[News] Big problems with Google mobile apps
In this week’s news, two stories about Google apps raised some eyebrows.
Most app providers adopt the policy that no app should contain any surprise purchases. While investigating the Google Play store, anti-malware company Avast discovered 151 apps that contained code to fool users into accepting premium SMS subscriptions that can cost up to $40 a month. These scammy subscriptions hide within games, photo editing apps, QR code scanners, and other apps. Dubbed the UltimaSMS campaign (because Avast first discovered the code within the app Ultima Keyboard 3D Pro), the apps have been downloaded over 10 million times in 80 different countries, according to BGR.
According to Avast’s researchers, once these subscriptions begin, users cannot cancel even if they uninstall the apps. The only way to stop these hidden charges is for a user to contact their mobile carrier to request that the carrier disable their premium SMS messages.
Google has removed all of the apps from the store, but Avast points out that for those who have already installed the apps, uninstalling them does not cancel the billing. PC Magazine recommends that all Android users review their billing statements for Premium SMS charges and contact their mobile phone carrier to stop any charges that resulted from this scam.
Meanwhile, Google users might want to take a look at their mobile settings if they’re concerned about giving away their location data for free to advertisers. Zak Doffman, a cybersecurity expert at Forbes, reported that the Chrome browser collects accelerometer data on mobile phones. The data tracks users’ movements and is used, along with other data from mobile users, to determine which ad content users are viewing and interacting with. (Last month Doffman leveled the same accusation against Facebook, which collects location data on users even if they turn location services off, and even on iOS devices.)
The revelation about the mobile Chrome browser originates with Tommy Mysk, an iOS developer & security researcher. According to Mysk, and as quoted by Fossbytes, “an app [with accelerometer access] can tell if you are browsing while lying, sitting, walking, or cycling.” Fossbytes goes on to explain how Chrome then shares this data with every other website you visit, potentially undermining iOS security options.
Privacy advocates ask why Chrome would need access to accelerometer data at all. It’s used by fitness tracker apps and maps that need to know your location, but why would a web browser need such data?
If you want to stop sending all of your activity data to Google, you can disable Chrome’s access to motion sensors in the Android Site Settings, but you will need to disregard Google’s not-so-subtle nudge to keep it on. Or you can do what many tech websites are suggesting, which is to delete Chrome from your mobile devices until Google fixes this data leak.
In other news
- Microsoft rolls out new workplace surveillance. Microsoft will soon add new “administrator visibility on browsers” and machine learning detectors to Microsoft 365, as documented in their 365 Rollout page. What this means is that companies may soon be able to review everything their employees are doing within their web browser and via their Internet connection. ZDNet suggests that these new rollouts are meant to help companies protect sensitive internal documents and thwart whistleblowers, but they can also serve to monitor all of their employees. As ZDNet notes, “The more companies descend spy software upon their employees — especially employees working from home — the less trust can exist between those who work and those who manage.”
- REvil ransomware hacker arrested. The U.S. Justice Department announced the arrest in Poland of Yaroslav Vasinskyi, a 22-year-old Ukrainian national allegedly connected to the hacking group REvil. As Gizmodo reports, the authorities also seized over $6 million in ransomware payments. Furthermore, they announced charges against Yevgeniy Polyanin, a 28-year-old Russian national, who has not yet been apprehended. The REvil hackers are blamed for the ransomware attack on Kaseya that we reported on back in July. In an official statement, FBI Director Christopher Wray said, “We will continue to broadly target their actors and facilitators, their infrastructure, and their money, wherever in the world those might be.”
- Satellite wars are heating up. Amazon is seeking approval from the Federal Communications Commission to send 7,774 satellites into space as part of its Project Kuiper, in its efforts to bring broadband Internet to more people around the world. These satellites will compete with the Starlink network being created by Elon Musk’s SpaceX and Boeing Co’s recently-approved 147 satellites, all designed to boost broadband access for all. As the race to provide broadband continues, maybe those of us stuck with slow cable Internet will finally have another option.
- Mini-robot squads in space. NASA engineers are working on tiny robots that can team up to explore the moon or Mars. Creating teams of small robots the size of a shoebox, each equipped with a small camera, wireless radio, and computer, is the job of NASA’s Cooperative Autonomous Distributed Robotic Exploration (CADRE) project. Technology Review explains how these scientists hope to eventually be able to collect information from places larger rovers can’t reach, such as lava tubes. And with a group of robots working together, the redundancy means data could be salvaged if one goes offline.
- A Lego moon mission. In other NASA news, ZDNet reports that the space agency has teamed up with Lego Education to send two Lego figurines to the moon. In a partnership created to encourage children to learn more about space exploration, the Artemis I mission will include Command Pilot Kate and Mission Specialist Kyle, both Lego figurines. Esben Stærk, president of Lego Education, said, “Our hope is that including Kate and Kyle in this space mission will excite students about the possibilities of STEAM careers and engage them in their own learning journey.”
Tip of the week
Smartphone apps can be lifesavers, providing entertainment and services with the tap of an icon. But apps take up a lot of space in your phone’s memory, monitor your behavior, and, as we’ve mentioned, occasionally scam you. To remedy these problems, try using mobile websites instead.
The biggest companies in the world have spent millions of dollars developing user-friendly mobile websites, many of which function exactly like their apps. Walmart, McDonald’s, NPR, Reddit, and even Amazon have mobile sites that can be hard to distinguish from their apps. Twitter’s mobile site is arguably better than the app, allowing you to scroll your feed and retweet at lightning speed.
With mobile sites, there are no additional downloads and no excessive permissions. Just bookmark your favorite sites and go. Bonus tip: get the Brave mobile browser with built-in ad blockers for added privacy.