Category: Editor’s Pick


Five years ago, researchers made a grim discovery—a legitimate Android app in the Google Play market that was surreptitiously made malicious by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads.

Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm reported Monday that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible.

Clever tradecraft

Software developer kits, better known as SDKs, are apps that provide developers with frameworks that can greatly speed up the app-creation process by streamlining repetitive tasks. An unverified SDK module incorporated into the apps ostensibly supported the display of ads. Behind the scenes, it provided a host of advanced methods for stealthy communication with malicious servers, where the apps would upload user data and download malicious code that could be executed and updated at any time.


A pleasant female voice greets me over the phone. “Hi, I’m an assistant named Jasmine for Bodega,” the voice says. “How can I help?”

“Do you have patio seating,” I ask. Jasmine sounds a little sad as she tells me that unfortunately, the San Francisco–based Vietnamese restaurant doesn’t have outdoor seating. But her sadness isn’t the result of her having a bad day. Rather, her tone is a feature, a setting.

Jasmine is a member of a new, growing clan: the AI voice restaurant host. If you recently called up a restaurant in New York City, Miami, Atlanta, or San Francisco, chances are you have spoken to one of Jasmine’s polite, calculated competitors.  


On Saturday, a YouTube creator called “ChromaLock” published a video detailing how he modified a Texas Instruments TI-84 graphing calculator to connect to the Internet and access OpenAI’s ChatGPT, potentially enabling students to cheat on tests. The video, titled “I Made The Ultimate Cheating Device,” demonstrates a custom hardware modification that allows users of the graphing calculator to type in problems sent to ChatGPT using the keypad and receive live responses on the screen.

ChromaLock began by exploring the calculator’s link port, typically used for transferring educational programs between devices. He then designed a custom circuit board he calls “TI-32” that incorporates a tiny Wi-Fi-enabled microcontroller, the Seed Studio ESP32-C3 (which costs about $5), along with other components to interface with the calculator’s systems.

It’s worth noting that the TI-32 hack isn’t a commercial project. Replicating ChromaLock’s work would involve purchasing a TI-84 calculator, a Seed Studio ESP32-C3 microcontroller, and various electronic components, and fabricating a custom PCB based on ChromaLock’s design, which is available online.


Certificate authorities and browser makers are planning to end the use of WHOIS data for verifying domain ownership following a report that demonstrated how threat actors could abuse the process to obtain fraudulently issued TLS certificates.

TLS certificates are the cryptographic credentials that underpin HTTPS connections, a critical component of online communications verifying that a server belongs to a trusted entity and encrypts all traffic passing between it and an end user. These credentials are issued by any one of hundreds of CAs (certificate authorities) to domain owners. The rules for how certificates are issued and the process for verifying the rightful owner of a domain are left to the CA/Browser Forum. One “base requirement rule” allows CAs to send an email to an address listed in the WHOIS record for the domain being applied for. When the receiver clicks an enclosed link, the certificate is automatically approved.

Non-trivial dependencies

Researchers from security firm watchTowr recently demonstrated how threat actors could abuse the rule to obtain fraudulently issued certificates for domains they didn’t own. The security failure resulted from a lack of uniform rules for determining the validity of sites claiming to provide official WHOIS records.


Mark Robinson, lieutenant governor of North Carolina and candidate for governor, delivers remarks prior to Republican presidential nominee former President Donald Trump speaking at a campaign event at Harrah’s Cherokee Center on August 14, 2024, in Asheville, North Carolina. (credit: Grant Baldwin via Getty Images)

On Thursday, CNN broke news about inflammatory comments made by Mark Robinson, the Republican nominee for governor of North Carolina, on a pornography website’s message board over a decade ago. After the allegations emerged, Mark Robinson played on what we call “deep doubt” and denied the comments were his words, claiming they were manufactured by AI.

“Look, I’m not going to get into the minutia about how somebody manufactured these salacious tabloid lies, but I can tell you this: There’s been over one million dollars spent on me through AI by a billionaire’s son who’s bound and determined to destroy me,” Robinson told CNN reporter Andrew Kaczynski in a televised interview. “The things that people can do with the Internet now is incredible. But what I can tell you is this: Again, these are not my words. This is simply tabloid trash being used as a distraction from the substantive issues that the people of this state are facing.”

The CNN investigation found that Robinson, currently serving as North Carolina’s lieutenant governor, used the username “minisoldr” on a website called “Nude Africa” between 2008 and 2012. CNN identified Robinson as the user by matching biographical details, a shared email address, and profile photos. The comments included Robinson referring to himself as a “black NAZI!” and expressing support for reinstating slavery, among other controversial comments.


The Windows App runs on Windows, but also macOS, iOS/iPadOS, web browsers, and Android. (credit: Microsoft)

Microsoft announced today that it’s releasing a new app called Windows App as an app for Windows that allows users to run Windows and also Windows apps (it’s also coming to macOS, iOS, web browsers, and is in public preview for Android).

On most of those platforms, Windows App is a replacement for the Microsoft Remote Desktop app, which was used for connecting to a copy of Windows running on a remote computer or server—for some users and IT organizations, a relatively straightforward way to run Windows software on devices that aren’t running Windows or can’t run Windows natively.

The new name, though potentially confusing, attempts to sum up the app’s purpose: It’s a unified way to access your own Windows PCs with Remote Desktop access turned on, cloud-hosted Windows 365 and Microsoft Dev Box systems, and individual remotely hosted apps that have been provisioned by your work or school.


A coalition of law-enforcement agencies said it shut down a service that facilitated the unlocking of more than 1.2 million stolen or lost mobile phones so they could be used by someone other than their rightful owner.

The service was part of iServer, a phishing-as-a-service platform that has been operating since 2018. The Argentina-based iServer sold access to a platform that offered a host of phishing-related services through email, texts, and voice calls. One of the specialized services offered was designed to help people in possession of large numbers of stolen or lost mobile devices to obtain the credentials needed to bypass protections such as the lost mode for iPhones, which prevent a lost or stolen device from being used without entering its passcode.

Catering to low-skilled thieves

An international operation coordinated by Europol’s European Cybercrime Center said it arrested the Argentinian national who was behind iServer and identified more than 2,000 “unlockers” who had enrolled in the phishing platform over the years. Investigators ultimately found that the criminal network had been used to unlock more than 1.2 million mobile phones. Officials said they also identified 483,000 phone owners who had received messages phishing for credentials for their lost or stolen devices.


Cutting metal with lasers is hard, but even harder when you don’t know the worst-case timings of your code. (credit: Getty Images)

As is so often the case, a notable change in an upcoming Linux kernel is both historic and no big deal.

If you wanted to use “Real-Time Linux” for your audio gear, your industrial welding laser, or your Mars rover, you have had that option for a long time (presuming you didn’t want to use QNX or other alternatives). Universities started making their own real-time kernels in the late 1990s. A patch set, PREEMPT_RT, has existed since at least 2005. And some aspects of the real-time work, like NO_HZ, were long ago moved into the mainline kernel, enabling its use in data centers, cloud computing, or anything with a lot of CPUs.

But officialness still matters, and in the 6.12 kernel, PREEMPT_RT will likely be merged into the mainline. As noted by Steven Vaughan-Nichols at ZDNet, the final sign-off by Linus Torvalds occurred while he was attending Open Source Summit Europe. Torvalds wrote the original code for printk, a debugging tool that can pinpoint exact moments where a process crashes, but also introduces latency that runs counter to real-time computing. The Phoronix blog has tracked the progress of PREEMPT_RT into the kernel, along with the printk changes that allowed for threaded/atomic console support crucial to real-time mainlining.


If you haven’t noticed by now, Big Tech companies have been making plans to invest in the infrastructure necessary to deliver generative AI products like ChatGPT (and beyond) to hundreds of millions of people around the world. That push involves building more AI-accelerating chips, more data centers, and even new nuclear plants to power those data centers, in some cases.

Along those lines, Microsoft, BlackRock, Global Infrastructure Partners (GIP), and MGX announced a massive new AI investment partnership on Tuesday called the Global AI Infrastructure Investment Partnership (GAIIP). The partnership initially aims to raise $30 billion in private equity capital, which could later turn into $100 billion in total investment when including debt financing.

The group will invest in data centers and supporting power infrastructure for AI development. “The capital spending needed for AI infrastructure and the new energy to power it goes beyond what any single company or government can finance,” Microsoft President Brad Smith said in a statement.


For the past few years, a conspiracy theory called “Dead Internet theory” has picked up speed as large language models (LLMs) like ChatGPT increasingly generate text and even social media interactions found online. The theory says that most social Internet activity today is artificial and designed to manipulate humans for engagement.

On Monday, software developer Michael Sayman launched a new AI-populated social network app called SocialAI that feels like it’s bringing that conspiracy theory to life, allowing users to interact solely with AI chatbots instead of other humans. It’s available on the iPhone app store, but so far, it’s picking up pointed criticism.

After its creator announced SocialAI as “a private social network where you receive millions of AI-generated comments offering feedback, advice & reflections on each post you make,” computer security specialist Ian Coldwater quipped on X, “This sounds like actual hell.” Software developer and frequent AI pundit Colin Fraser expressed a similar sentiment: “I don’t mean this like in a mean way or as a dunk or whatever but this actually sounds like Hell. Like capital H Hell.”
