Google Play full of Trojans

Cybersecurity experts from SecneurX have recently compiled a long list of Google Play apps infected with dangerous Trojans, including:

  • Color Paint & Draw Master – Harly Trojan
  • Real Photo Editor - Joker Trojan
  • Coloring Painting - Joker Trojan
  • Happy Voice Changer - Harly trojan
  • Emoji Live Wallpaper - Joker trojan
  • Screen Mirroring Cast - Joker Trojan
  • Advanced Cast Screen - Joker Trojan
https://twitter.com/SecneurX/status/1619202483993169920?s=20&t=BrBOAe-mab7qbxXVT6DCBw

What can the Joker and Harly Trojans do?

A trend is emerging from the above reports. Most often, mobile applications with Joker and Harly Trojans impersonate relatively simple applications. Some of them are games, others are used for simple entertainment or personalization of the smartphone by changing the wallpaper or screensaver. Screen mirroring and screen casting applications are also popular. Viruses are designed to steal data, e.g. taking over our contacts or reading e-mails, text messages or conversations on messengers. Malware can also enable premium services and charge us a high phone bill.

Source: SecneurX 

Kotlin 1.8.0 Released

The Kotlin 1.8.0 release is out.
Here are some of its biggest highlights:

  • New experimental functions for JVM: recursively copy or delete directory content
  • Improved kotlin-reflect performance
  • New -Xdebug compiler option for better debugging experience
  • kotlin-stdlib-jdk7 and kotlin-stdlib-jdk8 merged into kotlin-stdlib
  • Improved Objective-C/Swift interoperability
  • Compatibility with Gradle 7.3

more: https://kotlinlang.org/docs/whatsnew18.html

KotlinDL 0.5 is out!

According to the latest blog post we now have quite interesting features on Android:

Version 0.5 of our deep learning library, KotlinDL, is now available! This release focuses on the new API for the flexible and easy-to-use deployment of ONNX models on Android. We have reworked the Preprocessing DSL, introduced support for ONNX runtime execution providers, and more. Here’s a summary of what you can expect from this release: […]

More:
https://blog.jetbrains.com/kotlin/2022/12/kotlindl-0-5-has-come-to-android/

Samsung, LG, Mediatek certificates compromised to sign Android malware

Multiple platform certificates used by Android OEM device vendors to digitally sign core system applications have also been used to sign Android apps containing malware.

The biggest problem here is the fact that, are signed with the same platform certificate and assigned the highly privileged 'android.uid.system' user id, these apps will also gain system-level access to the Android device. Which mean that they can check and do much more than standard apps.

more:

https://arstechnica.com/gadgets/2022/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-malware/

List of hashes: https://bugs.chromium.org/p/apvi/issues/detail?id=100

Apple Wallet Car Keys could now be shared with Google Pixel

Car Key introduced several years ago is yet not widely adopted by car manufactures (in some degree due to chip shortages in recent years) and was iPhone only feature for some time. Now these electronic keys could be shared with Google Pixel phone owners and other Android phones to follow soon.

Reference: You can now share your car key in Apple Wallet with Android users, starting with Google Pixel

Weekend good reads for Android developers, issue #40 (45/2022)

The weekend is coming so we have some reads for you:

SIMPLE IS NOT EASY

Unfortunately, most of the examples showing Clean Architecture and Hexagonal Architecture show that this is the model way. Abstraction on top of abstraction and next abstraction. But still, writing simple and easy to read code is not easy. It requires multiple iterations and effort. Read more in this article.

Mastering Android Dialogs: Don’t follow official Google Guides

This article explains why Google Guides for Dialogs are bad and what risks you and your apps may face if you follow them.

Performance Considerations for Memory Leaks: An Android Cookbook

Memory leaks can be found everywhere, in application code, dependencies, the Android operating system, and even in the JVM. It is difficult to come up with a complete list of the reasons why these problems occur, but showing a broad range can help us better characterize what they may be like. This great article gives you a better understanding of what memory leaks are.

Declarative UI — What, How, and Why?

This short but succinct post perfectly explains Declarative programming paradigm.

Library of the week:

https://github.com/touchlab/xcode-kotlin

The xcode-kotlin plugin allows debugging of Kotlin code running in an iOS application, directly from Xcode.

Have a nice Weekend!

Google Play services – update

Google has begun previewing the latest changes to Android as part of November’s Google Play System updates, including improvements for Wallet and parental controls. Google is also bringing its updated photo picker to nearly every Android device, including ones that are quite outdate (Kitkat).

Google has now announced that Android’s photo picker UI — the one that debuted with Android 13 is becoming available for almost all Android device. According to the patch notes, phones and tablets as far back as Android 4.4 KitKat, released in 2013, will be able to use Android 13’s photo picker. (Originally, Google had only said that devices on Android 11 and newer would get the new design.)

Google Pixel – Lock Screen Bypass

Have you ever had a situation that you suddenly forgot your password, which you typed automatically hundreds of times?

One researcher encountered this very problem when his phone had a battery life of 1%. After a while, the phone turned off, and after recharging, the researcher wanted to unlock the SIM card with a PIN … but something did not work: / So he looked for the PUK code, entered it and … the phone asked him to set a new PIN (for the SIM card).

This does not look like an obvious security issue, but the hacker tried to work out the cause of strange phone behavior. At one point, he performed such an operation:

  • His phone was unlocked
  • He blocked it
  • He pulled out the SIM card and inserted it again
  • He launched the procedure for changing the code to the SIM card (he used the PUK)
  • and suddenly boom - the phone is unlocked!

The researcher commented it like this:

My hands started to shake at this point. WHAT THE F**K? IT UNLOCKED ITSELF (…) full lock screen bypass, on the fully patched Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too.

The CVE-2022-20465 vulnerability was patched according to the November Android security bulletin. The patch was prepared for Android 10, 11, 12, 12L, 13.

Jetpack Compose: Material Design 3 is stable

At the Android Dev Summit, Google announced the latest improvements to Jetpack Compose including stable Material You (Material Design 3) components.

Material Design 3 components are a key feature in this release, but it also includes an assortment of other new or enhanced UI components, including lazy staggered grids, variable fonts, pull to refresh, snapping in lazy lists, draw text in canvas, URL annotations in text, hyphenation, and LookAheadLayout.

more:

https://developer.android.com/jetpack/androidx/releases/compose-material3