Google has been working to update how it handles text-to-speech (TTS) in Chrome on Android for a few months now. The feature was first noticed in beta in January, but now appears to be rolling out to more users with Chrome 125. Though it is still not fully ready just yet, 9to5Google reports, you can already enable it if you don't already have it.

Previously, to have your smartphone read webpages to you, you’d normally have to rely on Google Assistant on Android and Siri (plus Safari) on iPhone. While the new Listen to Page feature doesn’t appear to be coming to iOS anytime soon, it’s still nice to see Google baking this accessibility feature into Chrome itself.

9to5Google says that the new function appears to work on most text-heavy websites. However, you’ll need to wait for the page to fully load and then access the option from the three dot menu at the top of Chrome. If you don’t see the feature listed, just activate it through the Chrome flag chrome://flags/#read-aloud. Enter the bold text into the URL bar, press enter to access the settings, and turn it on.

On top of reading webpages to you, the feature also comes with various controls, including options for playback speed as well as the ability to highlight text and turn on auto-scroll. Google has also included several voice options, including selections for U.S., U.K., Indian, and Australian English voices. There are also several different pitches available to provide a more warm, calm, bright, or peaceful tone.

The control bar for the TTS feature will remain docked even if you open additional tabs, and playback will continue if you lock your device. However, if you close the browser—or even push it to the background for any reason—the reading will end. The feature also appears to be available in Chrome Custom Tabs, and it can be set as a toolbar shortcut to help avoid scrolling through the menu looking for it.

As it hasn’t officially rolled out (any access you might have right now is a preview), the feature is likely still being worked on in some fashion. As such, Google may make more changes—or even add new features—before fully releasing it. If you'd rather wait for the full release, Google’s Reading mode app remains a great alternative.

Google has notified Pixel users about an actively exploited vulnerability in their phones’ firmware.

Firmware is the code or program which is embedded into hardware devices. Simply put, it is the software layer between the hardware and the applications on the device.

About the vulnerability, Google said there are indications it may be:

“under limited, targeted exploitation.”

This could mean that the discovered attacks were very targeted, for example by state-sponsored actors or industry-grade spyware. However, it’s still a good idea to get these patches as soon as you can. And whether you have a Pixel or not, all Android users should make sure they’re using the latest version available, because the June 2024 security update addresses a total of 50 security vulnerabilities.

Updates to address this issue are available for supported Pixel devices, such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold.

For these Google devices, security patch levels of 2024-06-05 or later address this issue. You can find your device’s Android version number, security update level, and Google Play system level in your Settings app.

You should get notifications when updates are available for you, but it’s not a bad idea to manually check for updates. For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Technical details

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE for this vulnerability is:

CVE-2024-32896: an elevation of privilege (EoP) issue in Pixel firmware.

An elevation of privilege vulnerability occurs when an application gains permissions or privileges that should not be available to them. This can be a key element in an attack chain when a cybercriminal wants to move forward from initial access to a device to a full compromise.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

The June Pixel Feature Drop update has officially begun rolling out to Pixel users around the world. This month’s Feature Drop includes a slew of new updates for the Pixel 8 series—all the way from the 8 Pro to the cheaper 8a—as well as updates for the Pixel Watch 2 and even some older Pixel devices. Here’s what you can expect from this month’s big update.

First and foremost, it’s time to talk about Gemini. While Google has gone back and forth about Gemini’s availability on Pixel 8 in the past, the company’s latest claims that it would indeed come to the base Pixel 8 and the even cheaper Pixel 8a have finally come to fruition. We’ve already shown you how to enable Gemini on Pixel 8 and 8a—it’s enabled by default on the 8 Pro, so you don’t have to do anything extra. With the June Feature Drop, some Gemini Nano features are finally launching, starting with Summarize in Recorder—which can now detect and export transcripts of recordings into text files or even Google Docs.

Google has also added support for DisplayPort on all three Pixel 8s, allowing users to connect their phones to a second display via USB-C cable. This means you can now showcase your favorite movies or videos on the big screen, and some have speculated it could mean a desktop mode is in the works, too, which could resemble Samsung DeX, which allows you to turn your phone or tablet into a desktop computer in a way.

Another big feature—and one that I hope we’ll see added to other phones in the future—is Reverse Phone Number Lookup. Now, whenever an unknown number hits your recent call log, you can simply tap on it a couple of times, and Google will automatically perform a Google Search to look up the number and try to provide you with more information about it. It isn’t foolproof by any means, but it’s something I’m surprised we haven’t seen in phones already.

We already knew Google was making big changes to its Find My Device network, including making the Pixel 8, Pixel 8 Pro, and Pixel 8a detectable even when powered off. Now, Google has officially made the feature available, which could be enough to justify downloading the update on its own.

On the camera side of things, Pixel devices from the Pixel 6 up to the Pixel Tablet will now be able to automatically identify the best moment for your photo to be captured in HDR+ just with a single shutter press. This is just another way that Google continues to set its camera apart from other smartphone cameras.

The tech giant has also added manual lens picking on the Pixel 6 Pro, Pixel 7 Pro, Pixel 8 Pro, and Pixel Fold, allowing you to manually touch which camera you want to use at any given time. This should make it easier for photo-savvy users to customize their shots, instead of relying on Google to determine which camera is best.

Finally, Google has rolled out a new Google Home Favorites widget, giving you customizable smart home controls directly on your smartphone or tablet. Additionally, the company has brought Doorbell notifications to the Pixel Tablet when it's docked in hub mode, giving you a better view of who is at your door.

That's all the big changes coming to tablets and phones, but it's not everything. There's also new features for Pixel Watch and Pixel Watch 2. Perhaps the biggest additions are Car Crash Detection and Bicycle Fall Detection on the Pixel Watch 2. These will allow the watch to detect if you’ve fallen or been in a car crash and then will ask if you’re okay before calling emergency services or contacts.

Google Wallet has also received a minor upgrade on Pixel Watch, as Paypal has officially arrived for it. This, of course, isn’t just a Pixel-only thing, as Google announced the online payment service would be joining Google Wallet across Wear OS last month.

The last big feature coming to Pixel Watch is a new update for Google Home. This brings a new watch face complication and Wear OS tile to the watch. This should give you more control over your various smart home items. Again, this isn’t a Pixel-only thing, as the feature was previously available on other Wear OS devices. This is, however, the first time it’ll appear on Pixel Watch.

Android’s June 2024 security update resolves 37 vulnerabilities, including high-severity flaws in Framework and System.

The post 37 Vulnerabilities Patched in Android appeared first on SecurityWeek.

Google garnered quite a bit of backlash when it previously suggested the Pixel 8 wouldn’t get Gemini Nano, thus disallowing its base smartphone from on-device AI features. However, it recently went back on that decision, saying that it would actually bring AI features to the Pixel 8 and Pixel 8a after all. Now, reports indicate that Gemini Nano may soon be rolling out to the Pixel 8. The AI features themselves don't seem to be available just yet, but the option to enable them is, so it's a good idea to lay that groundwork now before the features actually roll out.

While many updates to your device might automatically have new features enabled by default, the Pixel 8's Gemini Nano features need to be enabled. That’s because the features that Nano will offer weren’t technically activated on the device’s chip just yet. To get around this, Google has now added a toggle that will turn on Gemini, but you’ll have to access the Android AICore features on your phone to set it up.

How to activate Gemini on Pixel 8

To activate Gemini on Pixel 8, you’ll first need to enable developer settings. To do this, navigate to Settings > About Phone and find the build number in the list (it’s down near the bottom).

Tap the build number seven times. You should see a popup saying that developer mode has been enabled.

To activate Gemini on Pixel 8, navigate to Settings > System > Developer options > AICore Settings.

If you have the toggle available on your phone, it should appear as an option in the list that reads Enable on-device Gemini features.

Tap the toggle to turn it on, and boom, you’ve activated Gemini features.

So what does that do exactly? Unfortunately, right now, it doesn’t really do anything. Google hasn’t released any of the on-device Gemini features to the Pixel 8, so we’ll need to wait for Google to add them to the device in a future Android Feature Drop—speaking of, Google just dropped eight new features in May’s feature drop.

Until the Gemini features actually release, this toggle doesn’t appear to do anything. But, having it enabled will prepare your device for any future feature releases ahead of time.

This week, security research group Zscaler reported they had discovered over 90 malicious Android apps available on the Play Store. The apps had been installed more than 5.5 million times collectively, and many were part of the ongoing Anatsa malware campaign, which has targeted more than 650 apps tied to financial institutions.

As of February of 2024, Anatsa infected at least 150,000 devices via several decoy apps, many of which are marketed as productivity software. While we don't know the identities of most of the apps involved in this latest attack, we do know about two: PDF Reader & File Manager, as well as QR Reader & File Manager. At the time of Zscaler’s investigation, the two apps had garnered over 70,000 installs between them.

How these malicious apps infect your phone

Despite Google’s review process for apps applying to the Play Store, malware campaigns like Anatsa are sneaky, and can utilize a multi-stage payload loading mechanism to help them evade these reviews. In other words, the app masquerade as legitimate, and only start a stealthy infection once installed on the user's device.

You might think you're downloading a PDF reader, but once installed and opened, the "dropper" app will connect to a C2 server and retrieve the configurations and essential strings that it needs. It will then download a DEX file containing the malicious code and activate it on your device. From there, the Anatsa payload URL is downloaded through a configuration file, and that DEX file installs the malware payload, completing the process and infecting your phone.

Luckily, all identified apps have been removed from the Play Store, and their developers have been banned. However, that won't delete these apps from your smartphone if you downloaded them. If you have either of these two apps on your phone, uninstall them immediately. You should also change the passcodes of any banking apps that you might have used on your phone to avoid your accounts being accessed by the threat actors behind Anatsa.

How to avoid malware apps

While malicious developers can be tricky with their attacks, there are some tips you can follow to determine if an app on the Play Store is legitimate. The first is to really pay attention to the app's listing: Look at its name, the description, and its images: Does everything match with the service the developers are advertising? Is the copy well written, or is it riddled with mistakes? The less professional the page appears, the more likely it is to be a fake.

Only download apps from publishers you can trust. This is especially true if you’re downloading a popular app, as malware apps sometimes impersonate high-profile apps on phones and other devices. Double-check the developer behind the app to make sure they're who they purport to be.

You should also check the requirements and permissions that the app asks for. Anything that asks for accessibility should usually be avoided, as this is one of the main ways that malware groups bypass the security parameters placed on many newer devices. Other permissions to look out for include apps asking for access to your contact list and SMS. If a PDF reader wants your contacts, that's a big red flag.

Read through the reviews for the app, as well. Watch out for apps that don't have many ratings, or ones where all the reviews seem suspiciously positive.

The app's support email address can also be telling. Many malware apps will have a random Gmail account (or other free email account) tied to their support email. While not every app will have a professional email listed for support, you can usually tell if something might be sketchy based on the information that the group provides.

Unfortunately, there’s no surefire way to avoid malware apps unless you don’t install apps at all. But, if you’re mindful of the apps that you’re installing and pay attention to the permissions, developer, and other important information, you can usually pick up on whether or not an app is sketchy.

New features are the best part of any software update, but surprise new features are even better. Google just announced a new feature drop today, complete with eight new features to try on your Android device. Surprisingly, these features don't have too much to do with AI, Google's big focus right now. Seeing as its AI Overviews project is going quite poorly, it's almost refreshing to see a handful of traditionally useful features coming to Android.

You can now edit your sent messages

Google is finally rolling out the ability to edit your RCS messages after you've sent them. You have 15 minutes after sending a message to make any changes. To find the option, long-press on the message. Google didn't clarify whether there was a limit to the number of times you could change a message before that 15 minute timer expired, but the change puts the company in line with other messaging platforms like iMessage and WhatsApp.

New Emoji Kitchen combinations

Emoji Kitchen is a feature that lets you combine compatible emojis together to create something brand new. (For example, a winking emoji and a ghost emoji become a winking ghost.) Google is now releasing new combinations for the feature, but they haven't listed all possible combos just yet. In the press release, they highlight only one combination, headphones and disco ball, as a way to "get ready for festival season." Presumably, there are more to discover, however.

Switch between devices during a Google Meet call

Going forward, you'll be able to jump between your connected devices while on a Google Meet call. To do so, tap the Cast button and swap from, say, your web browser to your Android phone or tablet. This is a great feature for those of us who need to leave our desktops during a meeting, but want to keep up with the call. It's also great for the opposite: If someone calls you on your phone while you're out and about, but you're still chatting when you get back home, you can switch to your computer and wrap up the call from your desk.

Join your hotspot without the password

Google is rolling out "instant hotspot," which will let you connect your Android tablet or Chromebook to your phone's hotspot without needing to punch in the password each time. It's a small but welcome change that should make connecting to your hotspot feel a bit more like connecting to a known wifi network. (Even if you still have to choose to connect to your hotspot each time.)

Google Home Favorites widget

The Google Home Favorites widget is now available on the home screen for those who sign up for Public Preview. With it, you can control smart devices from your phone's home screen without needing to open the Google Home app first. I can see this being particularly convenient for quick actions, like turning smart lights on and off, or checking in on stats for devices like smart thermostats.

Google Home Favorites on Wear OS

In addition, Google is making a Google Home Favorites tile and complication (essentially a feature on the watch face) for your Wear OS smartwatch. So, same deal as above, just on your watch, if you'd prefer to adjust your smart home devices from your wrist.

PayPal is now on Google Wallet on Wear OS

In an update to Google Wallet, PayPal is now an option when paying for something with your Wear OS smartwatch, at least if you're in the U.S. or Germany.

Digital car keys

Google is taking this moment to roll out digital car keys on Android, starting with "select MINI models," and extending to select Mercedes-Benz and Polestar models at a later date. When you have a car that supports the feature, you'll be able to lock, unlock, or start your car with your phone, as well as share digital car keys with trusted contacts. Digital car keys, like those on iOS, are a slow-growing technology for a myriad of reasons, including cybersecurity and a lack of standardization. The more companies like Google embrace the tech, the likelier it is auto manufacturers will want to add the feature to their cars.

---

If you're looking for a new Android phone to try out these new features (as well as the rest Android has to offer), check out some of these recommendations from our sister site PCMag:

Android devices come with location services. Some apps need access to location services to function properly. However, there may be reasons why you don’t want your device to be located, often because you don’t want to be found and the device is always with you.

Depending on who you are trying to hide your location from, there are several levels of hiding your location.

Disclaimer: the exact instructions for your make and model of Android device may look a bit different.

Turn off location for particular apps

There are apps active on most Android devices that could give away the location of the device. To check which apps have access to your device’s location:

• Swipe down from the top of the screen.
• Find the Location icon
• Touch and hold Location.
• Tap App location permissions.
• Under Allowed all the time, Allowed only while in use, and Not allowed, find the apps that can use your device’s location.
• To change the app’s permissions, tap it. Then, choose the location access for the app.
• If you see any apps that you don’t recognize, be sure to turn the permission off.

Turn off location entirely

Alternatively, you can turn Location off entirely:

• Swipe down from the top of the screen.
• Find the location icon
• If it’s highlighted, tap it to turn it off.
• You’ll see a warning that some apps may not function properly. Confirm by tapping Close.

Turn off Find My Device

Find My Device is a service which makes your device’s most recent location available to the first account activated on the device. Find My Device is included with most Android phones, and it’s automatically turned on once you add a Google account to your device.

How to turn off Find My Device:

• Open Settings.
• Tap (Biometrics &) Security.
• Tap Find My Device, then tap the switch to turn it off.

Turning off Find My Device may backfire if you ever truly need to find your device because you lost it. But if someone may have the login credentials for the Google account associated with the phone, you may want to turn it off.

The last resort is to turn your phone off.

Even in airplane mode, GPS on your phone is still working. As long as a phone isn’t turned off, it’s possible to track the location because the device sends signals to nearby cell towers. Even when it’s turned off, the service provider or internet provider can show the last location once it’s switched back on.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

With the release of the Google Pixel 8 lineup last fall, the Pixel 7 lineup understandably lost some of its luster. But these are still great phones and very appealing at the right price—and I would argue that Woot has found it.

Until June 1 (or while supplies last), you can get a new, unlocked Google Pixel 7 Pro for more than 50% off its original $899 price, with the 128GB model starting at $399.99. And if you'd rather save some more money over having a fancier camera, the 128GB Google Pixel 7 is $354.99 (originally $599.99) after a 41% discount. (Note that Woot only ships to the 48 contiguous U.S. states in the U.S. If you have Amazon Prime, you get free shipping; otherwise, it’ll be $6.)

During Black Friday, the 256GB Pixel 7 Pro reached $699 on Best Buy and Amazon and later dropped to $599 around Christmas. Now you can get the 256GB version for $439.99, the lowest price I've seen (even cheaper than Amazon). The same goes for the 128GB and 512GB versions. I think 128GB will be enough space for most people, but doubling the storage for $40 is not a bad deal. When the Google Pixel 7 Pro came out in October of 2022, our friends at PCMag named it the best Android phone on the market and gave it an "excellent" rating.

When Google released both of these phones, the Pixel 7 had a strong leg to stand on, with a $300 difference that justified its place. Right now, the difference between both of these phones is $45. The Pixel Pro has a better telephoto camera, better Super Res Zoom, and a larger display with a slightly better refresh rate, as pointed out by Senior Tech Editor Jake Peterson in the head-to-head breakdown of these phones. But if you don't care about those things, spend that $45 on a very nice phone case.

In general, Pixel phones are impressive devices and my personal favorite smartphones. My Pixel 6a is still going strong, though at this price, I'd consider upgrading, were it giving me any problems at all. Alas, I'll have to restrain myself for a while longer: As Google continues to offer even older Pixels security fixes as well as quarterly feature updates (including the "circle to search" capability), my 6a will be well supported for years to come—and the Pixel 7 Pro should last you even longer.

The idea behind the software is simple. When the spying party installs the stalkerware, they grant permission to record what happens on the targeted Android or Windows device. The observer can then log in on an online portal and activate recording, at which point a screen capture is taken on the target’s device.

What goes around comes around, you might say. As you may have read many times before on our blog, some spyware companies have a surprisingly low standard of security .

In 2021, we reported that “employee and child-monitoring” software vendor pcTattletale hadn’t been very careful about securing the screenshots it sneakily took from its victims’ phones. A security researcher found an issue while using a trial version of pcTattleTale, noticing that the company uploaded the screenshots to an unsecured online database (meaning anyone could view the screenshots as they weren’t protected by any form of authentication—such as a user name and password).

Last week another security researcher, Eric Daigle, found the company appears to have learned nothing from its previous security issue. Daigle found that pcTattletale’s Application Programming Interface (API) allows any attacker to access the most recent screen capture recorded from any device on which the spyware is installed. Despite repeated warnings from Daigle and others, no improvements were made.

Then, yet another researcher found yet another bug in pcTattletale which allowed them to gain full access to the backend infrastructure. This allowed them to deface the website and steal the AWS credentials which turned out to be the same for all devices. Amazon has now locked pcTattletale’s entire AWS infrastructure.

After a quick sweep, stalkerware researcher, Maia Crimew stated:

“pcTattletale currently holds over 17 terabytes of victim device screenshots (upwards of 300 million of them from over 10 thousand devices), with some of them dating back to 2018.”

According to 2023 research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

Given the low security of the apps available to home users, this is extremely concerning. Installing monitoring software is not just a huge invasion of privacy, there is a big chance that it will backfire.

Removing stalkerware

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware-type apps from your device. It is good to keep in mind however that by removing the stalkerware-type app you will alert the person spying on you that you know the app is there.

Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes can help you.

1. Open your Malwarebytes dashboard
2. Tap Scan now
3. It may take a few minutes to scan your device.

 If malware is detected you can act on it in the following ways:

• Uninstall. The threat will be deleted from your device.
• Ignore Always. The file detection will be added to the Allow List, and excluded from future scans. Legitimate files are sometimes detected as malware. We recommend reviewing scan results and adding files to Ignore Always that you know are safe and want to keep.
• Ignore Once: A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete. This option will ignore the detection this time only. It will be detected as malware on your next scan.

On Windows machines Malwarebytes detects pcTattleTale as PUP.Optional.PCTattletale.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Sort the Court is a charmingly addictive "kingdombuilder" of sorts that's perfect for a lazy Saturday. Designed and written by Graeme Borland in just 72 hours for Ludum Dare 34, the game casts you as a new monarch who must judiciously grow your realm's wealth, population, and happiness with an eye toward joining the illustrious Council of Crowns... all by giving flat yes-or-no answers to an endless parade of requests from dozens of whimsical subjects. It's possible to lose, and the more common asks can get a bit repetitive, but with hundreds of scenarios and a number of longer-term storylines, the game can be won in an hour or two while remaining funny and fresh. See the forum or the wiki for help, enjoy the original art of Amy "amymja" Gerardy and the soundtrack by Bogdan Rybak, or check out some other fantasy decisionmaking games in this vein: Borland's spiritual prequel A Crown of My Own - the somewhat darker card-based REIGNS - the more expansive and story-driven pixel drama Yes, Your Grace (reviews), which has a sequel due out this year

Some of our loyal readers may remember my little mishap when I was able to track my wife by accident after inadvertently adding myself to her phone as a user.

For exactly that reason we want to warn against sharing devices and at least show you how to remove other people’s accounts from your device.

The steps may be slightly different depending on your Android version, device type, and vendor, but most users should be able to follow these steps.

For the primary user:

• Open Settings
• Tap System > Multiple users.

If you can’t find this setting, try searching your Settings app for users.

• Tap the name of the user you want to remove.
• Tap Delete user > Delete. If successful, the user will be removed from the list.
• If you want to stay the only user, you can turn the Multiple users feature off.

If you’re not the primary user (you can’t delete the primary user):

• Under Multiple Users tap More (three stacked dots).
• Tap Delete [username] from this device. Important: You can’t undo this.
• The device will switch to the owner’s profile.

Note: Android devices allow two types of additional users:

• Secondary user: This is any user added to the device other than the system user. Secondary users can be removed (either by themselves or by an admin user) and cannot impact other users on a device. These users can run in the background and continue to have network connectivity.
• Guest user: Temporary secondary user. Guest users have an explicit option to quickly delete the guest user when its usefulness is over. There can be only one guest user at a time.

Another privacy issue can be caused by having additional accounts on the device. Accounts are contained within a user but are not linked to a particular user. The tracking issue I discussed was caused by adding one of my Google accounts to my wife’s phone.

To remove unwanted accounts:

• Under Settings, tap on Accounts and Backups
• Then tap on Manage Accounts
• Select the account you want to remove and you will see the option to do that.

If you’re having trouble finding any of these settings on your specific Android device, reach out through the comments and when we can, we’ll add as many specific instructions as possible to the post.

Google is boosting fraud and malware protections in Android 15 with live threat detection and expanded restricted settings.

The post Android 15 Brings Improved Fraud and Malware Protections appeared first on SecurityWeek.

Google released Android 15 beta 2 today, and with it, they unveiled some more of the new features coming to Android later this year when the final release lands. Android 15 comes with something called a private space, an area with an extra layer of authentication where you can keep applications and data hidden away, such as banking applications or health data. It’s effectively a separate user profile, and shows up as a separate area in the application drawer when unlocked. When locked, it disappears entirely from sight, share sheets, and so on.

Another awesome new feature is Theft Detection Lock, which uses Google “AI” to detect when a phone is snatched out of your hands by someone running, biking, or driving away, and instantly locks it. Theft like this is quite common in certain areas, and this seems like an excellent use of “AI” (i.e., accelerometer data) to discourage thieves from trying this.

There’s also a bunch of smaller stuff, like custom vibration patterns per notification, giving applications partial access to only your most recent photos and videos, system-wide preferences for which gender you’d like to be addressed as in gendered languages (French gets this feature first), and a whole lot more.

Developers also get a lot to play with here, from safer intents to something like ANGLE:

Vulkan is Android’s preferred interface to the GPU. Therefore, Android 15 includes ANGLE as an optional layer for running OpenGL ES on top of Vulkan. Moving to ANGLE will standardize the Android OpenGL implementation for improved compatibility, and, in some cases, improved performance. You can test out your OpenGL ES app stability and performance with ANGLE by enabling the developer option in Settings -> System -> Developer Options -> Experimental: Enable ANGLE on Android 15.

↫ Android developer blog

You can install Android 15 beta 2 on a number f Pixel devices and devices from other OEMs starting today. I installed it on my Pixel 8 Pro, and after a few hours I haven’t really noticed anything breaking, but that’s really not enough time to make any meaningful observations.

Google also detailed Wear OS 5.

Later this year, battery life optimizations are coming to watches with Wear OS 5. For example, running an outdoor marathon will consume up to 20% less power when compared to watches with Wear OS 4. And your fitness apps will be able to help improve your performance with the option to support more data types like ground contact time, stride length and vertical oscillation.

↫ Android developer blog

Wear OS 5 will also improve the Watch Face Format with more complications, which is very welcome, because the selection of complications is currently rather meager. Wear OS 5 will also ship later this year.

Google I/O, the company’s developer conference, started today, but for the first time since I can remember, Android and Chrome OS have been relegated to day two of the conference. The first day was all about “AI”, most of which I’m not even remotely interested in, except of course where it related to Google’s operating system offerings.

And the company did have a few things to say about “AI” on Android, and the general gist is that yeah, they’re going to be stuffing it into every corner of the operating system. Google’s “AI” tool Gemini will be integrated deeply into Android, and you’ll be able to call up an overlay wherever you are in the operating system, and do things like summarise a PDF that’s on screen, summarise a YouTube video, generate images on the fly and drop them into emails and conversations, and so on.

A more interesting and helpful “AI” addition is using it to improve TalkBack, so that people with impaired vision can let the device describe images on the screen for them. Google claims TalkBack users come across about 90 images without description every day (!), so this is a massive improvement for people with impaired vision, and a genuinely helpful and worthwhile “AI” feature.

Creepier is that Google’s “AI” will also be able to listen along with your phone calls, and warn you if an ongoing conversation is a scamming attempt. If the person on the other end of the line claiming to be your bank asks you to move a bunch of money around to keep it safe, Gemini will pop up and warn you it’s a scam, since banks don’t ask you such things. Clever, sure, but also absolutely terrifying and definitely not something I’ll be turning on.

Google claims all of these features take place on-device, so privacy should be respected, but I’m always a bit unsure about such things staying that way in the future. Regardless, “AI” is coming to Android in a big way, but I’m just here wondering how much of it I’ll be able to turn off.

Now that Android – since version 13 – ships with the Android Virtualisation Framework, Google can start doing interesting things with it. It turns out the first interesting thing Google wants do with it is run Chrome OS inside of it.

Even though AVF was initially designed around running small workloads in a highly stripped-down build of Android loaded in an isolated virtual machine, there’s technically no reason it can’t be used to run other operating systems. As a matter of fact, this was demonstrated already when developer Danny Lin got Windows 11 running on an Android phone back in 2022. Google itself never officially provided support for running anything other than its custom build of Android called “microdroid” in AVF, but that’s no longer the case. The company has started to offer official support for running Chromium OS, the open-source version of Chrome OS, on Android phones through AVF, and it has even been privately demoing this to other companies.

At a privately held event, Google recently demonstrated a special build of Chromium OS — code-named “ferrochrome” — running in a virtual machine on a Pixel 8. However, Chromium OS wasn’t shown running on the phone’s screen itself. Rather, it was projected to an external display, which is possible because Google recently enabled display output on its Pixel 8 series. Time will tell if Google is thinking of positioning Chrome OS as a platform for its desktop mode ambitions and Samsung DeX rival.

↫ Mishaal Rahman at Android Authority

It seems that Google is in the phase of exploring if there are any OEMs interested in allowing users to plug their Android phone into an external display and input devices and run Chrome OS on it. This sounds like an interesting approach to the longstanding dream of convergence – one device for all your computing needs – but at the same time, it feels quite convoluted to have your Android device emulate an entire Chrome OS installation.

What a damning condemnation of Android as a platform that despite years of trying, Google just can’t seem to make Android and its applications work in a desktop form factor. I’ve tried to shoehorn Android into a desktop workflow, and it’s quite hard, despite third parties having made some interesting tools to help you along. It really seems Android just does not want to be anywhere else but on a mobile touch display.

Although Google has shown significant progress in recent weeks in improving RISC-V support in Android, it seems that we’re still quite a bit away from seeing RISC-V hardware running certified builds of Android. Earlier today, a Senior Staff Software Engineer at Google who, according to their LinkedIn, leads the Android Systems Team and works on Android’s Linux kernel fork, submitted a series of patches to AOSP that “remove ACK’s support for riscv64.” The description of these patches states that “support for risc64 GKI kernels is discontinued.”

↫ Mishaal Rahman

Google provided Android Authority with a statement, claiming that Android will continue to support RISC-V. What these patches do, however, is remove support for the architecture from the Generic Kernel Image, which is the only type of kernel Google certifies for Android, which means that it is now no longer possible to ship a certified Android device that uses RISC-V. Any OEM shipping a RISC-V Android device will have to create and maintain its own kernel fork with the required patches. This doesn’t seem to align with Google’s statement.

So, unless Google intends to add RISC-V support back into GKI, there won’t be any officially certified Android devices running on RISC-V. Definitely an odd chain of events here.

Today we’re taking the next step toward our vision for a more open computing platform for the metaverse. We’re opening up the operating system powering our Meta Quest devices to third-party hardware makers, giving more choice to consumers and a larger ecosystem for developers to build for. We’re working with leading global technology companies to bring this new ecosystem to life and making it even easier for developers to build apps and reach their audiences on the platform.

[…]

Meta Horizon OS is the result of a decade of work by Meta to build a next-generation computing platform. To pioneer standalone headsets, we developed technologies like inside-out tracking, and for more natural interaction systems and social presence, we developed eye, face, hand, and body tracking. For mixed reality, we built a full stack of technologies for blending the digital and physical worlds, including high-resolution Passthrough, Scene Understanding, and Spatial Anchors. This long-term investment that began on the mobile-first foundations of the Android Open Source Project has produced a full mixed reality operating system used by millions of people.

↫ Facebook’s blog

In summary, Facebook wants the operating system of their Quest series of virtual reality devices – an Android Open Source Project fork optimised for this use – to become the default platform for virtual reality devices from all kinds of OEMs. Today, they’re announcing that both Asus and Lenovo will be releasing devices running this Meta Horizon OS, with the former focusing on high-end VR gaming, and the latter on more general use cases of work, entertainment, and so on. Facebook will also be working together with Microsoft to create a Quest “inspired by Xbox”.

The Meta Quest Store, the on-device marketplace for applications and games, will be renamed to the Meta Horizon Store, and the App Lab, where developers can more easily get their applications and games on devices and in the hands of consumers as long as they meet basic technical and content guidelines, will be integrated into the Meta Horizon Store for easier access than before. In addition, in a mildly spicy move, Facebook is openly inviting Google to bring the Google Play Store to the VR Android fork, “where it can operate with the same economic model it does on other platforms”.

The odds of me buying anything from Facebook are slim, so I really hope this new move won’t corner the market for VR headsets right out of the gate; I don’t want another Android/iOS duopoly. I’m not particularly interested in VR quite yet – but give it a few more years, and I certainly won’t pass up on a capable device that allows me to play Beat Saber and other exercise-focused applications and games.

I just don’t want it to be a Facebook device or operating system.

In April’s update for the Android operating system (OS), Google has patched 28 vulnerabilities, one of which is rated critical for Android devices equipped with Qualcomm chips.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

If your Android phone is at patch level 2024-04-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L and 13. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Qualcomm CVE is listed as CVE-2023-28582. It has a CVSS score of 9.8 out of 20 and is described as a memory corruption in Data Modem while verifying hello-verify message during the Datagram Transport Layer Security (DTLS) handshake.

The cause of the memory corruption lies in a buffer copy without checking the size of the input. Practically, this means that a remote attacker can cause a buffer overflow during the verification of a DTLS handshake, allowing them to execute code on the affected device.

Another vulnerability highlighted by Google is CVE-2024-23704, an elevation of privilege (EoP) vulnerability in the System component that affects Android 13 and Android 14.

This vulnerability could lead to local escalation of privilege with no additional execution privileges needed. Local privilege escalation happens when one user acquires the system rights of another user. This could allow an attacker to access information they shouldn’t have access to, or perform actions at a higher level of permissions.

Pixel users

Google warns Pixel users that there are indications that two high severity vulnerabilities may be under limited, targeted exploitation. These vulnerabilities are:

• CVE-2024-29745: An information disclosure vulnerability in the bootloader component. Bootloaders are one of the first programs to load and ensure that all relevant operating system data is loaded into the main memory when a device is started.
• CVE-2024-29748: An elevation of privilege (EoP) vulnerability in the Pixel firmware. Firmware is device-specific software that provides basic machine instructions that allow the hardware to function and communicate with other software running on the device.

On Pixel devices, a security patch level of 2024-04-05 resolves all these security vulnerabilities.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

First released for Windows last year, the Malwarebytes Trusted Advisor dashboard is also now available on Mac, iOS and Android. 

Our Trusted Advisor dashboard provides an easy-to-understand assessment of your device’s security, with a single comprehensive protection score, and clear, expert-driven advice. 

In our recent report, “Everyone’s afraid of the internet, and no-one’s sure what to do about it,” we found that only half of the people surveyed feel confident they know how to stay safe online and even fewer are taking the right measures. 

So, though the fears are big, they are followed by very little action. We want to make things easy for our customers so they know what they should be doing, and how. 

Computer security can be difficult and time consuming, especially if you consider all the different devices and operating systems. We want to help our customers, whatever they use. 

Getting it right means knowing what software needs to be updated, whether your system settings are configured securely, and running active protection that can uncover hidden threats. 

Getting it wrong means leaving gaps in your defences that malware, criminal hackers, and other online threats can sneak through. 

Trusted Advisor takes away the guesswork by delivering a holistic assessment of your security and privacy in a way that’s easy to understand, making issues simple to correct. It combines the proven capabilities of Malwarebytes with the knowledge of the brightest industry experts to give you an expert assessment that puts you one step ahead of the cybercrooks. 

Protection score

At the heart of Trusted Advisor is a single, easy-to-understand protection score. If you’re rocking a 100% rating then you know you’re crushing it. 

If your score dips below 100%, we’ll explain why, and offer you a checklist of items to improve your security and boost your score. 

Trusted Advisor’s recommendations are practical and jargon-free, so they’re easy to action.

Trusted Advisor monitors various categories of information around security and privacy to assess your overall Protection Score (exact check points will depend on OS and license type):

• Real-time protection monitors your device continuously, stopping and removing threats like malware as they appear. It’s vital for keeping you safe from the most destructive threats and the most common methods of infection, so Trusted Advisor will alert you if you aren’t fully protected. 
• Software updates fix the coding flaws that cybercriminals exploit to steal data or put malware on your system. Staying up to date is one of the most important things you can do for your security, so Trusted Advisor has your back here too. 
• General settings covers settings within Malwarebytes, Operating Systems, or your network preferences. Trusted Advisor checks for settings that may not be configured correctly. For example, on iOS it ensures you have defined a passcode for your device and activated web and call protection. 
• Device scans are routine scans that seek out hidden threats on your system. Trusted Advisor will tell you if you get behind and need to run a scan manually. 
• Online privacy helps you take a proactive stance on your privacy by hiding your IP address and blocking third-party ad trackers, making you’re harder to track on the web. Trusted Advisor monitors this so you only part with the personal information you intend to. 
• Device health guards against slowdowns and other performance problems. Trusted Advisor helps you get the most out of your system so that you aren’t left guessing whether it was malware grinding your device to a halt. 

Even with an excellent score, you can’t guarantee absolute safety, though it places you in the closest proximity to it. By following our recommendations, you’ll be in the best security situation you can be.

Try it today

If you’re an existing Malwarebytes customer you will get Trusted Advisor automatically, but if you’re in a hurry, you can go to Settings > About > Check for updates and get it right now. If you aren’t, you can get Trusted Advisor by downloading the latest version of Malwarebytes.

Researchers at HUMAN’s Satori Threat Intelligence have discovered a disturbing number of VPN apps that turn users’ devices into proxies for cybercriminals without their knowledge, as part of a camapign called PROXYLIB.

Cybercriminals and state actors like to send their traffic through other people’s devices, known as proxies. This allows them to use somebody else’s resources to get their work done, it masks the origin of their attacks so they are less likely to get blocked, and it makes it easy for them to keep operating if one of their proxies is blocked.

An entire underground market of proxy networks exists to service this desire, offering cybercriminals flexible, scalable platfroms from which to launch activities like advertising fraud, password spraying, and credential stuffing attacks.

The researchers at HUMAN found 28 apps on Google Play that turned unsuspecting Android devices into proxies for criminals. 17 of the apps were free VPNs. All of them have now been removed from Google Play.

The operation was dubbed PROXYLIB after a code library shared by all the apps that was responsible for enrolling devices into the ciminal network.

HUMAN also found hundreds of apps in third-party repositories that appeared to use the LumiApps toolkit, a Software Development Kit (SDK) which can be used to load PROXYLIB. They also tied PROXYLIB to another platform that specializes in selling access to proxy nodes, called Asocks.

Protection and removal

Android users are now automatically protected from the PROXYLIB attack by Google Play Protect, which is on by default on Android devices with Google Play Services.

The affected apps can be uninstalled using a mobile device’s uninstall functionality. However, apps like these may be made available under different names in future, which is where apps like Malwarebytes for Android can help.

Recommendations to stay clear of PROXYLIB are:

• Do not install apps from third-party websites.
• Do not install free VPNs.
• Use Malwarebytes for Android.

Victims of novel attacks like PROXYLIB might notice slow traffic, because their bandwidth is in use for other purposes. And at some point their IP address may be blocked by websites and other services.

The researchers included a list of applications they uncovered as part of PROXYLIB. If you installed any of the apps on the list before they were removed from Google Play you will need to uninstall them.

---

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.