Android

The Fairphone 2 Will Hit End-of-Life After 7 Years of Updates (arstechnica.com) 20

An anonymous reader quotes a report from Ars Technica: It can be done. Android manufacturers can actually support a phone for a sizable amount of time. Fairphone has announced the end of life for the Fairphone 2, which will be March 2023. That phone was released in October 2015, so that's almost seven-and-a-half years of updates. Fairphone is a very small Dutch company with nowhere near as many resources as Google, Samsung, BBK, and the other Big-Tech juggernauts, yet it managed to outlast them with its support program. The whole goal of the company is sustainability, with easily repairable phones, available spare parts, and long update promises. The Fairphone 4 has a five-year hardware warranty and six years of updates, and the company's reputation says it can provide that. Sadly, the phones only ship in the UK and Europe. The Fairphone 2 only promised "three to five years" of updates, and it blew that out of the water.

The Fairphone 2 features the Qualcomm Snapdragon 801 SoC, a chip that Qualcomm ended support for with Android 6.0. In what is probably an Android ecosystem first, that lack of chipset support didn't stop Fairphone, which teamed up with LineageOS and today ships Android 10 on the 7-year-old device. That's not the newest OS in the world, but it passes all of Google's Android compatibility tests. I'm sure there are newer amateur releases in the Android ROM community, but Fairphone's Android 10 build is up to the standard of an official release, as opposed to the "tell me what doesn't work" standard of many amateur ROM releases. Fairphone doesn't say why support is ending in March, but if it's staying on Android 10, it was going to have to kill support sometime this year. Google only supports security patches for the last four versions of Android, so even Google will be shutting down Android 10 support soon.

Google

Google Urges Apple Not To 'Drop the Ball' on Fixing Messaging in New Billboard Pushing RCS (macrumors.com) 142

Google is continuing on with its #GetTheMessage campaign attempting to convince Apple to adopt the RCS messaging protocol, this time taking out a large New Year's-themed ad at Harmon Corner in Las Vegas. From a report: The digital billboard urges Apple not to "drop the ball" on fixing its "pixelated photos and videos." Hey Apple, it's Android, the ball may have dropped on 2022, but you don't have to drop the ball on fixing your pixelated photos and videos. [...] After the short message, the billboard scrolls through RCS code, ending with a plea to customers to "Help Apple #GetTheMessage," the hashtag that Google has been using for the campaign.

Communications

Qualcomm's Going Toe-To-Toe With Apple's Satellite Messaging Feature (theverge.com) 20

Qualcomm has announced that its new processors and modems will allow phones to communicate with the Iridium satellite network, letting users send and receive messages even in areas without cell coverage. The Verge reports: The feature, called Snapdragon Satellite, will be available in phones that have both Qualcomm's Snapdragon 8 Gen 2 processor and its X70 Modem system, along with some additional radios. Phones that support it should be "launched in select regions starting in the second half of 2023," according to the company's press release, and there are several manufacturers working on designs, according to Francesco Grilli, a Qualcomm spokesperson who helped conduct a briefing for journalists. For now, the feature will likely only be available in flagship Android phones, as Qualcomm's only including the tech in its premium chips. Companies that want to add it to their phones will work directly with Qualcomm to figure out the software and hardware, but they shouldn't have to build new relationships with Iridium, according to Grilli. To the satellites, phones with the tech will look like any other Iridium-enabled devices. As for who will pay for the messages, "the cost of the satellite-based messaging service and dependent services will depend on OEMs and service providers and how they choose to offer the service," according to Grilli.

At first, Snapdragon Satellite will be limited to use in emergency situations, letting you contact someone for help even if you're in a remote area without cell service. According to Grilli, "Snapdragon Satellite leverages Garmin Response." When you send an SOS, "response coordinators immediately see the customer's Latitude/Longitude in their proprietary mapping and response coordination software to determine the appropriate agency to coordinate the rescue." Qualcomm says that, eventually, it'll support "premium messaging," which will likely cost extra and will have to be implemented by OEMs, cell carriers, or other over-the-top service providers. So far, this isn't something Apple offers; you can only send texts via satellite using its SOS feature.

While Qualcomm says the emergency service will be free or very cheap, it hasn't provided details yet on how much it'll cost you if you just want to be able to text your friends from remote areas, like a hiking trail, ski lift, or even a boat in the middle of the ocean. Once that service becomes available, however, Qualcomm says you'll be able to use it with your regular phone number. (That likely won't be the case for emergency use, but it matters less there.) [...] While details are sparse on what it'll be like to actually send and receive satellite messages, it sounds like the experience will be similar to Apple's in that you'll have to follow instructions on your phone to point it toward a satellite. According to Grilli, your phone will be able to predict where Iridium's satellites are months in advance thanks to the way its constellation orbits the Earth. When you go to connect to one, it'll use GPS and other measurements to determine where you need to be facing...

AMD

AMD Claims New Laptop Chip Is 30% Faster Than M1 Pro, Promises Up To 30 Hours of Battery Life (macrumors.com) 74

At CES this week, AMD announced a suite of new chips for notebooks and desktop computers, with one notable announcement being the company's new AMD Ryzen 7040 series of processors for ultrathin notebooks that will compete with Apple's M1 Pro and M2 chips. MacRumors reports: The AMD Ryzen 7040 series of chips are "ultrathin" processors based on the 4nm process, and the highest-end chip part of the family is the Ryzen 9 7940HS. The Ryzen 9 7940HS has eight cores, 16 threads, and 5.2GHz boost speeds. Announcing the new chip, AMD CEO Lisa Su made bold claims about its performance, saying it's up to 30% faster than Apple's M1 Pro chip. In specific tasks, AMD claims the chip is 34% faster in multiprocessing workloads than the M1 Pro and 20% faster than the M2 in AI tasks.

One cornerstone of Apple silicon is energy efficiency, and in that area, AMD claims the new AMD Ryzen 7040 series will offer 30+ hours of video playback in ultrathin notebooks. Built directly into the series of chips is Ryzen AI, a dedicated AI engine embedded in the processor. AMD chips configured with Ryzen AI are 20% faster in AI tasks than Apple's M2 chip while being 50% more energy efficient, according to the company.

To showcase the new chip's performance, AMD compared the performance of a high-end Intel chip, the M1 Pro, and its new Ryzen 9 7940HS processor rendering an object in the popular application Blender. In the time-lapsed video shown on stage, the M1 Pro lags behind the Ryzen 9 7940HS in rendering the object. AMD says it made its performance claims against a MacBook Pro with M1 Pro, 32GB of unified memory, and 1TB of SSD storage running macOS Monterey. The M1 Pro is not Apple's highest-end and most powerful chip for laptops, which is the M1 Max, and AMD did not compare its chip to the M1 Max.

After roasting the M1 Pro, Ian Zelbo from FrontPageTech noticed AMD running their CES keynote on multiple 14-inch MacBook Pros. "Obviously these are contracted employees, and it means nothing," he tweeted. "I just always find stuff like this hilarious."

We do too... It's akin to the "Twitter for iPhone" line on tweets that have gotten Android promoters in hot water multiple times over the past several years.

Entertainment

NVIDIA's GeForce Now Game Streaming Is Coming To Cars (engadget.com) 24

NVIDIA has announced that it's bringing GeForce Now game streaming to cars using the company's Drive platform. Engadget reports: The rollout will offer access to titles like Cyberpunk 2077 on a driver display while you're charging or parked, or any time from the backseat. The cloud gaming option already has initial support from major brands like the Hyundai group (including Genesis and Kia), Polestar and China's BYD. NVIDIA didn't offer a timeframe for GeForce Now access, although it noted that BYD would offer Drive Hyperion-powered cars in the first half of 2023. The Polestar 3 SUV (built using Drive Orin) arrives in late 2023.

The in-car GeForce Now client works on either Android or web-based infotainment systems. NVIDIA's service provides a catalog of 1,500 games, over 1,000 of which are playable using gamepads. While most of the selection is paid, there are free-to-play options like Destiny 2 and Fortnite. As with other game streaming services, this could get costly if you plan to use it often. While basic GeForce Now use is free, you can pay up to $200 per year for the full experience before you factor in the cost of the games themselves. In some cases, though, this might make more sense than buying a handheld console or tablet.
Further reading: Nvidia Unveils GeForce RTX 40 Series GPUs for Laptops

Google

Google Wants RISC-V To Be a 'Tier-1' Android Architecture (arstechnica.com) 61

An anonymous reader quotes a report from Ars Technica: Google's keynote at the RISC-V Summit was all about bold proclamations [...]. Lars Bergstrom, Android's director of engineering, wants RISC-V to be seen as a "tier-1 platform" in Android, which would put it on par with Arm. That's a big change from just six months ago. Bergstrom says getting optimized Android builds on RISC-V will take "a lot of work" and outlined a roadmap that will take "a few years" to come to fruition, but AOSP started to land official RISC-V patches back in September. The build system is up and running, and anyone can grab the latest "riscv64" branch whenever they want -- and yes, in line with its recent Arm work, Google wants RISC-V on Android to be 64-bit only. For now, the most you can get is a command line, and Bergstrom's slide promised "initial emulator support by the start of 2023, with Android RunTime (ART) support for Java workloads following during Q1."

One of Bergstrom's slides featured the above "to-do" list, which included a ton of major Android components. Unlike Android's unpolished support for x86, Bergstrom promised a real push for quality with RISC-V, saying, "We need to do all of the work to move from a prototype and something that runs to something that's really singing -- that's showing off the best-in-class processors that [RISC-V International Chairman Krste Asanovic] was mentioning in the previous talk." Once Google does get Android up and running on RISC-V, then it will be up to manufacturers and the app ecosystem to back the platform. What's fun about the Android RunTime is that when ART supports RISC-V, a big chunk of the Android app ecosystem will come with it. Android apps ship as Java code, and the way that becomes an ARM app is when the Android Runtime compiles it into ARM code. Instead, it will soon compile into RISC-V code with no extra work from the developer. Native code that isn't written in Java, like games and component libraries, will need to be ported over, but starting with Java code is a big jump-start.

In her opening remarks, RISC-V International (the nonprofit company that owns the architecture) CEO Calista Redmond argued that "RISC-V is inevitable" thanks to the open business model and wave of open chip design that it can create, and it's getting hard to argue against that. While the show was mostly about the advantages of RISC-V, I want to add that the biggest reason RISC-V seems inevitable is that current CPU front-runner Arm has become an unstable, volatile company, and it feels like any viable alternative would have a good shot at success right now. [...] The other reason to kick Arm to the curb is the US-China trade war, specifically that Chinese companies (and the Chinese government) would really like to distance themselves from Western technology. [...] RISC-V is seen as a way to be less reliant on the West. While the project started at UC Berkeley, RISC-V International says the open source architecture is not subject to US export law. In 2019, the RISC-V Foundation actually moved from the US to Switzerland and became "RISC-V International," all to try to avoid picking a side in the US-China trade war. The result is that Chinese tech companies are rallying around RISC-V as the future chip architecture. One Chinese company hit by US export restrictions, the e-commerce giant Alibaba, has been the leading force in bringing RISC-V support to Android, and with Chinese companies playing a huge part in the Android ecosystem, it makes sense that Google would throw open the doors for official support. Now we just need someone to build a phone.

Google

Google Alleges India Antitrust Body Copied Parts of EU Order on Android Abuse (reuters.com) 36

Google has told a tribunal in India that the country's antitrust investigators copied parts of a European ruling against the U.S. firm for abusing the market dominance of its Android operating system, arguing the decision be quashed, legal papers show. From a report: The Competition Commission of India (CCI) in October fined Alphabet's Google $161 million for exploiting its dominant position in markets such as online search and the Android app store, and asked it to change restrictions imposed on smartphone makers related to pre-installing apps.

In its filing to an Indian appeals tribunal, Google argues the CCI's investigation unit "copy-pasted extensively from a European Commission decision, deploying evidence from Europe that was not examined in India." "There are more than 50 instances of copypasting," in some cases "word-for-word," and the watchdog erroneously dismissed the issue, Google said in its filing which is not public but has been reviewed by Reuters. "The Commission failed to conduct an impartial, balanced, and legally sound investigation ... Google's mobile app distribution practices are pro-competitive and not unfair/ exclusionary."

Technology

The Dark Sky's iOS App Will Stop Working Imminently (theverge.com) 52

The time has come: Dark Sky, the (mostly) beloved weather app for iOS is going to stop working on January 1st, according to in-app warnings. From a report: The sunsetting has been in the forecast for a while -- Apple announced it was planning on shutting down the service last year after acquiring it in 2020, and it removed Dark Sky from the App Store a few months ago, according to 9to5Mac. But if you've been putting off finding a new weather app, now's the time to finally get around to it. As for what alternatives iPhone users have available (the Android app was axed in 2020), perhaps the most obvious is Apple's own built-in Weather app. The company even has a support document titled "How Dark Sky users can use the Apple Weather app," which talks about how features from the former have been added to the latter. Further reading: The World's Best Terrible Weather App.

Spam

Google Voice Will Now Warn You About Potential Spam Calls (theverge.com) 28

Google has announced that it's adding a red "suspected spam caller" warning to Google Voice calls if it doesn't think they're legitimate. From a report: In a post on Thursday, the company says it's identifying spam "using the same advanced artificial intelligence" system as it does with its traditional phone app for Android. If the spam label appears, you'll also have the option of confirming that a call was spam -- in which case any future calls will be sent straight to your voicemail -- or clarifying that it wasn't, which will get rid of the label for future calls.

Google Voice has had the ability to automatically filter calls identified as spam to voicemail for years, and has also allowed you to screen calls before actually picking them up, but those options may not have been great if you're the type of person who gets a lot of important calls from unknown numbers. Google does say that you'll have to turn off the Filter Spam feature by going to Settings > Security > Filter spam if you want the automatic spam labeling.

Security

EarSpy: Spying On Phone Calls Via Ear Speaker Vibrations Captured By Accelerometer (securityweek.com) 27

An anonymous reader quotes a report from SecurityWeek: As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user's conversations, according to a team of researchers from several universities in the United States. The attack method, named EarSpy, is described in a paper published just before Christmas by researchers from Texas A&M University, Temple University, New Jersey Institute of Technology, Rutgers University, and the University of Dayton. EarSpy relies on the phone's ear speaker -- the speaker at the top of the device that is used when the phone is held to the ear -- and the device's built-in accelerometer for capturing the tiny vibrations generated by the speaker.

The researchers discovered that attacks such as EarSpy are becoming increasingly feasible due to the improvements made by smartphone manufacturers to ear speakers. They conducted tests on the OnePlus 7T and the OnePlus 9 smartphones -- both running Android -- and found that significantly more data can be captured by the accelerometer from the ear speaker due to the stereo speakers present in these newer models compared to the older model OnePlus phones, which did not have stereo speakers. The experiments conducted by the academic researchers analyzed the reverberation effect of ear speakers on the accelerometer by extracting time-frequency domain features and spectrograms. The analysis focused on gender recognition, speaker recognition, and speech recognition.

In the gender recognition test, whose goal is to determine whether the target is male or female, the EarSpy attack had a 98% accuracy. The accuracy was nearly as high, at 92%, for detecting the speaker's identity. When it comes to actual speech, the accuracy was up to 56% for capturing digits spoken in a phone call. "[This] accuracy still exhibits five times greater accuracy than a random guess, which implies that vibration due to the ear speaker induced a reasonable amount of distinguishable impact on accelerometer data," the researchers said.

AI

Google Assistant Takes the Crown Beating Bixby and Siri In Voice Assistant Test (androidheadlines.com) 53

An anonymous reader quotes a report from Android Headlines: In a recent voice assistant test conducted by popular YouTuber MKBHD, Google Assistant emerged as the best voice assistant, outperforming Apple's Siri, Samsung's Bixby, and Amazon's Alexa. There are several reasons why Google Assistant stands out as the top voice assistant. Firstly, it is backed by Google's powerful artificial intelligence, which helps it to understand and interpret user requests accurately. Secondly, Google Assistant has access to a vast amount of data from its users, which allows it to provide a more personalized experience. The company also collects data from various services such as search, maps, and email to improve the functionality and performance of Google Assistant. However, one of the biggest reasons behind Google Assistant's win is its strong conversation skills. Google's AI uses natural language processing (NLP) algorithms to understand the meaning and context of words and phrases, which helps to keep the conversation going.

Apple's Siri took second place in the competition. It performed well when asked to complete tasks like setting a timer and searching the internet, but struggled when asked to answer more complex or conversational questions. Additionally, Siri was unable to perform tasks that required interacting with apps. In contrast, Samsung's Bixby excelled in device control thanks to its integration with Samsung devices. This integration enables Bixby to control system settings and integrate more deeply with apps than any other voice assistant. Bixby can send text messages, check sports scores, turn down screen brightness, check your calendar, launch apps, and more.

Of all the digital assistants, Amazon's Alexa performed the worst in the voice assistant test. This is due to several factors. Firstly, Alexa is not integrated into smartphones, which means it lacks the personalized touch of other voice assistants. This can make it feel less intuitive and less convenient to use. Secondly, Alexa's inaccuracy in finding facts, inability to interact with other apps and poor conversational models all combine to create a subpar experience when used on a phone. These issues make it difficult for Alexa to provide useful and reliable information, which is a key expectation of voice assistants. In addition, the inclusion of Amazon advertisements between tasks can be annoying and disrupt the user experience.

Security

GodFather Android Malware Targets 400 Banks, Crypto Exchanges (bleepingcomputer.com) 7

An Android banking malware named 'Godfather' has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges. From a report: The malware generates login screens overlaid on top of the banking and crypto exchange apps' login forms when victims attempt to log in to the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.

The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defenses. ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then. Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play.

Android

Android is Adding Support for Updatable Root Certificates Amid TrustCor Scare (esper.io) 19

Esper: The world's biggest tech companies have lost confidence in one of the Internet's behind-the-scenes gatekeepers. Microsoft, Mozilla, and Google are dropping TrustCor Systems as a root certificate authority in their products. Starting in Chrome version 111 for desktops, the browser will no longer trust certificates issued by TrustCor Systems. The same change is coming to Android, but unlike Chrome for desktops, Android's root certificate store can't be updated independently of the OS, meaning it'll take some time for the certificate changes to roll out. Thankfully, that may no longer be the case in Android 14, as Google is preparing to implement updatable root certificates in the next release.

Social Networks

Tumblr Is Launching a Livestreaming Feature (theverge.com) 8

Tumblr is adding support for livestreaming via the video platform Livebox. The Verge reports: Tumblr has supported streaming in the past, but it did so by letting people share streams from other services like YouNow and YouTube. The new option is described as a native Tumblr streaming service powered by Livebox. (Livebox is operated by the Meet Group, a subsidiary of the dating app company ParshipMeet Group.) Livebox allows users to tip streamers, and by the same token, Tumblr will let you pay creators in a virtual currency called "Diamonds." Livebox provides AI- and human-powered moderation for streams, according to a press release; the service also lets streamers designate trusted viewers as moderators. The streaming service is so far only supported for people's primary Tumblr blog, not any side blogs under the same account.

The feature is being rolled out to US users on iOS and Android now, and a release for global users and the desktop site is planned for the future. More details are outlined in a blog post, which dubs the service Tumblr Live.

Privacy

Xnspy Stalkerware Spied on Thousands of iPhones and Android Devices (techcrunch.com) 3

A little-known phone monitoring app called Xnspy has stolen data from tens of thousands of iPhones and Android devices, the majority of whose owners are unaware that their data has been compromised. From a report: Xnspy is one of many so-called stalkerware apps sold under the guise of allowing a parent to monitor their child's activities, but are explicitly marketed for spying on a spouse or domestic partner's devices without their permission. Its website boasts, "to catch a cheating spouse, you need Xnspy on your side," and, "Xnspy makes reporting and data extraction simple for you."

Stalkerware apps, also known as spouseware, are surreptitiously planted by someone with physical access to a person's phone, bypassing the on-device security protections, and are designed to stay hidden from home screens, which makes them difficult to detect. Once installed, these apps will silently and continually upload the contents of a person's phone, including their call records, text messages, photos, browsing history and precise location data, allowing the person who planted the app near-complete access to their victim's data. But new findings show many stalkerware apps are riddled with security flaws and are exposing the data stolen from victims' phones. Xnspy is no different.

Power

Will USB-C Charging Standard Bring Fewer Other Proprietary Parts and Less e-Waste? (cnn.com) 116

Recently the EU voted to require tech companies like Apple to standardize on USB-C charging ports.

A CNN opinion piece calls this "a hallelujah moment for iPhone owners everywhere." iPhone cords are a very big business: There are reportedly about 1.2 billion active iPhones out in the wild. And if their charging cables need to be replaced once or twice a year as many users attest, at roughly $20 a pop, well, you could just about buy a Twitter a year for that sum.... While the new edict only directly applies to devices sold in the EU, India looks set to follow in Europe's footsteps....

[T]he move is almost certain to serve as the push that gets Apple to finally abandon its bespoke-battery-booster approach for future versions of the world's most popular smartphone. Even Greg Joswiak, the company's global head of marketing, admitted that the EU standardization push means the lifespan of Apple Lightning charging cables is likely finally over. And right on time, given that ten years ago Apple called it the "cable standard for the next decade...." It might even dilute some of the tribal tension between iPhone and Android users, assuming the latter don't lord over us the fact that most of them have already been charging with C for half a decade. (We still have our blue message bubbles, greenies!)

And it might generally reduce the temptation among tech companies, chief among them Apple, to "innovate" by introducing proprietary parts that regularly force an entire domino cascade of costly upgrades. (The fact that every new iPhone seems to be a random millimeter different in size and shape in each direction already means that brand new cases, cradles and screen protectors have to be repurchased along with new handsets, all for the privilege of a few hundred pixels of fresh real estate.) While that process may offer a welcome cash stimulus to the peripherals and accessories industry, it contributes to the massive environmental burden caused by e-waste, estimated at about 60 million tons a year — an amount heavier than the world's heaviest man-made object, the Great Wall of China.

The Courts

Apple Sued By Stalking Victims Over Alleged AirTag Tracking (popsci.com) 108

schwit1 shares a report from Popular Science: [T]wo women filed a potential class action lawsuit against Apple, alleging the company has ignored critics' and security experts' repeated warnings that the company's AirTag devices are being repeatedly used to stalk and harass people. Both individuals were targets of past abuse from ex-partners and argued in the filing that Apple's subsequent safeguard solutions remain wholly inadequate for consumers. "With a price point of just $29, it has become the weapon of choice of stalkers and abusers," reads a portion of the lawsuit, as The New York Times reported [...].

Apple first debuted AirTags in April 2021. Within the ensuing eight months, at least 150 police reports from just eight precincts reviewed by Motherboard explicitly mentioned abusers utilizing the tracking devices to stalk and harass women. In the new lawsuit, plaintiffs allege that one woman's abuser hid the location devices within her car's wheel well. At the same time, the other woman's abuser placed one in their child's backpack following a contentious divorce, according to the suit. Security experts have since cautioned that hundreds more similar situations likely remain unreported or even undetected.

The lawsuit (PDF), published by Ars Technica, cites them as "one of the products that has revolutionized the scope, breadth, and ease of location-based stalking," arguing that "what separates the AirTag from any competitor product is its unparalleled accuracy, ease of use (it fits seamlessly into Apple's existing suite of products), and affordability." The proposed class action lawsuit seeks unspecified damages for owners of iOS or Android devices which have been tracked with an AirTag or are at risk of being stalked. Since AirTags' introduction last year, at least two murders have occurred directly involving using Apple's surveillance gadget, according to the lawsuit.

Chrome

Passkey Support Rolls Out To Chrome Stable (arstechnica.com) 19

An anonymous reader quotes a report from Ars Technica: Following Google's beta rollout of the feature in October, passkeys are now hitting Chrome stable M108. "Passkey" is built on industry standards and backed by all the big platform vendors -- Google, Apple, Microsoft -- along with the FIDO Alliance. Google's latest blog says: "With the latest version of Chrome, we're enabling passkeys on Windows 11, macOS, and Android." The Google Password Manager on Android is ready to sync all your passkeys to the cloud, and if you can meet all the hardware requirements and find a supporting service, you can now sign-in to something with a passkey. [...]

Now that this is actually up and running on Chrome 108 and a supported OS, you should be able to see the passkey screen under the "autofill" section of the Chrome settings (or try pasting chrome://settings/passkeys into the address bar). Next up we'll need more websites and services to actually support using a passkey instead of a password to sign in. Google Account support would be a good first step -- right now you can use a passkey for two-factor authentication with Google, but you can't replace your password yet. Everyone's go-to example of passkeys is the passkeys.io demo site, which we have a walkthrough of here.

Security

Samsung Galaxy S22 Hacked Again On Second Day of Pwn2Own (bleepingcomputer.com) 18

Contestants hacked the Samsung Galaxy S22 again during the second day of the consumer-focused Pwn2Own 2022 competition in Toronto, Canada. They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital. BleepingComputer reports: Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday. They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22. In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. This brings the first two days of Pwn2Own total to $681,250 awarded for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed. The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

Security

Samsung's Android App-Signing Key Has Leaked, is Being Used To Sign Malware (arstechnica.com) 23

Lukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. From a report: The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and MediaTek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets. [...] Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter. As he explains, having an app grab the same UID as the Android system isn't quite root access, but it's close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone. Imagine a more evil version of Google Play Services, and you get the idea.
