New Android vulnerability Strandhogg 2.0 exploits user trust

SuperHappyFunGame, once installed, could steal the focus from unrelated apps.

Cartoon flowchart explaining how a phishing attack works.

Strandhogg 2.0 can be thought of as the ultimate phishing attack. When the user taps a legitimate icon—which could be for email, camera, etc—the malware intercepts the tap and can present a copycat dialog instead. (credit: Promon)

A Norwegian infosec firm discovered a new Android vulnerability, which they've dubbed Strandhogg 2.0. Security firm Promon says "Strandhogg" is an old Norse strategy for coastline raids and abductions, and today's vulnerability is the "evil twin" of a similar one discovered in 2019.

The original Strandhogg used an Android feature called taskAffinity to hijack applications—by setting the taskAffinity of one of its activities to match the packageName of any other app, then setting allowTaskReparenting="true" in its own manifest, the Strandhogg app would be launched in place of the target app.
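The manifest pattern described above can be checked for statically. The following Python script is an added example, not code from the article or from Promon: it parses a decoded AndroidManifest.xml and flags any activity whose taskAffinity names a package other than the app's own, rating the finding high when allowTaskReparenting is also enabled (set on the activity or inherited from the application element). The package names and manifest snippets in it are constructed for illustration, and it covers only the original Strandhogg's manifest attributes, not the 2.0 variant, which the article says works differently.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_task_hijack_indicators(manifest_xml):
    """Scan a decoded AndroidManifest.xml for the original Strandhogg pattern:
    an activity whose taskAffinity names a package other than the app's own.
    Severity is 'high' when allowTaskReparenting is also true (declared on the
    activity, or inherited from <application>), 'medium' otherwise.
    Returns a list of finding dicts; an empty list means nothing was flagged."""
    root = ET.fromstring(manifest_xml)
    own_package = root.get("package")
    app = root.find("application")
    findings = []
    if app is None or own_package is None:
        return findings

    # <application> defaults that activities inherit when they do not override them
    app_affinity = android_attr(app, "taskAffinity")
    app_reparent = (android_attr(app, "allowTaskReparenting") or "false").lower() == "true"

    for activity in app.iter("activity"):
        name = android_attr(activity, "name") or "<unnamed>"
        affinity = android_attr(activity, "taskAffinity")
        if affinity is None:
            affinity = app_affinity if app_affinity is not None else own_package
        reparent_attr = android_attr(activity, "allowTaskReparenting")
        reparent = app_reparent if reparent_attr is None else reparent_attr.lower() == "true"

        # An empty taskAffinity means "no affinity"; the app's own package is the default
        if affinity == "" or affinity == own_package:
            continue
        findings.append({
            "activity": name,
            "taskAffinity": affinity,
            "allowTaskReparenting": reparent,
            "severity": "high" if reparent else "medium",
        })
    return findings


# Constructed sample (not a real app): a decoded manifest for a hypothetical game
# whose login activity claims the task of an unrelated, also hypothetical, mail app.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.superhappyfungame">
  <application android:label="SuperHappyFunGame">
    <activity android:name=".MainActivity" />
    <activity android:name=".LoginPrompt"
        android:taskAffinity="com.example.victim.mail"
        android:allowTaskReparenting="true" />
  </application>
</manifest>
"""

# Constructed sample: an app whose affinities stay within its own package.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleanapp">
  <application android:label="CleanApp">
    <activity android:name=".MainActivity" />
    <activity android:name=".Settings" android:taskAffinity="" />
    <activity android:name=".Shared" android:taskAffinity="com.example.cleanapp" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in find_task_hijack_indicators(SUSPICIOUS_MANIFEST):
        print(finding)
    print("clean manifest findings:", find_task_hijack_indicators(CLEAN_MANIFEST))
```

A foreign taskAffinity on its own is only a medium indicator, because app suites from one vendor sometimes share a task deliberately; the combination with allowTaskReparenting is what lets an activity move into another app's task, which is why the script raises that case to high.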

Imagine tapping the legitimate Gmail icon on your phone and getting what appears to be a legitimate login prompt, pixel-for-pixel identical with the one you'd see if your account had been logged off. Would you enter your credentials? If one of the free games or apps you or a child might have installed was a Strandhogg vessel, you just gave your credentials to an attacker—which might even launch the Gmail application itself immediately after testing your credentials, leaving no obvious sign you had been compromised.


Take $30 off a new Amazon Kindle, our recommended budget ebook reader

Dealmaster also has deals on Anker chargers, wireless headphones, and more.


Today's Dealmaster is headlined by a nice discount on the Amazon Kindle, which is currently down to $60. That's tied for the lowest price we've tracked for Amazon's entry-level ebook reader and a $30 drop from its usual going rate. The deal also bundles a three-month subscription to Amazon's Kindle Unlimited ebook service, which typically costs $30 on its own. Just note that the subscription will be set to auto-renew at $10 a month once the free period is up, so you may want to set a reminder for yourself if you wish to cancel.

The Kindle is the "best budget" option in our guide to the best ebook readers. We like it for offering a decent 6-inch display with adjustable front lighting that helps it stay visible in darker environments, a lightweight (6.01 oz.) and comfortable design that takes up little room in a bag, solid battery life that lasts roughly four weeks a charge, and Bluetooth connectivity that lets you connect wireless headphones and listen to Audible audiobooks. And like any other Kindle, it comes with access to Amazon's massive ebook library.

To be clear, though, this is priced below Amazon's Kindle Paperwhite, our favorite ebook reader, for a reason. By comparison, the entry-level Kindle's display isn't as sharp, with a 167-pixel-per-inch (ppi) density compared to the Paperwhite's crisper 300ppi display. This won't be a major nuisance unless you're coming from a sharper ereader display, but the Kindle's text is fuzzier, and the drop-off will be particularly noticeable with image-heavy material like comic books and manga. Beyond that, the Kindle lacks the Paperwhite's waterproofing, its display is a tad dimmer due to having one fewer LED front light, it has half as much storage space at 4GB, and its display is recessed from the rest of the design, not set flush à la the higher-end model. In either case, you still have to put up with home-screen ads (unless you pay a one-time fee) and DRM protection that effectively locks your ebook library into Amazon's platform.


Early tests of vaccine for COVID-19 pass peer review, look promising

Based on a harmless virus, the vaccine had side effects but elicited antibodies.

Image of vials and syringes on a tray.

Test doses of another potential SARS-CoV-2 vaccine. (credit: MLADEN ANTONOV / Getty Images)

We still don't know how well a robust immune response protects people from SARS-CoV-2 infection. But we've got a further indication that vaccines can induce a strong immune response. Just prior to the holiday weekend, a Chinese team released the results of a safety trial done using a harmless virus that had been modified to carry one of the coronavirus genes. While there were a number of side effects, everyone getting the vaccine had a robust antibody response, including some antibodies that neutralized the virus.

Familiar virus, new protein

The first indication of progress toward a vaccine that we're aware of came in the form of a company press release. This new one comes in the form of a peer-reviewed article in the prestigious medical journal The Lancet. Most of its authors are academic researchers or public health authorities; only two have affiliations with a company.

The two reports also differ significantly in terms of their approach to generating an immune response. The earlier announcement, from a company called Moderna, involved injecting carefully packed RNAs that encode the spike protein that normally resides on the surface of the virus. The RNAs transit inside a person's cells and induce them to produce the spike protein, thereby exposing the immune system to it.


Daily Deals (5-26-2020)


Every month Twitch offers a set of free games to anyone in the Twitch Prime program (which is a free perk for Amazon Prime subscribers). Usually that means you can get four or five free games — but right now you can snag 16 games, including titles from Daedalic, Wired Productions, and Plug in Digital. […]

YouTube auto-deletes comments with phrases critical of Chinese government [Updated]

“This appears to be an error in our enforcement systems,” YouTube tells Ars.

Protesters in Taipei, Taiwan, demonstrate for granting political asylum to Hong Kongers in January 2020. (credit: Walid Berrazeg/SOPA Images/LightRocket via Getty Images)

YouTube's software is automatically deleting comments with two phrases critical of the Chinese Communist Party, The Verge reported on Tuesday morning.

“共匪” means "communist bandit." It was a derogatory term used by Nationalists during the Chinese Civil War that ended in 1949. It continues to be used by Chinese-speaking critics of the Beijing regime, including in Taiwan.

“五毛” means “50-cent party.” It's a derogatory term for people who are paid by the Chinese government to participate in online discussions and promote official Communist Party positions. In the early years of China's censored Internet, such commenters were allegedly paid 50 cents (in China's currency, the yuan) per post.


Realme X3 SuperZoom smartphone packs a 120 Hz display and 5x optical zoom (60x hybrid zoom)


Chinese smartphone maker Realme’s newest smartphone gets its name from its camera, which the company says supports up to 60x hybrid zoom (or 5x zoom when using optical zoom only). In fact, the 64MP telephoto camera on the Realme X3 SuperZoom is the phone’s primary camera, although there are also 8MP ultrawide and 2MP macro […]

Lenovo Yoga Duet 7i 2-in-1 tablet coming in June


Lenovo’s new Yoga Duet 7i is a 13 inch Windows 10 tablet with a 2160 x 1350 display and support for up to a 10th-gen Intel Core i7 processor, 16GB of DDR4 memory, and 1TB of solid state storage. The tablet has a built-in kickstand, a detachable keyboard cover (with backlit keys), and digital pen support. […]

Audi fires driver for using a ringer in charity esports race

Other racing drivers say they’ll quit streaming on Twitch as a result.

Daniel Abt in happier times, taking part in a sim race at this year's Santiago ePrix in Chile. After doing unusually well in a sim race this weekend, it turned out Abt had brought in a ringer. (credit: Audi Communications Motorsport / Michael Kunkel)

The combination of racing drivers and esports is turning out to be full of drama. When COVID-19 put a stop to real-world racing in March, professional series moved the action, using sims like iRacing and rFactor 2 along with streaming platforms like Twitch to give drivers something to do and fans something to watch. But the transition hasn't been a smooth one for some of the professional drivers, particularly those who had little interest or experience in the simulation side of things before the pandemic.

Audi's Daniel Abt is the latest to discover that it's not just a game when you're being paid to show up. The latest incident took place on Saturday in Formula E's Race at Home challenge, where the sport's real-world stars show up to compete in rFactor 2 to raise money for UNICEF. Set in a virtual version of Berlin's Tempelhof airport, Abt qualified well and raced to third place, a performance that was in stark contrast to his previous esports races. This, and the fact that he was obscured from view in his video feed, raised suspicions among some of the other drivers.

Rage-quitting, racist remarks, now a ringer

Those suspicions had merit. When the esports race organizers investigated, they checked IP address data and discovered the presence of a ringer—sim racing professional Lorenz Hoerzing, who raced pretending to be Abt. Disqualified from the race, Abt was ordered to donate $10,817 (€10,000) to charity. (Hoerzing was also stripped of his sixth-place finish in the companion event held for professional sim racers, and banned from competing in that series again.) After admitting he swapped in Hoerzing, Abt apologized in a statement on Sunday.
