Snowden latest: NSA planned sneak attacks on Android app stores

First Look The /e/ Foundation's de-Googled version of Android 10 has reached the market in a range of smartphones aimed at the privacy-conscious.

The idea of a privacy-centric version of Android is not new, and efforts to deliver are becoming friendlier all the time. The Register interviewed the founder of the /e/ Foundation in 2020, and reported on /e/ OS doing rather well in privacy tests the following year. Back then, the easiest way to get the OS was to buy a Fairphone, although there was also the option of reflashing one of a short list of supported devices.

Now there's another option: a range of brand-new Murena phones. The company supplied The Register with a Murena One for review, with a pre-release version of the /e/ OS installed.

A Linux distro for smartphones abandoned by their manufacturers, postmarketOS, has introduced in-place upgrades.

Alpine Linux is a very minimal general-purpose distro that runs well on low-end kit, as The Reg FOSS desk found when we looked at version 3.16 last month. postmarketOS's – pmOS for short – version 22.06 is based on the same version.

This itself is distinctive. Most other third-party smartphone OSes, such as LineageOS or GrapheneOS, or the former CyanogenMod, are based on the core of Android itself.

A critical flaw in the LTE firmware of the fourth-largest smartphone chip biz in the world could be exploited over the air to block people's communications and deny services.

The vulnerability in the baseband – or radio modem – of UNISOC's chipset was found by folks at Check Point Research who were looking for ways the silicon could be used to remotely attack devices. It turns out the flaw doesn't just apply to lower-end smartphones but some smart TVs, too.

Check Point found attackers could transmit a specially designed radio packet to a nearby device to crash the firmware, ending that equipment's cellular connectivity, at least, presumably until it's rebooted. This would be achieved by broadcasting non-access stratum (NAS) messages over the air that when picked up and processed by UNISOC's firmware would end in a heap memory overwrite.

Researchers at the University of California San Diego have shown for the first time that Bluetooth signals each have an individual, trackable, fingerprint.

In a paper presented at the IEEE Security and Privacy Conference last month, the researchers wrote that Bluetooth signals can also be tracked, given the right tools.

However, there are technological and expertise hurdles that a miscreant would have to clear today to track a person through the Bluetooth signals in their devices, they wrote.

Microsoft is continuing to lavish love on Android for Windows with an update to Android 12.1 that disables telemetry by default, although, as Microsoft notes, "this update may cause some apps to fail to launch."

Such are the delights of living on the bleeding edge of Windows test builds.

The update for the Windows Subsystem for Android arrived at the end of last week in the Windows Insider Dev Channel and comprises Android 12.1, a new settings app, and Windows integration improvements.

Spyware vendor Cytrox sold zero-day exploits to government-backed snoops who used them to deploy the firm's Predator spyware in at least three campaigns in 2021, according to Google's Threat Analysis Group (TAG).

The Predator campaigns relied on four vulnerabilities in Chrome (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003) and one in Android (CVE-2021-1048) to infect devices with the surveillance-ware. 

Based on CitizenLab's analysis of Predator spyware, Google's bug hunters believe that the buyers of these exploits operate in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, Indonesia, and possibly other countries.

Google IO Google I/O, the ad biz's annual developer conference, returned to the Shoreline Amphitheater in California's Mountain View on Wednesday, for the first time in three years. The gathering remained largely a remote event due to the persistence of COVID-19 though there were enough Googlers, partners, and assorted software developers in attendance to fill venue seats and punctuate important points with applause.

Sundar Pichai, CEO of Google parent Alphabet, opened the keynote by sounding familiar themes. He leaned into the implied sentiment, "We're here to help," an increasingly iffy proposition in light of the many controversies facing the company.

He said he wanted to explain how Google is advancing its mission in two ways, "by deepening our understanding of information so that we can turn it into knowledge and advancing the state of computing so that knowledge is easier to access no matter who or where you are."

A study has found more outdated apps in Apple's App Store and Google Play than actively updated ones. 

Analytics biz Pixalate – the outfit behind the study, titled The Abandoned Mobile Apps Report – told The Register its figures appear "to support Apple's apparent desire to 'clean up' abandoned apps," despite the unpopularity of the announcement with developers. The iGiant last month threatened to wipe away software from its store that hasn't been updated for a significant period of time.

The report consists of data from crawls of the Android and iOS app stores to look for what Pixalate classified as abandoned apps – those that have gone two or more years without an update. Between the two stores in the first quarter of 2022, Pixalate said it found more than 1.5 million abandoned apps, amounting to 33 percent of the more than five million apps it told The Register it examined. 

Microsoft patched 74 security flaws in its May Patch Tuesday batch of updates. That's seven critical bugs, 66 deemed important, and one ranked low severity.

At least one of the vulnerabilities disclosed is under active attack with public exploit code, according to Redmond, while two others are listed as having public exploit code.

After April's astonishing 100-plus vulnerabilities, May's patching event seems tame by comparison. However, "this month makes up for it in severity and infrastructure headaches," Chris Hass, director of security at Automox, told The Register. "The big news is the critical vulnerabilities that need to be highlighted for immediate action."

Arch tinkerer Gustave Monce has demonstrated Windows 11 running on a first-generation Surface Duo.

The Duo is famously an Android device but, fresh from showing that Windows 11 could be coaxed into running on a Lumia Windows Phone, Monce has worked his magic on Redmond's first effort at a foldable handset.

While Monce's work on the Lumia 950XL was more of an intellectual exercise, getting both screens working on the Duo is undeniably impressive. His adventures have been well documented on Twitter, with the engineer observing: "I think there might be a performance ~~gap~~ ocean between this and the Lumia 950 XL. Crazy what 4 years did in terms of SoC performance. Oh and thermals are very good."