New Android ‘Fake ID’ flaw empowers stealthy new class of super-malware

AppleInsider reported on a new Android flaw that allows malware to gain extensive control over a user’s device.

This is particularly serious because Google has granted a variety of trusted apps in Android broad permissions; by pretending to be one of these trusted apps, malware can can fool users into thinking that they are installing an app that doesn’t need any special permissions, then trick the system into giving it essentially full control of the device, with access to the user’s financial data, contacts and other private information, even data stored in the cloud.

Here are some possible apps for malwares to spoof.

Adobe Flash:

While Google eventually gave up on Flash for Android, an Adobe Flash plugin privilege escalation flaw remained embedded in Android’s webview—the browser component that gets embedded into third party apps that present web content—until the release of Android 4.4 KitKat last fall.

With Flash so deeply integrated into Android’s webview component, any malware using Fake ID to pretend to be Flash can subsequently escape Android’s app sandbox and take control of other apps, including Salesforce and Microsoft OneDrive, grab data from those apps, sniff out all those apps’ network traffic and gain any additional privileges held by those apps.

The solution is simple: upgrade to Android 4.4 KitKat. However, not every Android user can upgrade even if they want to.


Using Fake ID, a malware app that asks the user for no special permissions at installation can subsequently pretend to be the Google Wallet app; Android will then provide the rogue app with all the permissions it gave its own NFC infrastructure, which includes users’ financial data.

Because Wallet, 3LM and other apps do not depend on the Flash / Android webview flaw, these other vectors of attack weren’t fixed in KitKat. That means Fake ID affects all versions of Android, including the latest Android 4.4.4 and the upcoming “Android L” (aka Android 5.0 beta).

This happens because Android apps are signed but not verified, unlike iOS apps.

However, Bluebox discovered that “the Android package installer makes no attempt to verify the authenticity of a certificate chain; in other words, an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim (normally done by verifying the issuer signature of the child certificate against the public certificate of the issuer).

“For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate.

“Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains the both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.”

It is hard for you to know if you have been infected.

On the other hand, Fake ID requires no user involvement, and can be used by malware posing as an innocent app or game that requests no special permissions. Once installed, the app can take over without the user having any knowledge of being infected.

This underlines the shocking state of Android security.

“The Android malware ecosystem is beginning to resemble to that which surrounds Windows,” the firm observed. By September, Duo Security stated that “more than half of Android devices are vulnerable to at least one of the known Android security flaws.”

Facebook to disable messaging in main iOS app

9to5Mac reported that Facebook will be disabling messaging in its main iOS app this week. Users will have to download its Messenger app.

This might be a good thing for those of us who are trying to spend less time on Facebook. Personally, I tend to get distracted by Facebook when I have to go into Facebook to reply messages. I have cut down distraction a lot ever since I started using the standalone Facebook Messenger app.

It will be interesting to see what Facebook plans to do with a two messaging apps in Messenger and Whatsapp.

Life inside Comcast

The Verge spoke to more than 100 Comcast employees.

One common theme was the importance of retaining customers.

We locked down the ability for most customer service reps to disconnect accounts. We queue the calls for customers looking to disconnect to a retention team who are authorized to give more deeply discounted products to keep subscribers.

Upgrade the customer where possible.

The pay was great and everything else about the job was a nightmare. I remember when a 90-year-old woman called to add phone to her account and my boss told me afterwards, “She was probably senile… but you should have upgraded her cable. I don’t think you are going to be sitting in this seat for very long.”

Sales is more important than customer service.

I would be frustrated because I would tell them we need customer service training as much as sales training, but it came from Philly [Comcast’s headquarters] so that’s what we had to deal with. [Managers] would listen to the call, even have secret shoppers call in. If we didn’t ask [customers] to get more products we would be spoken to. Eventually, selling became part of tech support and billing.

Another Amazon Fire Phone review

The New York Times reviewed the Amazon Fire Phone.

At its best, Dynamic Perspective adds helpful gestures that allow you to get around the phone more quickly. Snap the phone to the right while you’re in the calendar app, you see your daily agenda; snap left and the agenda disappears. But these shortcuts are never reliable; a lot of times you’ll snap and nothing will happen, because the app you’re in isn’t coded for gestures.

Other instances of Dynamic Perspective are downright annoying. Take Auto Scroll, which moves the text on your screen as you tilt the phone back and forth. Because Auto Scroll calibrates its scrolling speed according to how you’re holding the device when you first load up an article, your brain will struggle to find a set rule about how much to tilt to get the right speed. Often I’d scroll too fast or too slow.

Worse, if you put your phone down on a table while you’re in the middle of an article, the scrolling goes haywire and you lose your place. The best thing about Auto Scroll is that you can turn it off.

When you introduce a gimmick instead of making sure the feature simply works.

BlackBerry and Dell not worried about Apple-IBM partnership

iPhone in Canada reported on BlackBerry and Dell’s responses to the Apple-IBM partnership.

BlackBerry CEO John Chen:

I am not afraid of competing when I know I am more nimble. I never think [that] going alone is the right strategy. But we have a value add that no one else can do.

John Swainson, head of Dell’s global software business:

I do not think that we take the Apple-IBM tie-up terribly seriously. I think it just made a good press release.

I have some trouble understanding how IBM reps are going to really help Apple very much in terms of introducing devices into their accounts. I mean candidly, they weren’t very good at doing it when it was IBM-logoed products, so I do not get how introducing Apple-logoed stuff is going to be much better.

This reminds me of the famous quote by Steve Ballmer:

There’s no chance that the iPhone is going to get any significant market share. No chance. It’s a $500 subsidized item.

Microsoft missed the mobile market under Ballmer’s watch as CEO. BlackBerry and Dell are struggling in the mobile and PC markets respectively. To be unconcerned by the Apple-IBM push in enterprise won’t bode well for them.

eBay sold $2 billion worth of Apple devices in the past year

Computerworld reported on the resales of older Apple devices on eBay.

Like one of an infinite number of multiverses, eBay’s traffic in primarily old-but-still-sellable Apple goods mirrored, more or less, Apple’s product line breakdown. The iPhone dominated on the online auction site, accounting for 55% the $1.94 billion in sales of Apple goods. Meanwhile, Mac products accounted for 20% of Apple sales on eBay and iPad sales represented 19% of the total.

Google’s number game

John Bell wrote on Medium about Google’s numbers.

Which brings me to Chromecast. All Google will say is they’ve sold “millions” of the $35, (presumably) break-even device. But recently they announced 400 million “sessions”. Sounds impressive! A recent headline states “Chromecast turns one: why this small streaming stick became such a big deal” and the subheads are “So cheap, and so different”, “400 million cast sessions”, “Competitors are getting the streaming stick fever”, and “Why Chromecast continues to be disruptive”.

So kudos to Google for an enormous number, and for getting great press from it. But, wait. We’re actually going to record “uses” of products now? Well, sure. Because it makes the number look bigger. Why wouldn’t Google report a number that makes you shrug and think “Google seems to be doing well” before reading the next article? Or buying into what’s clearly a successful device with a successful, stable, supported ecosystem?

Bell then dived into the numbers.

400,000,000 uses per year, if every user uses it seven days a week on average, means 1,095,890 customers globally. Whereas if each user is using it four times a week, that’s 208 uses per year. That would point to 1,923,077 customers.

Since Google has said they’ve sold “millions”, 1.9 is a bit low. So let’s adjust usage down a little bit to get past 2 million. That gives us a guess of 2,564,103 Chromecast users using the device 3 times a week.

Imagine if Apple reported the number of times the AppleTV is used.

In April, Apple said it has sold 20 million Apple TVs total, and the current numbers seem to point to 8-10 million a year. If we assume their engagement is similar to those of Chromecast users (3 times a week), that works out to between 1,248,000,000 and 1,560,000,000 “uses” of the product in the same time period.

At the lower end, that’s 1.2 billion sessions versus Chromecast’s 400 million session.

Mobile leverage

Benedict Evans on mobile leverage.


First, they are not shared and they are personal. Of those 1.6-1.7 bn PCs, a little over half are consumer devices, and a large proportion of those are shared. The others are owned by companies, and at the very least they’re restricted in what you can do with them for personal uses, and many of them are actually single-purpose devices. So it’s helpful to think about somehow discounting that PC base to reflect actually personal personal computers – by half, or more. Just as there’s a ‘full-time equivalent’, what’s the ‘personal computer equivalent’? It’s not 1.6bn – it’s probably more like half that.


Finally, the step change in ease of use provided by the new generation of operating systems changes what it means for someone to have such a device. A very large proportion of PC users would describe themselves as ‘not computer literate’, or at best getting by following ‘recipes’ within a narrow set of tasks, but far fewer say they’re not phone literate or even smartphone literate (though a curve obviously remains). The usability of this new class of devices of itself multiplies the reach of the internet.

These are very good points on how different the PC and mobile markets are.

App store revenue

Benedict Evans wrote about app Store revenues.

  • Google said it paid out $5bn to developers from Google IO in 2013 to Google IO in 2014 (a little over 13 months)
  • Apple said it has paid out $20bn to developers in total by the end of the June 2014 quarter, and at WWDC June 2013 it gave a figure of $10bn paid to developers (at the June 2013 earnings call a month later it then said it had paid out $11bn). So in the last 12 months, it paid out roughly $10bn.

No surprise which platform app developers would want to go for.

Amazon Fire Phone review

The Verge reviewed the Amazon Fire Phone.

Dynamic Perspective is meant to keep the screen simple, showing you only information when you ask for it, but it mostly just hides useful information. Exposing that information then requires such finesse that for a long time you’ll be seeing things rapidly flicker in and out of existence, not knowing how to make them stick around or find them again. Dynamic Perspective makes for awesomely fun lock screens with much more to them than first meets the eye, but it does nothing to meaningfully improve the smartphone experience.

A clever phone:

You’re entirely reliant on gestures and flicks of the phone to access these menus. Most apps have no indicators or helpful icons; you just have to open every app and twist the phone around like a lunatic to find things. You can’t even see the time without tilting your phone just so. An errant buzz is your only indication that you have a notification, prompting you to cock your wrist or swipe down from the top bezel to open the notification windowshade. None of this is explained, none of it is intuitive. Dynamic Perspective makes everything look cleaner, but makes actually using your phone a lot harder. I don’t need my phone to be clever, or spartan. I need it to be obvious. The Fire Phone is anything but.