Security News

Google scolded for depriving the poor of privacy, accused of preloading malware on phones for hard-up Americans
2020-01-09 21:51

On Wednesday, more than 50 advocacy groups accused Google of exploiting poor people by failing to police misbehaving Android apps on cheap phones. The advocacy groups, including the American Civil Liberties Union, Amnesty International, the Electronic Frontier Foundation, and Privacy International, to name a few, published an open letter to Google CEO Sundar Pichai asking him "to take action against exploitative pre-installed software on Android devices."

Google scolded for depriving the poor of privacy after Chinese malware bundled on phones for hard-up Americans
2020-01-09 21:51

On Wednesday, more than 50 advocacy groups accused Google of exploiting poor people by failing to police misbehaving Android apps on cheap phones. The advocacy groups, including the American Civil Liberties Union, Amnesty International, the Electronic Frontier Foundation, and Privacy International, to name a few, published an open letter to Google CEO Sundar Pichai asking him "to take action against exploitative pre-installed software on Android devices."

Google voice Assistant gets new privacy ‘undo’ commands
2020-01-09 12:02

Google's controversial voice Assistant is getting a series of new commands designed to work like privacy-centric 'undo' buttons. Google hopes its new commands will counter that impression by offering some control over what Assistant pays attention to.

Google’s Project Zero highlights patch quality with policy tweak
2020-01-09 11:26

Google's Project Zero bug-hunting team has tweaked its 90-day responsible disclosure policy to help improve the quality and adoption of vendor patches. The vendor then has 90 days to fix the bug before Project Zero lifts the veil.

Google Ditches Patch-Time Bug Disclosure in Favor of 90-Day Policy
2020-01-08 20:10

The more notable part of the announcement is Project Zero's decision to wait to disclose bug details until 90 days elapse, even if a patch becomes available before then. "For the last five years, the team has used its vulnerability disclosure policy to focus on one primary goal: Faster patch development," explained Willis, in a posting on Tuesday on the policy changes.

Google Project Zero Updates Vulnerability Disclosure Policy
2020-01-08 18:27

Google's Project Zero has updated its vulnerability disclosure policy to keep bug reports closed for 90 days, regardless of whether a patch is out before the deadline or not. The goal of this new policy, Google Project Zero's Tim Willis notes, goes beyond just attempting to speed up patching: thorough patch development and improved patch adoption are also a focus.

App on Google Play exploited Android bug to deliver spyware
2020-01-08 14:19

Google has pulled three malicious apps from Google Play, one of which exploits a recently patched kernel privilege escalation bug in Android to install the app aimed at spying on users. The Camero app would download a DEX file from a C&C, which would then download the callCam APK file and use the CVE-2019-2215 exploit to root the device, install the app and launch it without any user interaction or the user's knowledge.

Google Fixes Critical Android RCE Flaw
2020-01-07 20:50

Google kicked off its first Android Security Bulletin of 2020 by patching a critical flaw in its Android operating system, which, if exploited, could allow a remote attacker to execute code. Google said the critical vulnerability exists in Android's Media framework, which includes support for playing a variety of common media types, so that users can easily utilize audio, video and images.

Yeah, says Google Project Zero, when you think about it, going public with exploit deets immediately after a patch is emitted isn't such a great idea
2020-01-07 20:22

Patting itself on its back for motivating software makers to fix 97.7 per cent of the vulnerabilities it identifies within its 90-day disclosure deadline, Google's bug-hunting unit Project Zero has decided to ease up on those racing to patch their flawed products. As a result of the amended policy, vulnerability details will remain undisclosed for a longer period of time, giving developers enough time to fix their code, and netizens to test and install the patches, before Googlers make technical details and proof-of-concept exploits public for all to see.

Google suspends Xiaomi from Home Hub over camera privacy glitch
2020-01-07 12:51

Google has temporarily disconnected Xiaomi's IP cameras from its Home Hub service after a user reported that he was seeing images from other people's devices. Reddit user u/Dio-V found that Xiaomi's Mijia 1080p IP camera was sending still images from other people's homes when he accessed it via his Google Home Hub.