Tag Archives: Android corner

2016: The Year of Spying Microwaves and Hijacked Cars

The security stakes only seem to be rising when it comes to the threats that affect us as modern-day consumers.

What behavior could a smart appliance reveal about you?


Over the past year, we have seen a list of notable mobile threats that put people’s privacy at risk. Previously unseen vulnerabilities surfaced, such as Certifi-gate and Stagefright, both of which can be exploited to spy on users. Certifi-gate put approximately 50 percent of Android users at risk, and Stagefright made nearly 1 billion Android devices vulnerable to spyware. In 2015, for the first time, cybercriminals were able to attack users on a vast level.

Another mobile threat on the rise in 2015 was mobile ransomware that uses asymmetric cryptography, which makes it nearly impossible to recover the encrypted data on a smartphone. The most common mobile threat in 2015 was adware, often apps disguised as fun gaming apps that provide little value and spam users with ads. We believe that 2016 will be the year in which we see threats moving from smartphones to smart homes, and beyond.

Total number of attacks on Android devices that Avast has detected in 2015


2016: Internet-connected devices will spell out your life to anyone who’s curious

In 2015, society got a taste of what the future might look like with the rise of Internet-connected devices. While we’ve now become accustomed to our smartphones, the possibilities for both users and hackers are growing exponentially when it comes to gadgets and systems that comprise the budding Internet of Things (IoT).

We often forget about many of the devices that, in reality, fit into the “smart” category. Smart devices and gadgets can include anything from thermostats to microwaves, smart locks to smoke detectors to children’s toys. Since we make use of these gadgets in our daily tasks and endeavors, an attack on their security could result in dire threats to our privacy and security.

Smart devices, such as household appliances, cars and wearables are basically our life companions. Unlike a smartphone, which holds information about our communications, contacts, photos and videos, smart devices reveal more specific information about our behavior, such as our driving, fitness, and cooking habits, or our children’s learning behavior.

This provides optimal opportunities for hackers to target personal data, including information collected by wearable, Internet-connected devices. What’s more, this data can be used by governments for law enforcement purposes and by businesses, like insurance companies, to restrict payments or medical procedures for people who may have previously made unwise financial or health-related decisions. This year, we could see the first country enact a law that would give certain industries authorization to exploit consumer data through information collected by smart devices.

Ransomware that could turn your devices against you

We already know how dangerous ransomware can be — this aggressive malware family locks individuals out of their devices and renders them useless, leaving users with little choice other than to pay a specified amount of money demanded by hackers in order to regain access to their device. On a smartphone, a factory reset helps to remove the ransomware, and if the user has conducted a backup, the harm is minor. However, if and when ransomware makes its way into the IoT sphere, we must be prepared in order to prevent our own devices from being manipulated and turning against us.

But 2016 could be the year when we witness our first serious car hack. This year, Land Rover has recalled 65,000 cars from the market because of a software bug that could lead to car theft. Taking this point a step further, imagine if your car’s software actually locked you out of your primary mode of transportation. What lengths would you go to if your personal security system locked you out of your own home? There’s a good chance that these issues will need to be dealt with as we move into the heyday of IoT.

Kids’ safety: toys that put children’s privacy at risk

Now, people should think twice before buying their children the newest trinket that they see in the window: while seemingly harmless, children’s toys can be wolves in sheep’s clothing when it comes to security. This can be seen in the recent VTech scandal, in which the manufacturer of network-enabled learning toys stored email addresses, physical addresses and passwords, as well as names and birth dates of more than 6 million children, without proper protection measures. Another example is the Internet-connected Hello Barbie doll that was vulnerable to hackers who could spy on children talking to their dolls.

These two examples could be the start of a rise in hacks in 2016 that jeopardize kids’ privacy. No longer are parents the only ones taking photos of their children: with smart kids’ devices storing photo and video footage, leaked files could easily make their way into the wrong hands. These files are then sent to servers, and often, it remains unclear what happens to these files, how they are secured and whether or not they are shared with third parties.

Children’s toys even have the ability to potentially affect a child’s success later in life — if schools choose to examine data supplied and exploited by Internet-connected educational toys, admittance processes could change, resulting in children’s lives being directly affected.

New year, new threats on the horizon

When it comes to dealing with security threats in 2016, the rule of thumb is this: Consumers should always stay one large step ahead of their smart devices. As these gadgets continue to obtain more capabilities and gather more of our information, it’s important that we retain our common sense when managing our security and personal privacy. Making use of security solutions on both computers and mobile devices is a reliable way to ensure that consumers remain in control of what belongs to them. While staying protected, we can confidently look forward to what’s in store as the new year continues to unfold.

 

Android security updates roll out to fight “Stagefright” type bug

Android Mediaserver vulnerability looks similar to the Stagefright bug.

Android mediaserver malware resembles Stagefright

Android owners may recall the Stagefright bug, the “worst ever Android vulnerability yet discovered”. That vulnerability exposed a billion (that’s nearly every) Android device on the face of the earth to malware.

The latest critical bug has similarities to Stagefright, but exists in Android’s mediaserver. Google warns that an attacker could use the bug to remotely run malware hidden in video or audio.

In an announcement published in the Nexus Security Bulletin for January, Google said it has fixed 12 vulnerabilities affecting Android versions 4.4.4 to 6.0.1. Five are rated as critical security bugs. Partners were notified about and provided updates for the issues on December 7, 2015 or earlier, said the post.

“The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.”

How to protect yourself from the Android bug

The good news is that Google says, “We have had no reports of active customer exploitation of these newly reported issues.” Because of enhancements in newer versions of the Android platform, exploitation for many issues on Android is made more difficult. Regardless, Google encourages all users to update to the latest version of Android where possible.

  1. Don’t ignore updates from Android – when you receive a notification about an update, accept it, and upgrade to the latest version of Android.
  2. Avoid opening video and audio files you receive via text or email. Delete all messages you get from any sender you do not recognize, without opening them first.
  3. We recommend users disable “auto retrieve MMS” within their default messaging app’s settings, as a precautionary measure for the moment. You can find detailed directions in the Avast FAQ.
  4. Install Avast Mobile Security on your Android devices.

Follow Avast on Facebook, Twitter, YouTube and Google+ where we keep you updated on cybersecurity news every day.

 

Notes from the 2016 AT&T Developer Summit

The 2016 AT&T Developer Conference took place on January 2-5 in Las Vegas, Nevada.


For nearly 10 years, AT&T has been bringing an annual developer conference to their partners and collaborators. This year, they creatively chose to combine their conference with a hackathon in order to encourage the participation of budding developers and to support young talent in achieving career-related goals.

This year’s conference and hackathon, which took place on January 2-5 in Las Vegas, Nevada, was packed with an array of topics split into six main sessions: devices and wearables, IoT, real-time communications, video, network advances and the connected home.

I’ve put together several of the sessions that stood out to me as especially relevant to the evolution of today’s technology.

Your world, protected and connected // Stephen Vincent

Abstract: Interactive security and home automation systems are evolving to become effortless for end users. Devices like smart thermostats learn the routines and patterns of users to ensure the consumer is returning home to their optimal temperature, thus increasing comfort and lowering home energy costs. Voice command and response systems allow users to speak naturally to their home security and automation system without learning complicated rules or programs. Lawn sprinklers and window blinds can be controlled by weather data indicating rain or shine. A day’s worth of user-generated surveillance video can be reviewed for significant events quickly and at the user’s convenience. Securing the home is a great benefit, but what about securing the personal IoT for the end user when not at home? In this session, we’ll discuss how Digital Life is a key contributor in the latest industry trends. We invite the developer community to join us on our quest to put the connected home to work for the end user.

View the slides from this session here.

Smartphones and beyond: Technologies for devices and IoT // Ginger Chien

Abstract: Smartphones, which will still be dominant in people’s lives for some time to come, have reached a state of maturity. This year’s phones will see mostly incremental advances offering improved capability and performance. Yet the smartphone will play an essential role through its familiar power and presence that will support the rising category of connected IoT devices, whether those be personal, wearable, distributed, or other forms yet to be seen. Join this session to learn about advances in the areas of smartphone and IoT device technology as well as get an idea of what the future of devices may hold.

View the slides from this session here.

Monetizing behavioral data analytics // Carole Le Goff and Dr. Brian Eriksson

Abstract: What can your home discover about your habits? When does a change in behavior at home demand intervention? How does this differ when considering yourself, or your teenager, or your mother across the country? This information can all be learned from home IoT sensor data combined with intelligent analytics, which can help you make a decision about how to act. Unfortunately, there is a wide gap between raw sensor data and actionable information. In this session, we will discuss gleaning behavioral context from this data and initial use cases to monetize this information. We’ll describe the science and challenges behind learning from IoT sensor data from the point of view of marketers and product managers explaining new revenue generating services as well as software engineers and data scientists.

View the slides from this session here.

Best Practices for the Unknown: Wearables, Devices & Things // Bill Weir and Pete Rembiszewski

Abstract: There are exciting new areas to explore in the bold new world of IoT and wearables, but there are also big land mines waiting for developers. Not only will we cover issues such as standards, security, network issues, data overload, and privacy, but also actionable tips, strategies, and techniques that developers can use to mitigate the risks.

View the slides from this session here.


As announced at the AT&T conference, a new tool called AT&T ARO helps users analyze their apps’ performance. Users can utilize the free diagnostic tool to improve their battery life, data usage, and responsiveness.

In addition to these valuable sessions led by highly talented speakers, Kevin Spacey was in attendance as the conference’s celebrity speaker. Spacey delivered a quality talk that emphasized the importance of companies making an effort to support and motivate young developers and IT professionals in their career paths.

This year’s AT&T conference and hackathon was a unique and educational experience. At Avast, we’re already looking forward to next year’s event!



Mutating mobile malware and advanced threats are on the horizon as we approach 2016

Bad guys know that people are moving their computing to mobile, so they are adapting


Yesterday, we walked you through a set of our 2016 predictions in regards to home router security, wearables and the Internet of Things. In addition to these important topics, mobile threats are not something that should be ignored as we move into 2016.

“Most people don’t realize that mobile platforms are not really all that safer or immune from attack than desktop platforms,” said Ondřej Vlček, COO of Avast. “Most people use mobile devices in a more naive way than they use a PC because they just don’t understand that this is a full blown computer that requires caution.”

Hackers have done their homework to prepare for the new year

Over the course of this year, we’ve seen a list of notable mobile threats that jeopardized the privacy and security of individuals. Our own mobile malware analyst, Nikolaos Chrysaidos, has a few ideas about several issues that could crop up in the new year:

  • Android malware that can mutate. This superintelligent family of malware is capable of altering its internal structure with new and improved functions, changing its appearance, and if left unmonitored, spreading on a viral scale. And yes, this concept is just about as scary as it sounds.
  • More security vulnerabilities that can be exploited as a result of fuzzing. This year, there was a good amount of research on fuzzing, making it more and more of a familiar concept to both good and bad guys within the digital world. Fuzzing is a technique that is used to discover security loopholes in software by inputting massive amounts of data, or fuzz, into a system with the intent of overloading and crashing it. Next year, these vulnerabilities could look similar to Stagefright, the unique and dangerous vulnerability that, when exploited, left mobile devices vulnerable to spyware.
  • Smarter social engineering techniques. Now that most people know about certain vulnerabilities and their potential consequences, hackers can use this knowledge to their advantage. For example, a hacker could trick users into installing their malware by telling them that an MMS is waiting for them but can’t be sent via text message due to risks associated with the Stagefright bug. Users are then prompted to click on a malicious download link. Although we could see more of these advancements in 2016, the concept isn’t completely new – this year, an example of this type of technique could be seen within OmniRat spy software.
  • APTs on mobile. In 2016, Advanced Persistent Threats (APTs) could be used to target politicians. This could be accomplished by using spyware (similar to Droidjack or OmniRat) in combination with specific social engineering techniques that could aid hackers in gaining access to powerful and influential individuals.

With this list of potential threats and risks in mind, it becomes clear that our mobile devices hold more value than just our apps and contacts. As hackers’ techniques grow smarter, it’s important that we do the same in regards to the way that we approach our security.

Protect your Android devices with Avast Mobile Security. That and other apps like our new Wi-Fi Finder and Avast Cleanup & Boost are free from the Google Play Store.


 


In 2016, your home will be a target for hackers

Your home and the devices in it will be a viable target for cybercrooks in 2016.

Back in the good ol’ days of the early 2000s until just a few years ago, all we had to be concerned about was security on our desktop computers and laptops. In the intervening years, mobile devices have become so ubiquitous that hackers have turned their sights on them, especially Android devices.

But starting in 2015, everyone began to realize just how close to home cybersecurity really is. Home networks are the new gateway, and 2016 will be the year that vulnerabilities in the Internet of Things (IoT) and wearable devices combined with weak home router security will lead to personal attacks.

Our internet-connected world will be increasingly difficult to secure


The weak link is your home router

“The security situation with home routers is actually pretty bad,” Ondrej Vlcek, COO of Avast told Fast Company. “Most of the companies do a relatively good job of . . . patching the vulnerabilities, but the problem is that no one updates the firmware in the routers. The user doesn’t at all, and usually the ISP doesn’t either.” He added that we saw the most attacks on routers by far in 2015.

“Right now, attackers are targeting routers en masse,” said Pavel Sramek, an Avast Virus Lab research analyst. “It’s highly probable that they’ll expand their target list to network-attached storage and “smart” TVs as well, since the security aspect of these devices has been almost completely neglected by their manufacturers so far.”

“Many of the companies and engineers don’t really think about security,” says Vlcek. Data, for example, is often transmitted without any encryption, making it easy to steal or fiddle with.

Since this is the time of year to look forward, I asked several of our Avast Virus Lab research analysts about what to expect in 2016 for home networks, wearable devices, and all the gadgets that make up the Internet of Things.

2015 was the biggest year for router attacks

Is it easy for hackers to break into home networks and is there enough motivation at this time to go to the trouble?

As it stands now, home networks are still not the easiest way for cybercrooks to hack into people’s lives, our team of experts agreed. “Not the easiest way, but too easy to be comfortable with,” said Sramek.

“As more and more devices are becoming smarter and connected to the net, through the Internet of Things, cybercrooks will have more chances to get into the personal home network,” said Sramek’s colleague in the Virus Lab, Nikolaos Chrysaidos.

The motivation is already there too.

“For years, (PC) viruses were the ultimate goal for the bad guy. The goal was to get their hands on users’ data, like credit card information, or to create botnet networks to allow them to send out spam or to do DDoS (distributed denial of service) attacks,” said Vlcek. In a similar manner, cybercrooks have already started to turn internet-connected home devices into “zombies to collect data.”

“The amount of attacks will rise rapidly in 2016,” said Sramek. “Turning IoT devices into zombies is half of their plan. The other is hijacking the network connections of users with devices that are difficult to attack otherwise, like iPhones.”

How do regular people make their home gateways smarter and more secure?

“As a bare minimum, people need an automated vulnerability scanner on a PC in their network, like Avast’s Home Network Security, to check for the most common issues leading to cyberattacks,” said Sramek.

Since we’re still in early days, can threats for IoT devices be eliminated before they get out of control?

Just like with PC and mobile security, home users can prevent many attacks by applying safe practices and using existing solutions like Avast’s Home Network Security to understand what the vulnerabilities are.

Jaromir Horejsi adds that in addition to educating users about badly configured and insecure home IoT devices, we could use “more secure web browsers, because Firefox, Chrome, and IE are so easy to hack.” He predicts that cybercrooks will create DDoS malware to infect various IoT devices with weak passwords, and that it will take a combination of home users knowing what they’re up against and manufacturers and ISPs taking more responsibility for safety to overcome the looming threat.

Do you expect to see an increase in attacks through wearable devices?

“In 2015, we have seen many vulnerabilities in wearables. Those vulnerabilities could be used by attackers to extract stored data and use them in personalized social engineering attacks,” said Chrysaidos.

“Today we are seeing a big shift toward social engineering attacks which are ingenious and sophisticated,” said Vlcek. Social engineering uses techniques to trick people into installing malware or adjusting settings that they don’t fully understand.

The biggest target for 2016 is mobile

Phones and tablets are the data collection points for most wearables and Internet of Things devices, so they are targeted for the data they store or the data that passes through them. Mobile devices – smartphones and tablets – are where people are now, and the bad guys know this.

“Bad guys today realize that most people are moving their computing to mobile,” said Vlcek. “They are catching up by coming up with new techniques that get the job done even without malware.”

“Phones store a lot of personal information nowadays that can be monetized in underground forums. As valuable data exist in our devices those can be treats, and targets, for the cybercrooks,” said Chrysaidos.

Visit our blog tomorrow to read about the upcoming mobile threats for 2016.



Find free, safe Wi-Fi hotspots with Avast’s new Wi-Fi Finder app

Avast Wi-Fi Finder helps you automatically connect to the nearest free Wi-Fi in your range


Avast Wi-Fi Finder saves your data and roaming fees by locating safe and reliable connections.

Install Avast Wi-Fi Finder now on your Android device.

Everyone loves free Wi-Fi. You can surf the web, check your email or newsfeed, make Skype video calls across the world, or stream games, movies, and music – without eating up your data plan. That’s a great deal! Or is it?

The problem with free Wi-Fi hotspots is they can’t be trusted to be safe and keep your data secure. Cybercrooks can eavesdrop on your conversations and even break in to steal personal information.

When you need to find safe Wi-Fi, use Avast Wi-Fi Finder

Our new mobile app, Avast Wi-Fi Finder, lets you instantly search for available networks on the map or browse through a list. Wherever you are in the world, you can always find a safe connection, because after a successful beta test, we launched the app with nearly 800,000 networks in our database. The more people who use Avast Wi-Fi Finder, the bigger and better that database will become.

Avast Wi-Fi Finder also tests the speed of the network and performs our unique Wi-Fi security check. In case a vulnerability is found, you can easily protect yourself with the integrated app Avast SecureLine VPN (a small fee applies).

Android users: Learn more about Avast Wi-Fi Finder or visit the Google Play Store to download Avast Wi-Fi Finder. You can thank us by leaving +1s and 5-star ratings on the Play Store with a review to help the next person.



Protect your phone while traveling for the holidays

Traveling can be stressful, but even more so during the holiday season. AAA projects that the number of year-end holiday travelers in the U.S. will top 100 million for the first time on record. Nearly one in three Americans will travel this holiday season and more than 100.5 million are expected to travel 50 miles or more from home.

Avast mobile apps help protect your smartphone when you are traveling


The one thing you really want to make sure you protect while you travel is your smartphone. Not only may you have your boarding pass on your smartphone, but more importantly, the hardware is expensive and it most likely contains a plethora of personal data.

There are two main ways your phone could be compromised while traveling, especially during the holidays: physical device loss and network threats.

Have an anti-theft app installed

Airports and train stations will be bustling with people, and you may have to dash to catch a flight or make a pit stop during a long car ride. In all of these situations, your phone is at risk – physical risk. Pickpockets prefer to work in high density areas, and it’s easy to lose things like your phone when you’re in a rush.

If you lose your phone, Avast Anti-Theft can help protect your data and help you find your phone.

With Anti-Theft, you can accomplish the following:

  • Remotely locate your phone on a map via GPS, Wi-Fi or mobile network
  • Remotely lock your phone
  • Be notified about a SIM card change — the new number and GPS location will be sent to your pre-selected friend
  • Remotely activate an alarm
  • Remotely wipe your phone
  • Remotely lock your phone’s settings app

Use a VPN when connecting to public Wi-Fi

Besides physical loss, your smartphone can be compromised when using public Wi-Fi. Using software that is readily available on the Internet, anyone can snoop on Wi-Fi traffic if they are connected to the same network as you are. This means they can see the websites you visit and, in some cases, even capture login information, which is why it is vital to use a VPN. VPN stands for virtual private network and serves as a private tunnel that encrypts your data while connected to open Wi-Fi and, thus, protects your data from being intercepted and read.

Avast SecureLine VPN is a great, affordable, one-click VPN. In addition to protecting your data, you can also choose which of the many Avast servers located around the world that you want to connect through. This allows you to circumvent geo-restrictions, so you can view content from your home country while traveling abroad.

Happy holidays and safe travels from Avast!



Retailers’ apps reveal your Christmas list to the public

By using some retailers’ apps to make your holiday wish list, more people than just Santa Claus can see your list. In fact, it may be accessible to anyone over the Internet!

America’s most popular retailers collect more information about you via apps than you may be comfortable with.

Recently, the Avast Security Warriors began looking into shopping apps to see what your favorite retailers know about you. They found that these apps, like many other apps out there, collect data and request permissions that are unnecessary for their app to function properly.

Initially, we were curious to see what retailers wanted to know about their customers based on the data they collect. We randomly chose apps from the following retailers: Home Depot, J.C. Penney, Target, Macy’s, Safeway, Walgreens and Walmart. In this blog post, we focus on Target and Walgreens.

You’re making your list and Target is checking it twice!

If you created a Christmas wish list using the Target app, it might be accessible to more people than you want to actually receive gifts from. The Target app keeps a database of users’ wish lists, names, addresses, and email addresses. But your closest family and friends may not be the only ones who know you want a new suitcase for your upcoming cruise!

To our surprise, we discovered that the Target app’s Application Programming Interface (API) is easily accessible over the Internet. An API is an interface through which a program sends a request and gets a structured answer back. The Target API also does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.

The JSON file we requested from Target’s API contained interesting data, like users’ names, email addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries. We did not store any personal information, but we did aggregate data from 5,000 inputs, enough for statistical analysis.
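The missing control described above, as an added example (not code from the original post and not Target's): the same registry lookup without an access check, next to a version that checks who is asking and trims what it returns. The store, field names, counter-based IDs and share token are assumptions made for illustration; the post does not say how the real IDs are formed.

```python
import secrets
from dataclasses import dataclass, field
from hmac import compare_digest

# What an invited guest needs to see versus what only the owner should see.
PUBLIC_FIELDS = ("name", "registry_type", "items")
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "shipping_address", "phone")


@dataclass
class Registry:
    owner: str                 # account that created the list
    name: str
    email: str
    shipping_address: str
    phone: str
    registry_type: str
    items: list
    # Hypothetical per-list secret that the owner hands to invited people.
    share_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class RegistryStore:
    """In-memory stand-in for the backend database (constructed)."""

    def __init__(self):
        self._rows = {}
        self._next_id = 1000   # constructed ID scheme, not the real one

    def add(self, registry):
        registry_id = self._next_id
        self._next_id += 1
        self._rows[registry_id] = registry
        return registry_id

    def get(self, registry_id):
        return self._rows.get(registry_id)


def _view(registry, fields):
    return {name: getattr(registry, name) for name in fields}


def lookup_unauthenticated(store, registry_id):
    """Behaviour the post describes: knowing an ID is enough to get everything."""
    registry = store.get(registry_id)
    if registry is None:
        return 404, None
    return 200, _view(registry, OWNER_FIELDS)


def lookup_hardened(store, registry_id, session_user=None, share_token=None):
    """Access depends on the caller, not on the ID being hard to guess.

    session_user must come from a verified session, never from the request body.
    """
    registry = store.get(registry_id)
    if registry is None:
        return 404, None
    if session_user is not None and session_user == registry.owner:
        return 200, _view(registry, OWNER_FIELDS)
    if share_token is not None and compare_digest(
        share_token.encode(), registry.share_token.encode()
    ):
        # Invited guests get the list itself, no contact details.
        return 200, _view(registry, PUBLIC_FIELDS)
    # Same answer as "no such list", so a caller cannot confirm which IDs exist.
    return 404, None


def demo():
    """Build a store holding one constructed record and return (store, id)."""
    store = RegistryStore()
    registry_id = store.add(Registry(
        owner="alice",
        name="Alice Example",
        email="alice@example.test",
        shipping_address="1 Constructed Way",
        phone="555-0100",
        registry_type="wish list",
        items=["suitcase"],
    ))
    return store, registry_id


if __name__ == "__main__":
    store, rid = demo()
    print("no access check:", lookup_unauthenticated(store, rid))
    print("hardened, anonymous:", lookup_hardened(store, rid))
    token = store.get(rid).share_token
    print("hardened, guest:", lookup_hardened(store, rid, share_token=token))
```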

 

An example of the data that we were able to obtain via Target’s API


Target doesn’t know if you’re naughty or nice, but they do know who you are 

We took the 5,000 random inputs, and out of curiosity, looked at which brands appear on their registry the most, which states the Target app users are from, and what the most common names of people using Target’s app are.

The top 10 brands on Target app users’ registries


Map showing where the 5,000 app users are from within the U.S.


There were more than 1,700 unique names in our sample – these are the top 20 names of Target app users.

Name          Count
Jasmine       162
Jamie         132
Jessica       79
Ashley        67
Jackie        67
Jordan        64
Amanda        58
Jennifer      55
Sarah         45
Jacqueline    41
John          39
Megan         38
Dominique     36
Heather       34
Amber         33
Jade          33
Melissa       32
Stephanie     32
Katie         31
Brittany      30

In addition to collecting personal data, the shopping apps we looked at also request a plethora of permissions.

The prize for the most unnecessary permissions requested by a retail app goes to…

If you want to choose a shopping app based on the number of unnecessary permissions it requests, then Walgreens is the app for you!

The Walgreens app not only requests permissions that are completely unnecessary for its app to function, but also requests more permissions than any of the other retail apps we looked at – see screenshot below. The Home Depot app came in close second in terms of unnecessary permissions requested.

Walgreens app

 

The Walgreens app has permission to change your audio settings, pair with Bluetooth devices, control your flashlight, and run at startup, none of which is necessary for the app to function properly. On the bright side, these retail apps aren’t the most permission-hungry apps we have ever seen; in fact, compared to other apps out there, they are decent.
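One way to review an app for the over-requesting described above, as an added example that is not part of the original post: compare the permissions in a decoded AndroidManifest.xml with the permissions the app's features can justify. The manifest and feature list are constructed for a hypothetical retail app; the last four entries are Android permission names that match the capabilities listed above, chosen here as an assumption rather than taken from the real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed manifest for a hypothetical retail app, not from a real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.retailshop">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
    <uses-permission android:name="android.permission.FLASHLIGHT" />
    <uses-permission-sdk-23 android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
    <application android:label="Retail Shop" />
</manifest>"""

# Reviewer's statement of what the app does and which permissions that needs
# (assumed feature list for the hypothetical app).
DECLARED_FEATURES = {
    "online catalogue and checkout": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
    },
    "barcode scanning": {"android.permission.CAMERA"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest asks for."""
    # Manifests pulled from untrusted APKs should not carry a DTD; refusing
    # one avoids entity-expansion tricks in the XML parser.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("manifest must not contain a DTD")
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in PERMISSION_TAGS:
        for element in root.findall(tag):   # direct children of <manifest>
            name = element.get(NAME_ATTR)
            if name:
                found.add(name)
    return found


def audit_permissions(manifest_xml, features):
    """Split requested permissions into justified and unjustified ones."""
    requested = requested_permissions(manifest_xml)
    justified = {}
    for feature, permissions in features.items():
        for permission in permissions & requested:
            justified.setdefault(permission, feature)
    return {
        "justified": justified,
        "unjustified": sorted(requested - set(justified)),
    }


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST, DECLARED_FEATURES)
    for permission in report["unjustified"]:
        print("no feature needs:", permission)
```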

But, now imagine what could happen if this valuable customer data landed in the wrong hands. The ways this data could be misused are far and wide. It is, therefore, important that people are aware of how many permissions they grant the apps they use and understand what data the apps collect.

Stay tuned for more as we investigate the vulnerabilities of mobile apps and the need for mobile security.


Autumn 2015: A season full of Android conferences

David Vávra is our team’s talented Google Developer Expert (GDE) for Android. Throughout this autumn, he attended a collection of valuable Android conferences. In this post, David walks us through his experiences and outlines his most interesting takeaways from the conferences.

Droidcon Stockholm (September 3-4)

 

Droidcon Stockholm was a two-day event held in Debaser Medis, a classic rock club in Stockholm. As you might imagine, it proved to be an interesting venue for a tech conference! The organization was a little more “punk” than most other conferences, but the conference was still jam-packed with talks containing strong content and served as a great opportunity to network with fellow industry professionals. Fun fact: Czech beers are quite popular in Stockholm. We visited a place where they served five different Czech beers on tap.

One talk that I found to be especially useful discussed building Android SDKs from Fabric, a platform for mobile developers from Twitter. It was also interesting to take a closer look at Spotify’s automated testing environment in a talk Sustainable test automation. As for me, my presentation at the conference dealt with Android TV development. All the Droidcon talks can be found here.

Droidcon Greece (September 11-12)

 

This year’s Droidcon Greece was the very first Droidcon event in the country. It was organized by the very enthusiastic GDG Thessaloniki group. Based on the number of attendees present, it was a smaller conference, but I loved it. G(r)eeks (Greek geeks) showed us true Greek hospitality. We had a tour of beautiful Thessaloniki and many parties along the way. Did you know that Greeks usually go to restaurants around 11 p.m. and start eating around midnight? Needless to say, we didn’t sleep much.

All talks were recorded. I suggest watching a talk about Kotlin on Android from Jetbrains — it really shifted my point of view on the language. Java 7 is so outdated now! I also enjoyed a workshop about RxJava from Big Nerd Ranch. You can do the workshop yourself here. It’s an innovative approach to learning a new language — it’s based on tests that all fail in the beginning, and your job is to make them ‘green’. At Droidcon Greece, I delivered a talk about Doze Mode & App Standby in Android M. All talks from the conference can be found here.

Big Android BBQ Amsterdam (November 12-13)

 

Big Android BBQ is a new conference brand with roots in Texas. It’s primarily supported by Google and is known for a less formal environment (and a real BBQ party!). This autumn, the conference came to Europe for the first time, so I gave it a shot. The conference itself was fine, and the content of the talks was strong. However, I had a few reservations about the organization of the event. There wasn’t sufficient care given to speakers, and we had to organize the speaker’s dinner by ourselves. Additionally, talks were not recorded. Nevertheless, we did have a great time in the end, and Amsterdam is a charming city.

I recommend a talk, Testing it & Loving it, from Marks & Spencer; if you don’t have automated tests yet, this talk will make you start. I also enjoyed Event Buses: The @channel of Android Architecture from Big Nerd Ranch – it showed fitting examples from real life which illustrate when and when not to use event buses. I gave an updated talk about Doze Mode & App Standby in Android M. All of the talks can be found here.

Google Experts Summit (November 19-20)

 


The Google Experts Summit is one of the best perks of being a GDE. Google invites us once a year for the summit in Mountain View, California. It’s two days full of deep technical insights with product teams and a lot of networking with other experts. The networking was probably the best — I met many exceptional people from all over the world. This year, GDEs were joined by marketing, design and product experts, making it the biggest summit ever with around 200 attendees present.

We had some really interesting sessions based on our expertise. I was part of a focus group in which Google shared some very confidential early prototypes. We were fortunate enough to be able to play with the prototypes and gave feedback directly to Googlers. I’m grateful that Googlers take the GDE program so seriously.

Android Dev Summit (November 23-24)

 

Android Dev Summit was a blast. I would summarize it as a mini Google I/O focused only on Android. The conference was less show, more technical deep dives and direct access to Googlers from Android framework and tools teams. It appropriately took place in the geekiest venue in Silicon Valley — the Computer History Museum.

All the talks from Android Dev Summit are recorded in high quality. The highlight of the event is, of course, the introduction of Android Studio 2.0 with Instant Run, which should drastically speed up the Android development lifecycle. Watch What’s new in Android Studio to get all the details. The best talk for me was probably Android Studio for Experts. It was all live demos of various features in our favorite IDE, which included mostly tips and tricks for underlying IntelliJ IDEA. There are many small frustrations in everyday development, which the IDE elegantly solves. It was great to have direct access to Android celebrities like Chet Haase, Chris Banes, Tor Norbye, Reto Meier, Dianne Hackborn and others. Fireside chats with all of them were both funny and informative, and lots of burning questions were answered. Check out the fireside chat with the framework and tools teams.

I’m grateful that Avast supported me in attending all of these conferences and am looking forward to another conference season!


Follow Avast on Facebook, Twitter, YouTube, and Google+ where we keep you updated on cybersecurity news every day.

How many people connect to unknown Wi-Fi hotspots without even knowing?

An Avast team calling themselves the Security Warriors, comprised of intra-departmental specialists, are running experiments in the streets of San Francisco. They spent a few days setting up the first of them and have already gathered some interesting statistics. In Filip’s words, here is what they have done so far and what they want to achieve.

Security Warriors

Filip Chytrý, president of mobile Gagan Singh, Bára Štěpánová, Jaroslav Slaby, and Vladislav Iliushin. Not pictured: Ondrej David

One of our first experiment’s objectives is to analyze people’s behavior by seeing how they have their devices preset in terms of outside communication. We didn’t have to go far to find out – it’s pretty disturbing. Currently, we have a variety of devices prepared for different traffic experiments but now we are using them for one really easy target – to analyze how many people connect to a fake hotspot. We created fake Wi-Fi networks called Xfinity, Google Starbucks, and Starbucks. From what we’ve noticed, Starbucks is one of the most widespread networks here, so it’s pretty easy to get people’s devices to connect to ours.

wifi hotspot

Wi-Fi networks screen

 

What is the problem we’re trying to point out?

Once your device connects to a known SSID name at your favorite cafe, the next time you visit, it will automatically try to connect to a network with the same name. This common occurrence becomes a problem because it can be misused by a hacker. Armed with some basic information, a hacker can figure out what you are doing and even which device you have. It is just a matter of time to come up with the right technique to hack into your device. After a day of walking around with my tablet, we gathered some telling statistics.

DHCP leases

From data we gathered in seven hours, we found that 264 people connected to our fake Wi-Fi networks and generated 512,000 data packets*.

  • 52% connected from an Apple device
  • 42% connected from an Android device
  • 10% connected from a tablet or notebook

 

traffic distribution

Percentage of traffic distribution generated from those devices

  • 70% of them have the Facebook app installed
  • 30% of them have the Twitter app installed
  • 30% of them accessed a Google-related service
  • 20% browsed a webpage
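The auto-join behaviour described above can be audited on the client: any saved open network is rejoined by name alone, with nothing to authenticate the access point. The following is an added example, not part of the original post. It assumes saved networks are stored in wpa_supplicant.conf syntax; the function names and the sample profile list are constructed for illustration.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not data from the experiment).
SAMPLE_CONF = '''
network={
    ssid="Starbucks"
    key_mgmt=NONE
}
network={
    ssid="Google Starbucks"
    key_mgmt=NONE
    disabled=1
}
network={
    ssid="HomeNet"
    psk="constructed-passphrase"
}
network={
    ssid="Xfinity"
    key_mgmt=NONE
    bssid=02:00:00:00:00:01
}
'''

def parse_networks(conf_text):
    """Return one dict of key/value settings per network={...} block."""
    networks = []
    for body in re.findall(r'network=\{(.*?)\n\}', conf_text, flags=re.S):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith('#') and '=' in line:
                key, value = line.split('=', 1)
                settings[key.strip()] = value.strip().strip('"')
        networks.append(settings)
    return networks

def risky_autojoin(conf_text):
    """List (ssid, scope) for enabled saved networks that need no credentials."""
    findings = []
    for net in parse_networks(conf_text):
        # key_mgmt=NONE without a WEP key means an open network; a missing key_mgmt is not open.
        is_open = net.get('key_mgmt', 'WPA-PSK').upper() == 'NONE' and 'wep_key0' not in net
        enabled = net.get('disabled', '0') != '1'
        if is_open and enabled:
            # A bssid pin narrows matching to one AP address; it is not authentication.
            scope = 'bssid-pinned' if 'bssid' in net else 'any-ap'
            findings.append((net.get('ssid', '<hidden>'), scope))
    return findings
```

Entries reported as `any-ap` are the ones to remove or disable, since the device will join any access point that advertises that name.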

What is on our tablet?

The device used for this experiment is a pretty simple off-the-shelf Nexus 7 with a rooted LTE modem. We set up fake hotspots and used tools to catch TCP dumps. Later on, we analyzed who was doing what. Nothing hard at all. Our hotspots are movable, so I have one tablet with me at all times with a fake Wi-Fi network called Google Starbucks. If you see that hotspot somewhere in town, you might want to watch your device more carefully. ;-) Did I mention we did this using only a tablet? We do have a couple of other things up and running, but that’s something for another blog.

Golden Gate bridge

Traffic flowing over the Golden Gate Bridge

If you want to be involved and aware of how these things work, you can catch up with us in San Francisco. Up until now, we have let the traffic flow as it should and gathered data, but next, we’ll play a bit with redirection. :-)

*A packet is the unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network.

