights of another user. This could allow an attacker to access information they shouldn’t have access to, or perform actions at a higher level of permissions.

Pixel users

Google warns Pixel users that there are indications that two high severity vulnerabilities may be under limited, targeted exploitation. These vulnerabilities are:

  • CVE-2024-29745: An information disclosure vulnerability in the bootloader component. Bootloaders are one of the first programs to load and ensure that all relevant operating system data is loaded into the main memory when a device is started.
  • CVE-2024-29748: An elevation of privilege (EoP) vulnerability in the Pixel firmware. Firmware is device-specific software that provides basic machine instructions that allow the hardware to function and communicate with other software running on the device.

On Pixel devices, a security patch level of 2024-04-05 resolves all these security vulnerabilities.



Trusted Advisor now available for Mac, iOS, and Android  

First released for Windows last year, the Malwarebytes Trusted Advisor dashboard is also now available on Mac, iOS and Android. 

Our Trusted Advisor dashboard provides an easy-to-understand assessment of your device’s security, with a single comprehensive protection score, and clear, expert-driven advice. 

In our recent report, “Everyone’s afraid of the internet, and no-one’s sure what to do about it,” we found that only half of the people surveyed feel confident they know how to stay safe online and even fewer are taking the right measures. 

So, though the fears are big, they are followed by very little action. We want to make things easy for our customers so they know what they should be doing, and how. 

Computer security can be difficult and time consuming, especially if you consider all the different devices and operating systems. We want to help our customers, whatever they use. 

Getting it right means knowing what software needs to be updated, whether your system settings are configured securely, and running active protection that can uncover hidden threats. 

Getting it wrong means leaving gaps in your defences that malware, criminal hackers, and other online threats can sneak through. 

Trusted Advisor takes away the guesswork by delivering a holistic assessment of your security and privacy in a way that’s easy to understand, making issues simple to correct. It combines the proven capabilities of Malwarebytes with the knowledge of the brightest industry experts to give you an expert assessment that puts you one step ahead of the cybercrooks. 

Protection score

At the heart of Trusted Advisor is a single, easy-to-understand protection score. If you’re rocking a 100% rating then you know you’re crushing it. 

If your score dips below 100%, we’ll explain why, and offer you a checklist of items to improve your security and boost your score. 

Trusted Advisor’s recommendations are practical and jargon-free, so they’re easy to action.

Trusted Advisor monitors various categories of information around security and privacy to assess your overall Protection Score (exact check points will depend on OS and license type):

  • Real-time protection monitors your device continuously, stopping and removing threats like malware as they appear. It’s vital for keeping you safe from the most destructive threats and the most common methods of infection, so Trusted Advisor will alert you if you aren’t fully protected. 
  • Software updates fix the coding flaws that cybercriminals exploit to steal data or put malware on your system. Staying up to date is one of the most important things you can do for your security, so Trusted Advisor has your back here too. 
  • General settings covers settings within Malwarebytes, Operating Systems, or your network preferences. Trusted Advisor checks for settings that may not be configured correctly. For example, on iOS it ensures you have defined a passcode for your device and activated web and call protection. 
  • Device scans are routine scans that seek out hidden threats on your system. Trusted Advisor will tell you if you get behind and need to run a scan manually. 
  • Online privacy helps you take a proactive stance on your privacy by hiding your IP address and blocking third-party ad trackers, making you harder to track on the web. Trusted Advisor monitors this so you only part with the personal information you intend to.
  • Device health guards against slowdowns and other performance problems. Trusted Advisor helps you get the most out of your system so that you aren’t left guessing whether it was malware grinding your device to a halt. 

Even with an excellent score, you can’t guarantee absolute safety, though it places you in the closest proximity to it. By following our recommendations, you’ll be in the best security situation you can be.

Try it today

If you’re an existing Malwarebytes customer you will get Trusted Advisor automatically, but if you’re in a hurry, you can go to Settings > About > Check for updates and get it right now. If you aren’t, you can get Trusted Advisor by downloading the latest version of Malwarebytes.

Free VPN apps turn Android phones into criminal proxies

Researchers at HUMAN’s Satori Threat Intelligence have discovered a disturbing number of VPN apps that turn users’ devices into proxies for cybercriminals without their knowledge, as part of a campaign called PROXYLIB.

Cybercriminals and state actors like to send their traffic through other people’s devices, known as proxies. This allows them to use somebody else’s resources to get their work done, it masks the origin of their attacks so they are less likely to get blocked, and it makes it easy for them to keep operating if one of their proxies is blocked.

An entire underground market of proxy networks exists to service this desire, offering cybercriminals flexible, scalable platforms from which to launch activities like advertising fraud, password spraying, and credential stuffing attacks.

The researchers at HUMAN found 28 apps on Google Play that turned unsuspecting Android devices into proxies for criminals. 17 of the apps were free VPNs. All of them have now been removed from Google Play.

The operation was dubbed PROXYLIB after a code library shared by all the apps that was responsible for enrolling devices into the criminal network.

HUMAN also found hundreds of apps in third-party repositories that appeared to use the LumiApps toolkit, a Software Development Kit (SDK) which can be used to load PROXYLIB. They also tied PROXYLIB to another platform that specializes in selling access to proxy nodes, called Asocks.

Protection and removal

Android users are now automatically protected from the PROXYLIB attack by Google Play Protect, which is on by default on Android devices with Google Play Services.

The affected apps can be uninstalled using a mobile device’s uninstall functionality. However, apps like these may be made available under different names in future, which is where apps like Malwarebytes for Android can help.

Recommendations to stay clear of PROXYLIB are:

Victims of novel attacks like PROXYLIB might notice slow traffic, because their bandwidth is in use for other purposes. And at some point their IP address may be blocked by websites and other services.

The researchers included a list of applications they uncovered as part of PROXYLIB. If you installed any of the apps on the list before they were removed from Google Play you will need to uninstall them.

