android

Commercial spyware “Landfall” ran rampant on Samsung phones for almost a year

Before the April 2025 patch, Samsung phones had a vulnerability in their image processing library. This is a zero-click attack because the user doesn’t need to launch anything. When the system processes the malicious image for display, it extracts shared object library files from the ZIP to run the Landfall spyware. The payload also modifies the device’s SELinux policy to give Landfall expanded permissions and access to data.

How Landfall exploits Samsung phones. Credit: Unit 42

The infected files appear to have been delivered to targets via messaging apps like WhatsApp. Unit 42 notes that Landfall’s code references several specific Samsung phones, including the Galaxy S22, Galaxy S23, Galaxy S24, Galaxy Z Flip 4, and Galaxy Z Fold 4. Once active, Landfall reaches out to a remote server with basic device information. The operators can then extract a wealth of data, like user and hardware IDs, installed apps, contacts, any files stored on the device, and browsing history. It can also activate the camera and microphone to spy on the user.

Removing the spyware is no easy feat, either. Because of its ability to manipulate SELinux policies, it can burrow deeply into the system software. It also includes several tools that help evade detection. Based on the VirusTotal submissions, Unit 42 believes Landfall was active in 2024 and early 2025 in Iraq, Iran, Turkey, and Morocco. The vulnerability may have been present in Samsung’s software from Android 13 through Android 15, the company suggests.

Unit 42 says that several naming schemes and server responses share similarities with industrial spyware developed by big cyber-intelligence firms like NSO Group and Variston. However, they cannot directly tie Landfall to any particular group. While this attack was highly targeted, the details are now in the open, and other threat actors could now employ similar methods to access unpatched devices. Anyone with a supported Samsung phone should make certain they are on the April 2025 patch or later.

The Android-powered Boox Palma 2 Pro fits in your pocket, but it’s not a phone

Softly talking about the Boox Palma 2 Pro

For years, color E Ink was seen as a desirable feature, which would make it easier to read magazines and comics on low-power devices—Boox even has an E Ink monitor. However, the quality of the displays has been lacking. These screens do show colors, but they’re not as vibrant as what you get on an LCD or OLED. In the case of the Palma 2 Pro, the screen is also less sharp in color mode. The touchscreen display is 824 × 1648 in monochrome, but turning on color cuts that in half to 412 × 824.

In addition to the new screen, the second-gen Palma adds a SIM card slot. It’s not for phone calls, though. The SIM slot allows the device to get 5G mobile data in addition to Wi-Fi.

Credit: Boox

The Palma 2 Pro runs Android 15 out of the box. That’s a solid showing for Boox, which often uses much older builds of Google’s mobile OS. Upgrades aren’t guaranteed, and there’s no official support for Google services. However, Boox has a workaround for its devices so the Play Store can be installed.

The new Boox pocket reader is available for pre-order now at $400. It’s expected to ship around November 14.

Hackers can steal 2FA codes and private messages from Android phones


STEALING CODES ONE PIXEL AT A TIME

Malicious app required to make “Pixnapping” attack work requires no permissions.

Samsung’s S25 phones. Credit: Samsung

Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds.

The new attack, named Pixnapping by the team of academic researchers who devised it, requires a victim to first install a malicious app on an Android phone or tablet. The app, which requires no system permissions, can then effectively read data that any other installed app displays on the screen. Pixnapping has been demonstrated on Google Pixel phones and the Samsung Galaxy S25 phone and likely could be modified to work on other models with additional work. Google released mitigations last month, but the researchers said a modified version of the attack works even when the update is installed.

Like taking a screenshot

Pixnapping attacks begin with the malicious app invoking Android programming interfaces that cause the authenticator or other targeted apps to send sensitive information to the device screen. The malicious app then runs graphical operations on individual pixels of interest to the attacker. Pixnapping then exploits a side channel that allows the malicious app to map the pixels at those coordinates to letters, numbers, or shapes.

“Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping,” the researchers wrote on an informational website. “Chat messages, 2FA codes, email messages, etc. are all vulnerable since they are visible. If an app has secret information that is not visible (e.g., it has a secret key that is stored but never shown on the screen), that information cannot be stolen by Pixnapping.”

The new attack class is reminiscent of GPU.zip, a 2023 attack that allowed malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites. It worked by exploiting side channels found in GPUs from all major suppliers. The vulnerabilities that GPU.zip exploited have never been fixed. Instead, the attack was blocked in browsers by limiting their ability to open iframes, an HTML element that allows one website (in the case of GPU.zip, a malicious one) to embed the contents of a site from a different domain.

Pixnapping targets the same side channel as GPU.zip, specifically the precise amount of time it takes for a given frame to be rendered on the screen.

“This allows a malicious app to steal sensitive information displayed by other apps or arbitrary websites, pixel by pixel,” Alan Linghao Wang, lead author of the research paper “Pixnapping: Bringing Pixel Stealing out of the Stone Age,” explained in an interview. “Conceptually, it is as if the malicious app was taking a screenshot of screen contents it should not have access to. Our end-to-end attacks simply measure the rendering time per frame of the graphical operations… to determine whether the pixel was white or non-white.”

Pixnapping in three steps

The attack occurs in three main steps. In the first, the malicious app invokes Android APIs that make calls to the app the attacker wants to snoop on. These calls can also be used to effectively scan an infected device for installed apps of interest. The calls can further cause the targeted app to display specific data it has access to, such as a message thread in a messaging app or a 2FA code for a specific site. This call causes the information to be sent to the Android rendering pipeline, the system that takes each app’s pixels so they can be rendered on the screen. The Android-specific calls made include activities, intents, and tasks.

In the second step, Pixnapping performs graphical operations on individual pixels that the targeted app sent to the rendering pipeline. These operations choose the coordinates of target pixels the app wants to steal and begin to check if the color of those coordinates is white or non-white or, more generally, if the color is c or non-c (for an arbitrary color c).

“Suppose, for example, [the attacker] wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator,” Wang said. “This pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Then, conceptually, the attacker wants to cause some graphical operations whose rendering time is long if the target victim pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the victim app that was opened in Step 1.”

The third step measures the amount of time required at each coordinate. By combining the times for each one, the attack can rebuild the images sent to the rendering pipeline one pixel at a time.

As Ars reader hotball put it in the comments below:

Basically the attacker renders something transparent in front of the target app, then using a timing attack exploiting the GPU’s graphical data compression to try finding out the color of the pixels. It’s not something as simple as “give me the pixels of another app showing on the screen right now.” That’s why it takes time and can be too slow to fit within the 30 seconds window of the Google Authenticator app.

In an online interview, paper co-author Ricardo Paccagnella described the attack in more detail:

Step 1: The malicious app invokes a target app to cause some sensitive visual content to be rendered.

Step 2: The malicious app uses Android APIs to “draw over” that visual content and cause a side channel (in our case, GPU.zip) to leak as a function of the color of individual pixels rendered in Step 1 (e.g., activate only if the pixel color is c).

Step 3: The malicious app monitors the side effects of Step 2 to infer, e.g., if the color of those pixels was c or not, one pixel at a time.

Steps 2 and 3 can be implemented differently depending on the side channel that the attacker wants to exploit. In our instantiations on Google and Samsung phones, we exploited the GPU.zip side channel. When using GPU.zip, measuring the rendering time per frame was sufficient to determine if the color of each pixel is c or not. Future instantiations of the attack may use other side channels where controlling memory management and accessing fine-grained timers may be necessary (see Section 3.3 of the paper). Pixnapping would still work then: the attacker would just need to change how Steps 2 and 3 are implemented.

The amount of time required to perform the attack depends on several variables, including how many coordinates need to be measured. In some cases, there’s no hard deadline for obtaining the information the attacker wants to steal. In other cases—such as stealing a 2FA code—every second counts, since each one is valid for only 30 seconds. In the paper, the researchers explained:

To meet the strict 30-second deadline for the attack, we also reduce the number of samples per target pixel to 16 (compared to the 34 or 64 used in earlier attacks) and decrease the idle time between pixel leaks from 1.5 seconds to 70 milliseconds. To ensure that the attacker has the full 30 seconds to leak the 2FA code, our implementation waits for the beginning of a new 30-second global time interval, determined using the system clock.

… We use our end-to-end attack to leak 100 different 2FA codes from Google Authenticator on each of our Google Pixel phones. Our attack correctly recovers the full 6-digit 2FA code in 73%, 53%, 29%, and 53% of the trials on the Pixel 6, 7, 8, and 9, respectively. The average time to recover each 2FA code is 14.3, 25.8, 24.9, and 25.3 seconds for the Pixel 6, Pixel 7, Pixel 8, and Pixel 9, respectively. We are unable to leak 2FA codes within 30 seconds using our implementation on the Samsung Galaxy S25 device due to significant noise. We leave further investigation of how to tune our attack to work on this device to future work.

In an email, a Google representative wrote, “We issued a patch for CVE-2025-48561 in the September Android security bulletin, which partially mitigates this behavior. We are issuing an additional patch for this vulnerability in the December Android security bulletin. We have not seen any evidence of in-the-wild exploitation.”
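The patch thresholds quoted above and in the Landfall article earlier on this page can be turned into a fleet check. The following is an added example, not code from Ars Technica, Unit 42, Google, or the researchers. It assumes an inventory export with a `security_patch` column holding the value Android reports in `ro.build.version.security_patch`, that the September and December bulletins are the 2025 ones, and that the first patch level of each month is the cut-off. The device rows and column names are constructed.

```python
import csv
import io
from datetime import date

# Threshold from the Landfall article: "April 2025 patch or later".
LANDFALL_FIXED = date(2025, 4, 1)
# Assumption: the bulletins Google mentions are the 2025 ones, and the first
# patch level of the month is the cut-off. Confirm the exact patch-level
# string for CVE-2025-48561 against the bulletin itself.
PIXNAPPING_PARTIAL = date(2025, 9, 1)      # September: partial mitigation
PIXNAPPING_ADDITIONAL = date(2025, 12, 1)  # December: additional patch

# Models that Unit 42 says Landfall's code references.
LANDFALL_NAMED_MODELS = {
    "galaxy s22", "galaxy s23", "galaxy s24",
    "galaxy z flip 4", "galaxy z fold 4",
}

# Constructed sample inventory (hypothetical MDM export, not real devices).
SAMPLE_INVENTORY = """\
device_id,manufacturer,model,security_patch
dev-001,Samsung,Galaxy S23,2025-02-01
dev-002,Samsung,Galaxy S24,2025-10-01
dev-003,Google,Pixel 9,2025-09-05
dev-004,Samsung,Galaxy A54,2024-12-01
dev-005,Google,Pixel 7,unknown
dev-006,Samsung,Galaxy Z Fold 4,2025-12-01
"""


def parse_patch_level(text):
    """Parse a YYYY-MM-DD patch level; return None if missing or malformed."""
    try:
        return date.fromisoformat((text or "").strip())
    except ValueError:
        return None


def landfall_status(manufacturer, model, patch):
    """Classify a device against the April 2025 Samsung fix."""
    if manufacturer.strip().lower() != "samsung":
        return "not-applicable"
    if patch is None:
        return "unknown"
    if patch >= LANDFALL_FIXED:
        return "patched"
    # Any unpatched Samsung device is flagged; models named in Landfall's
    # code are called out separately so they can be triaged first.
    named = model.strip().lower() in LANDFALL_NAMED_MODELS
    return "exposed-named-model" if named else "exposed"


def pixnapping_status(patch):
    """Classify a device against the two CVE-2025-48561 patches."""
    if patch is None:
        return "unknown"
    if patch < PIXNAPPING_PARTIAL:
        return "unmitigated"
    if patch < PIXNAPPING_ADDITIONAL:
        return "partial"
    return "additional-patch"


def audit(csv_text):
    """Return (device_id, landfall_status, pixnapping_status) per row."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        patch = parse_patch_level(row.get("security_patch"))
        results.append((
            row["device_id"],
            landfall_status(row["manufacturer"], row["model"], patch),
            pixnapping_status(patch),
        ))
    return results


if __name__ == "__main__":
    for device_id, landfall, pixnapping in audit(SAMPLE_INVENTORY):
        print(f"{device_id}: landfall={landfall} pixnapping={pixnapping}")
```

A device whose patch level cannot be parsed is reported as `unknown` rather than treated as patched, so gaps in the inventory stay visible.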

Pixnapping is useful research in that it demonstrates the limitations of Google’s security and privacy assurances that one installed app can’t access data belonging to another app. The challenges in implementing the attack to steal useful data in real-world scenarios, however, are likely to be significant. In an age when teenagers can steal secrets from Fortune 500 companies simply by asking nicely, the utility of more complicated and limited attacks is probably of less value.

Post updated to add details about how the attack works.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.

Google will block sideloading of unverified Android apps starting next year

An early look at the streamlined Android Developer Console for sideloaded apps. Credit: Google

Google says that only apps with verified identities will be installable on certified Android devices, which is virtually every Android-based device—if it has Google services on it, it’s a certified device. If you have a non-Google build of Android on your phone, none of this applies. However, that’s a vanishingly small fraction of the Android ecosystem outside of China.

Google plans to begin testing this system with early access in October of this year. In March 2026, all developers will have access to the new console to get verified. In September 2026, Google plans to launch this feature in Brazil, Indonesia, Singapore, and Thailand. The next step is still hazy, but Google is targeting 2027 to expand the verification requirements globally.

A seismic shift

This plan comes at a major crossroads for Android. The ongoing Google Play antitrust case brought by Epic Games may finally force changes to Google Play in the coming months. Google lost its appeal of the verdict several weeks ago, and while it plans to appeal the case to the US Supreme Court, the company will have to begin altering its app distribution scheme, barring further legal maneuvering.

Credit: Google

Among other things, the court has ordered that Google must distribute third-party app stores and allow Play Store content to be rehosted in other storefronts. Giving people more ways to get apps could increase choice, which is what Epic and other developers wanted. However, third-party sources won’t have the deep system integration of the Play Store, which means users will be sideloading these apps without Google’s layers of security.

It’s hard to say how much of a genuine security problem this is. On one hand, it makes sense Google would be concerned—most of the major malware threats to Android devices spread via third-party app repositories. However, enforcing an installation whitelist across almost all Android devices is heavy handed. This requires everyone making Android apps to satisfy Google’s requirements before virtually anyone will be able to install their apps, which could help Google retain control as the app market opens up. While the requirements may be minimal right now, there’s no guarantee they will stay that way.

The documentation currently available doesn’t explain what will happen if you try to install a non-verified app, nor how phones will check for verification status. Presumably, Google will distribute this whitelist in Play Services as the implementation date approaches. We’ve reached out for details on that front and will report if we hear anything.

Murena’s Pixel Tablet is helping to wean me off Google

There were times when a side-by-side comparison found Google’s results to be more aligned with what I had in mind. However, I quickly appreciated Qwant’s lack of AI-generated responses, Google Maps listings, rows of advertisements, and other distractions ahead of actual results. For example, the top results for a search for “Brooklyn rooftop bars” with the Qwant-based engine were roundups from different blogs and publications. Google’s top results were a map, a few bars’ individual websites, posts from Reddit and Instagram, and only two curated lists (one from a news publication and another from Yelp).

The tablet is weaning me off of Google Search, but I’ll likely download Google Maps soon. Murena’s tablet comes with Magic Earth, the only non-open source app preloaded onto the device. However, without Street Views, speedier response, more detailed public transit information (like the names of stops you have to pass), and easier ways to find points of interest, like restaurants, Magic Earth is not sufficient for replacing Google’s alternative—despite Maps’ low privacy rating.

More privacy, please

Despite the inconveniences of a truly Google-free tablet, using Murena’s Pixel Tablet encouraged me to push for more online privacy. It’s proof that privacy-centric tablets and other gadgets are not only possible, but also worthwhile. With Big Tech often failing to protect users, gadgets that don’t spy on you deserve a bigger spotlight.

One of /e/OS’s best features is its privacy reports, which provide an overview of the apps tracking you.

An example of a privacy report. Credit: Scharon Harding/Murena

The tablet’s privacy menu also has a toggle for hiding your IP address, although Murena notes that you may want to think twice before sending emails, as “your address may end [up getting a] permanent ban from your provider.” Both features give users more control without introducing complexity and place a much greater emphasis on understanding online privacy than what you find among other tablets.

Murena’s Pixel Tablet, while not perfect, proves that a privacy-forward tablet doesn’t have to come with trade-offs. Devices like this make privacy a competitive advantage that other companies should emulate.

How Android phones became an earthquake warning system

Of course, the trick is that you only send out the warning if there’s an actual earthquake, and not when a truck is passing by. Here, the sheer volume of Android phones sold plays a key role. As a first pass, AEA can simply ignore events that aren’t picked up by a lot of phones in the same area. But we also know a lot about the patterns of shaking that earthquakes produce. Different waves travel at different speeds, cause different types of ground motion, and may be produced at different intensities as the earthquake progresses.

So, the people behind AEA also include a model of earthquakes and seismic wave propagation, and check whether the pattern seen in phones’ accelerometers is consistent with that model. It only triggers an alert when there’s widespread phone activity that matches the pattern expected for an earthquake.

Raising awareness

In practical terms, AEA is distributed as part of the core Android software, and is set to on by default, so it is active in most Android phones. It starts monitoring when the phone has been stationary for a little while, checking for acceleration data that’s consistent with the P or S waves produced by earthquakes. If it gets a match, it forwards the information along with some rough location data (to preserve privacy) to Google servers. Software running on those servers then performs the positional analysis to see if the waves are widespread enough to have been triggered by an earthquake.

If so, it estimates the size and location, and uses that information to estimate the ground motion that will be experienced in different locations. Based on that, AEA sends out one of two alerts, either “be aware” or “take action.” The “be aware” alert is similar to a standard Android notification, but it plays a distinctive sound and is sent to users further from the epicenter. In contrast, the “take action” warning that’s sent to those nearby will display one of two messages in the appropriate language, either “Protect yourself” or “Drop, cover, and hold on.” It ignores any do-not-disturb settings, takes over the entire screen, and also plays a distinct noise.

Nothing Phone 3 review: Nothing ventured, nothing gained


The Nothing Phone 3 is the company’s best phone by a wide margin, but is that enough?

The Nothing Phone 3 has a distinctive design. Credit: Ryan Whitwam

The last few years have seen several smartphone makers pull back or totally abandon their mobile efforts. UK-based Nothing Technologies, however, is still trying to carve out a niche in the increasingly competitive smartphone market. Its tools have been quirky designs and glowing lights, along with a focus on markets outside the US. With the Nothing Phone 3, the company has brought its “first flagship” phone stateside.

Nothing didn’t swing for the fences with the Phone 3’s specs, but this device can hold its own with the likes of OnePlus and Google. Plus, it has that funky Nothing design aesthetic. There’s a transparent back, a tiny dot matrix screen, and a comprehensive Android skin. But at the end of the day, the Nothing Phone 3 is not treading new ground.

Designing Nothing

Despite Nothing’s talk about unique designs, the Nothing Phone 3 looks unremarkable from the front. The bezels are slim and symmetrical all the way around the screen. Under a sheet of Gorilla Glass 7i, it has a 6.67-inch 120Hz OLED screen with an impressive 1260 x 2800 resolution. It hits 4,500 nits of brightness, which is even higher than Google and Samsung phones. It’s more than bright enough to be readable outdoors, and the touch sensitivity is excellent—sometimes too excellent, as we’ve noticed a few accidental edge touches.

Specs at a glance: Nothing Phone 3

SoC: Snapdragon 8s Gen 4
Memory: 12GB, 16GB
Storage: 256GB, 512GB
Display: 1260 x 2800 6.67″ OLED, 120 Hz
Cameras: 50MP primary, f/1.7, OIS; 50MP ultrawide, f/2.2; 50MP 3x telephoto, f/2.7, OIS; 50MP selfie, f/2.2
Software: Android 15, 5 years of OS updates
Battery: 5,150 mAh, 65 W wired charging, 15 W wireless charging
Connectivity: Wi-Fi 7, NFC, Bluetooth 6.0, sub-6 GHz 5G, USB-C 3.2
Measurements: 160.6 x 75.6 x 9 mm; 218 g

Like many other phones, the Nothing Phone 3 has an optical fingerprint sensor under the display. It’s quick and accurate, but it’s a bit too low (barely a pinky finger’s width from the bottom of the device). As an optical sensor, it’s also very bright in a dark room. Similar phones from Google and Samsung have faster and less disruptive ultrasonic fingerprint sensors.

Nothing OS is a great Android skin. Credit: Ryan Whitwam

The overall shape of the phone is almost the same as current Samsung, Apple, and Google phones, but it’s closest to the Pixel 9 series. The IP68-rated body has the same minimalist aesthetic as those other phones, with flat edges and rounded corners. The aluminum frame curves in to merge seamlessly with the front and rear glass panels. It has a matte finish, making it reasonably grippy in the hand. Nothing includes a clear case in the box—we appreciate the effort, but the case feels very cheap and will probably discolor after a couple of months of use.

You won’t see anything extravagant like a headphone jack or IR blaster. The volume and power buttons are flat, tactile, and very stable, with no discernible wiggle. Below the power button is the Essential Key, a convex button that plugs into Nothing’s on-device AI features (more on that later). It’s a delight for button-lovers, but it can be too easy to accidentally press when picking up the phone. And no, you can’t remap the button to do something else.

The Essential Button has a nice feel, but it’s too easy to mistake for the power button. Credit: Ryan Whitwam

It’s not until you get to the back that the Nothing Phone 3 stands out. The back has a clear panel of extra-strong Gorilla Glass Victus, but you’re not seeing the phone’s internals through it. The panels under the glass have slightly different colors and textures and were chosen to create an interesting visual effect. It’s certainly eye-catching, but whether or not you like it is a matter of taste. The camera sensors are near the top in a staggered arrangement, right across from the “Glyph Matrix.”

The monochrome Glyph Matrix is Nothing’s replacement for the Glyph light bars on its older phones. A pressure-sensitive button under the glass can be pressed to switch between various display options, some of which might occasionally be useful, like a clock and battery monitor. There are also less useful “Glyph toys” like a Magic 8-ball, a low-fi mirror, and a Rock, Paper, Scissors simulator. It can also display call and status notifications, for instance letting you know when Do Not Disturb is activated or when you have a missed call. Or you can just turn the phone over and use the full display.

The Glyph matrix is a gimmick, but it does look cool. Credit: Ryan Whitwam

There’s only so much you can do with 489 LEDs and a single button, which makes some of the toys frustrating. For example, you have to long-press to stop the stopwatch, which defeats the purpose, and the selfie mirror is very difficult to use for framing a photo. The Glyph dot matrix is fun to play around with, but it’s just a gimmick. Really, how much time do you spend looking at the back of your phone? Checking the time or playing Rock, Paper, Scissors is not a game-changer, even if the display is visually interesting.

Flagship-ish performance

Nothing says this is a flagship phone, but it doesn’t have Qualcomm’s flagship mobile processor. While you’ll find the Snapdragon 8 Elite in most high-end devices today, Nothing went with the slightly more modest Snapdragon 8s Gen 4. It doesn’t have the Oryon CPU cores, relying instead on eight Arm reference cores, along with a slower GPU.

The Nothing Phone 3 (left) is about the same size and shape as the Pixel 9 Pro XL (right). Credit: Ryan Whitwam

What does that mean for the speeds and feeds? The Nothing Phone 3 doesn’t keep up with high-end devices like the Galaxy S25 in benchmarks, but it’s no slouch, either. In fact, the Snapdragon 8s Gen 4 beats Google’s latest Tensor chip featured in the Pixel 9 series.

As expected, the standard Arm cores fall behind the custom Oryon CPUs in Geekbench, running about 40 percent behind Qualcomm’s best processor. However, the gulf is much narrower in graphics because the Adreno 825 in the Nothing Phone 3 is very similar to the 830 used in Snapdragon 8 Elite phones.

So you could see better gaming performance with a phone like the Galaxy S25 compared to the Nothing Phone 3, but only if you’re playing something very graphically intensive. Even when running these devices side by side, we have a hard time noticing any loss of fidelity on the Nothing Phone 3. It performs noticeably better in high-end games compared to the latest Pixels, though. The Phone 3 maintains performance fairly well under load, only losing 25 to 30 percent at peak temperature. The body of the phone does get uncomfortably hot, but that’s better than overheating the processor.

That modest drop in CPU performance benchmarks does not equate to a poor user experience. The Nothing Phone 3 is very snappy, opening apps quickly and handling rapid multitasking without hesitation. The animations also have a Google level of polish.

Nothing managed to fit a 5,150 mAh battery in this phone, which is a bit larger than even the Galaxy S25 Ultra at 5,000 mAh. The battery life is strong, with the phone easily making it all day—no range anxiety. It won’t last through a second day on a single charge, though. Just like a Pixel or Galaxy phone, you’ll want to plug the Nothing Phone 3 in every night.

But you don’t necessarily have to save your charging for nighttime. The Nothing Phone 3 offers 65 W wired charging, which is much faster than what you get from Google, Samsung, or Apple phones. If the battery gets low, just a few minutes connected to almost any USB-PD charger will get you enough juice to head out the door. You also get 15 W wireless charging, but it doesn’t support the magnetic Qi 2 standard.

We’ve had no problems using the Phone 3 on T-Mobile, and Nothing says AT&T is also fully supported. However, there’s no official support for Verizon. The phone has all the necessary sub-6GHz 5G bands, but you may have trouble activating it as a new device on Verizon’s network.

Upgraded cameras

A camera upgrade was a necessary part of making this device a “flagship” phone, so Nothing equipped the Phone 3 with a solid array of sensors, ensuring you’ll get some good shots. They won’t all be good, though.

The clear glass shows off subtly differing blocks and a button to control the Glyph Matrix display. Credit: Ryan Whitwam

The Nothing Phone 3 has a quartet of 50 MP sensors, including a wide-angle, a 3x telephoto, and an ultrawide on the back. The front-facing selfie camera is also 50 MP. While you can shoot in 50 MP mode, smartphone camera sensors are designed with pixel binning in mind. The phone outputs 12.5 MP images, leaning on merged pixel elements to brighten photos and speed up captures. We’ve found Nothing’s color balance and exposure to be very close to reality, and the dynamic range is good enough that you don’t have to worry about overly bright or dim backgrounds ruining a shot.

The Nothing Phone 3 cameras can produce sharp details, but some images tend to look overprocessed and “muddy.” However, the biggest issue is shutter lag—there’s too much of it. It seems like the phone is taking too long to stack and process images. So even outdoors and with a high shutter speed, a moving subject can look blurry. It’s challenging to snap a clear photo of a hyperactive kid or pet. In low-light settings, the shutter lag becomes worse, making it hard to take a sharp photo. Night mode shots are almost always a bit fuzzy.

Low indoor light. Ryan Whitwam

Photos of still subjects are generally good, and you can get some nice ones with the ultrawide camera. Landscapes look particularly nice, and the camera has autofocus for macro shots. This mode doesn’t activate automatically when you move in, so you have to remember it’s there. It’s worth remembering, though.

The telephoto sensor uses a periscope-style lens, which we usually see on sensors with 5x or higher zoom factors. This one is only 3x, so it will get you somewhat closer to your subject without cropping, but don’t expect the same quality you’d get from a Pixel or Samsung phone.

In its sub-flagship price range, we’d put the Nothing Phone 3 camera experience on par with Motorola. A device like the OnePlus 13R or Pixel 9a will take better pictures, but the Nothing Phone 3 is good enough unless mobile photography is at the top of your requirements.

Great software, plus an AI button

Nothing isn’t beating Samsung to the punch with Android 16—the first new phone to launch with Google’s latest OS will be the Z Fold 7 and Z Flip 7 later this month. Nothing is releasing its phone with Android 15 and Nothing OS 3.5, but an Android 16 update is promised soon. There’s not much in the first Android 16 release to get excited about, though, and in the meantime, Nothing OS is actually quite good.

Nothing’s take on Android makes changes to almost every UI element, which is usually a recipe for Samsung levels of clutter. However, Nothing remains true to its minimalist aesthetic throughout the experience. The icon styling is consistent and attractive, Nothing’s baked-in apps are cohesive, and the software includes some useful home screen options and widgets. Nothing also made a few good functional changes to Android, including a fully configurable quick settings panel and a faster way to clear your recent apps.

We’ve encountered a few minor bugs, like the weather widget that won’t show freedom units and a back gesture that can be a little finicky. Nothing’s Android skin is also very distinctive compared to other OEM themes. Not everyone will like the “dot matrix” vibe of Nothing OS, but it’s one of the more thoughtfully designed Android skins we’ve seen.

Nothing OS has a distinctive look. Credit: Ryan Whitwam

Like every other 2025 smartphone, there’s an AI angle here. Nothing has a tool called Essential Space that ties into the aforementioned Essential Key. When you press the button, it takes a screenshot you can add notes to. It logs that in Essential Space and turns an AI loose on it to glean important details. It can create to-do lists and reminders based on the images, but those suggestions are misses as often as they are hits. There’s also no search function like the Google Pixel Screenshots app, which seems like a mistake. You can hold the Essential Key to record a voice memo, which goes through a similar AI process.

There are also some privacy caveats with Essential Space. The screenshots you save are uploaded to a remote server for processing, but Nothing says it won’t store any of that data. Your voice notes are processed on-device, but it would be nice if images were as well.

Nothing has part of a good idea with its mobile AI implementation, but it’s not as engaging as what we’ve seen from Google. And it’s not as if Google’s use of AI is essential to the mobile experience. The Nothing Phone 3 also gets the standard Gemini integration, and Google’s chatbot will probably get much more use than Essential Space.

Nothing has promised five years of major Android version updates, and there will be two additional years of security patches after that. Nothing is still a very new company, though, and there’s no guarantee it will still be around in seven years. If we assume the best, this is a good update policy, surpassing Motorola and OnePlus but not quite at the level of Google or Samsung, both of which offer seven years of full update support.

Different but not that different

The Nothing Phone 3 is a good smartphone, and it’s probably the best piece of hardware the company has made in its short run. The performance is snappy, the software is thoughtfully designed, and the hardware, while gimmicky, is solid and visually interesting. If you prefer a more understated look or plan to encapsulate your phone in the most durable case you can find, this is not the phone for you.

The Nothing Phone 3 is a rather large, heavy phone. Credit: Ryan Whitwam

Nothing’s Glyph Matrix is fun to play with, but it’s the kind of thing you’ll write off after some time with the phone. You can only play so many games of Rock, Paper, Scissors before the novelty wears off. Nothing is not alone in going down this path—Asus has a dot matrix on its ROG gaming phones, and Xiaomi has slapped full LCDs on the back of a few of its devices. It’s really no different from the days when OEMs tinkered with secondary ticker displays and rear-facing e-paper screens. Those weren’t very useful, either.

Nothing did all it could to make the secondary display attractive, but even if it came up with a truly great idea, there’s little utility in a screen on the back of your phone. The transparent design and dot matrix screen help the phone stand out from the crowd, but not because they’re doing anything radical. This is still a pretty typical glass sandwich smartphone, like most other 2025 offerings.

At $799, the Nothing Phone 3 is competing with devices like the Pixel 9 and OnePlus 13, both of which have it beat in the camera department, and the OnePlus phone is faster. Meanwhile, Google also has better update support. If you buy the Nothing Phone 3, it should be because you genuinely like the hardware and software design, and there’s very little bad to say about Nothing OS. Otherwise, there are better options for the same or less money.

The good

  • Excellent build quality with IP68 rating
  • Nothing OS looks and works great
  • Good performance
  • Glyph Matrix looks cool

The bad

  • Glyph Matrix is an unnecessary gimmick
  • AI features are still not very useful
  • Cameras have noticeable shutter lag
  • Verizon not officially supported


Ryan Whitwam is a senior technology reporter at Ars Technica, covering the ways Google, AI, and mobile technology continue to change the world. Over his 20-year career, he’s written for Android Police, ExtremeTech, Wirecutter, NY Times, and more. He has reviewed more phones than most people will ever own. You can follow him on Bluesky, where you will see photos of his dozens of mechanical keyboards.


Chrome OS is “combining” with Android, but what does that mean?

Android and Chrome OS have been developed in parallel for years, but Google is planning to streamline its operating systems. In a recent interview, Android Ecosystem President Sameer Samat stated bluntly that Android and Chrome OS are merging. This shift, a long time in the making, could give Google more room to maneuver as it plans for new mobile computing experiences.

In the interview, TechRadar’s Lance Ulanoff had other things on his mind, but Samat peppered him with questions about how he uses his Apple devices. “I asked because we’re going to be combining ChromeOS and Android into a single platform, and I am very interested in how people are using their laptops these days and what they’re getting done,” said Samat.

We don’t get back to this point in the remainder of the interview, but it’s probably the most interesting thing Samat said. “Combining” can mean many things, but we can certainly speculate. In this case, it might mean the writing is on the wall for Chrome OS as it currently exists.

Chrome OS definitely had a moment during the pandemic as new remote workers and students sought cheap laptops to get them by. Google worked with multiple OEM partners to promote major Chromebook releases, and Chrome OS itself got big updates. Google expanded the support window to eight years, added Phone Hub integration, enhanced desktop management, added the Chromebook Plus certification for high-end devices, and much more.

Things have stagnated since then—we hardly ever hear Google talk about Chrome OS now. In the age of AI, Google still finds time to talk about Android and add new features to the platform, even if they no longer align with new versions. In fact, Android is becoming a bit more like Chrome OS with the addition of desktop multitasking support, which will roll out in the coming months. So Google is making Android into a more capable desktop OS while Chrome OS stays the course. There have been some reports of Chrome OS essentially becoming Android, going beyond Google’s stated goal of using parts of the Android tech stack on Chromebooks.


Unless users take action, Android will let Gemini access third-party apps

Starting today, Google is implementing a change that will enable its Gemini AI engine to interact with third-party apps, such as WhatsApp, even when users previously configured their devices to block such interactions. Users who don’t want their previous settings to be overridden may have to take action.

An email Google sent recently informing users of the change linked to a notification page that said that “human reviewers (including service providers) read, annotate, and process” the data Gemini accesses. The email provides no useful guidance for preventing the changes from taking effect. The email said users can block the apps that Gemini interacts with, but even in those cases, data is stored for 72 hours.

An email Google recently sent to Android users.


No, Google, it’s not good news

The email never explains how users can fully extricate Gemini from their Android devices and seems to contradict itself on how or whether this is even possible. At one point, it says the changes “will automatically start rolling out” today and will give Gemini access to apps such as WhatsApp, Messages, and Phone “whether your Gemini apps activity is on or off.” A few sentences later, the email says, “If you have already turned these features off, they will remain off.” Nowhere in the email or the support pages it links to are Android users informed how to remove Gemini integrations completely.

Compounding the confusion, one of the linked support pages requires users to open a separate support page to learn how to control their Gemini app settings. Following the directions from a computer browser, I accessed the settings of my account’s Gemini app. I was reassured to see the text indicating no activity has been stored because I have Gemini turned off. Then again, the page also said that Gemini was “not saving activity beyond 72 hours.”


Samsung and Epic Games call a truce in app store lawsuit

Epic Games, buoyed by the massive success of Fortnite, has spent the last few years throwing elbows in the mobile industry to get its app store on more phones. It scored an antitrust win against Google in late 2023, and the following year it went after Samsung for deploying “Auto Blocker” on its Android phones, which would make it harder for users to install the Epic Games Store. Now, the parties have settled the case just days before Samsung will unveil its latest phones.

The Epic Store drama began several years ago when the company defied Google and Apple rules about accepting outside payments in the mega-popular Fortnite. Both stores pulled the app, and Epic sued. Apple emerged victorious, with Fortnite only returning to the iPhone recently. Google, however, lost the case after Epic showed it worked behind the scenes to stymie the development of app stores like Epic’s.

Google is still working to avoid penalties in that long-running case, but Epic thought it smelled a conspiracy last year. It filed a similar lawsuit against Samsung, accusing it of implementing a feature to block third-party app stores. The issue comes down to the addition of a feature to Samsung phones called Auto Blocker, which is similar to Google’s new Advanced Protection in Android 16. It protects against attacks over USB, disables link previews, and scans apps more often for malicious activity. Most importantly, it blocks app sideloading. Without sideloading, there’s no way to install the Epic Games Store or any of the content inside it.


The curious rise of giant tablets on wheels


Not quite a TV, not your average tablet

Hands-on with KTC’s 32-inch Android tablet on a rolling pedestal, the A32Q7 Pro.

KTC’s MegPad 32-inch Android Tablet (A32Q7 Pro). Credit: Scharon Harding

Over the past few years, LG has set off a strange tech trend that’s been rolling onto devices sold across Amazon and other online electronics retailers.

In 2022, the company launched the StanbyME, which is essentially a $1,000 27-inch tablet running LG’s smart TV operating system (OS), webOS, but lacking a tuner. LG’s press release announcing the device described it as a “wireless private TV screen with a built-in battery” that is easily portable and ideal for watching shows and movies, in addition to “video conferencing with family and coworkers and viewing online lectures.”

Today, the StanbyME competes against a slew of similar devices, including some from Samsung, but mostly from smaller brands and running Android.

I’ve had one of these devices, the KTC MegPad 32-inch Android Tablet (A32Q7 Pro), rolling around my home for a few weeks, and I’m left curious about what’s driving the growth of StanbyME-like devices, which are noticeably niche and expensive. I’m also uncertain whether these hybrid devices have an ongoing place in a consumer tech world already inundated with big-screen TVs, small-screen tablets, and beloved laptops.

Hands-on

Unlike LG’s StanbyME, KTC’s device doesn’t run a smart TV OS. Instead, it’s a 32-inch Android 13 tablet. Still, KTC heavily markets the MegPad’s ability to serve as streaming hardware, and that’s one of the best uses I found for it.

A big ol’ tablet on wheels. Scharon Harding

Treating the MegPad like a smart TV on wheels meant I could have a living-room-like experience in more places throughout my home. I could watch TV in bed with a more visible screen set at a more comfortable distance than what I’d achieve with a laptop or tablet. It also meant flexibility. I don’t like having a permanent TV in my room (how would I ever get out of bed?), so I appreciated the ability to roll the MegPad out of my room or twist it so that the screen faced away from me.

The MegPad is also a diplomatic solution for homes with limited TVs or computers. This could be helpful for homes with kids with varied interests or in my home, where a speedy, 55-inch TV in the living room is the best screen available by far. I was able to let my partner take the big screen for gaming and still hang out nearby while streaming on the MegPad. I don’t have a central coffee table in my living room, but the mobile tablet enabled me to watch shows without a device weighing down my lap or making me connect a wireless speaker for better volume.

KTC’s device also has a helpful leg-up over LG’s StanbyME via its HDMI port, which makes the MegPad work like a regular monitor. Determining where to safely rest a device tethered to this mobile machine is something you’ll have to figure out on your own, though.

The port selection on the panel’s backside. Credit: Scharon Harding

Compared to the TV mounted on my living room wall, the MegPad is much easier to move from room to room, but it’s easy to overestimate how seamless transporting it is. Yes, it’s on a set of five 360-degree wheels, but the wheels don’t lock, and the device weighs 40.3 pounds, per its Amazon listing. That means I had to exert a decent amount of effort to move it over floor transition strips, across uneven floors, and from hardwood to carpet.

The charging port and power button are on the stand’s base. Credit: Scharon Harding

A fully rotating screen, however, makes up for some of my mobility complaints and diversifies the MegPad’s potential uses. Besides streaming, for example, the MegPad was great for watching yoga videos online (which calls for viewing the screen from different heights and positions). It also proved to be an ideal setup for creating a large, print-out collage, which included a lot of dragging, dropping, and cropping of images.

How the MegPad moves. Credit: KTC

Not a real TV

You can do a lot with a sizeable Android tablet. But with TV and movie watching being some of the most obvious uses, it’s important to note that neither the MegPad nor any of its rollable rivals are real TVs.

For one, there’s no tuner, though in the streaming world, that matters less to many of today’s TV viewers.

Further, the MegPad, like many StanbyME-like devices, uses Android 13, which doesn’t require paying vendor licensing fees the way purpose-built smart TV OSes, such as Android TV/Google TV and webOS, would. There are some benefits to that, though.

To start, Android 13 doesn’t have the integrated ads that Android TV or the Google TV interface does. Google claims that the Google TV platform doesn’t use automatic content recognition (ACR), but as Consumer Reports has noted, Google collects “data from TVs that use its smart TV platform—and there’s no opting out of Google’s policies during setup if you want smart TV functionality.” Further, Google may combine that data with user data from third parties for advertising purposes. A spokesperson for KTC confirmed to me that the MegPad doesn’t use ACR.

As a tablet, the MegPad is compatible with more apps, many of which aren’t supported by Google TVs, like Google Sheets, Microsoft Word, Reddit, and Signal.

Android tablets are also more appropriate for storing documents, photos, and other files than smart TVs are. Although it’s likely less roomy than your PC, the MegPad has 128GB of internal storage.

But since this is an Android tablet and not a Google TV, there are no integrated channels and no live-TV-only option, which stops the device from collecting diagnostic information. Google TV would also include a more streaming-friendly user interface and the ability to watch content from different streaming providers without switching apps.

Further differing from LG’s StanbyME and real TVs, the MegPad doesn’t include a traditional remote. The tablet comes with a basic Bluetooth mouse, but due to the tablet’s portability, I frequently used the tablet without a flat surface within arm’s reach available for comfortable mouse control. The touchscreen is reliable, but gestures can be cumbersome on a tablet this large, and the display was often out of my hand’s reach.

The tablet comes with this mouse and removable mouse stand. Credit: Scharon Harding

The new portable TV?

With TVs getting larger and people turning to portable gadgets like phones and laptops for TV watching, true portable TVs have become a rarity. Demand for a small device dedicated to on-the-go TV viewing has dropped significantly since the last century. Meanwhile, fabs and supply chains are built around monitor and TV-sized displays, making it difficult to incorporate some of the most desirable display technologies, like OLED, into smaller-sized panels with competitive prices.

As a result, devices like the MegPad and Amazon’s Echo Show have become the new de facto stand-ins for portable TVs, even though they’re not true TV sets. Even LG’s StanbyME Go, a 27-inch webOS-powered display packed into a briefcase, is a far cry from what most of us would traditionally consider a portable TV.

LG’s StanbyMe GO. Credit: LG

Again, these tablets have more versatility than the small, telescoping-antenna-equipped boxes you used to stick on your kitchen counter or hand to a hyper kid during road trips. But they also require a reliance on Big Tech software and all the privacy and ethical implications that come with that.

You don’t see many of these anymore. From left to right: Casio EV 570, Sony Watchman, and Casio EV 660. Credit: Richard Derk/Los Angeles Times via Getty Images

KTC also sees the MegPad’s appeal as a pseudo-TV. The MegPad’s product page emphasizes users’ ability to “watch favorite shows/movies directly—no PC needed” and to “stream Netflix [and] YouTube… more effortlessly on your smart TV.” Its Amazon product page also promotes the keywords “portable TV,” “rolling TV,” “mobile TV,” and “standing TV.” This is all despite the MegPad not technically being a true TV.

“KTC defines the MegPad A32Q7Pro as a portable, smart, touchscreen monitor,” KTC’s spokesperson told me. “It combines key traits of a smart display and a large-screen tablet. While it shares some features with smart TVs, tablets, and monitors, it doesn’t fully belong to any single traditional category. It’s a hybrid device designed to bridge those use cases.”

Android tablets on wheels

Many devices like the MegPad represent a push for more Android-powered, non-Google devices that has been buoyed by a program that Google launched in 2022, the Enterprise Devices Licensing Agreement (EDLA).

As explained by partners like BenQ, EDLA is a way for third parties to incorporate Google Mobile Services (GMS), which are Google’s most commonly used apps and APIs bundled for use across different types of devices. GMS apps include popular software like Google Drive, Gmail, the Google Play Store, and YouTube.

“Previously, GMS was only officially available for smartphones, tablets, TVs, and wearables. Under the new EDLA, the list of devices eligible for GMS certification has now been expanded to include enterprise solutions such as smart boards,” a blog from BenQ, which has EDLA-certified smart displays, reads.

Since 2022 (the year LG’s StanbyME launched), there has been an uptick in non-Google devices with this EDLA certification. One of the categories taking advantage of the newer program is tablets on wheels, like the MegPad and similar options from Kefeya, Apolosign, Innocn, and DuraPro.

Demonstrating the marketing value of EDLA certification, the MegPad’s product page reads: “Google EDLA certification provides secure, direct access to Google services and the Google Play Store with regular updates, offering greater stability and data protection than open app ecosystems with unverified apps.”

Most EDLA-certified devices seem to be interactive displays used for education. With EDLA certification, devices like the MegPad may also draw the attention of educators or even businesses. Meanwhile, Google is happy to hand out EDLA certifications, as they can drive Android adoption, giving Google more data and access to customers outside of the typical Android devices, such as phones. Products like the MegPad can also be easier to shop with (Google loves when people use its offerings to shop) than Android devices with smaller screens.

Who’s this for?

I’ve been fascinated by the MegPad and similar devices because they introduce a unique approach to streaming, web browsing, and productivity. But ultimately, they’re hard to recommend when there are other personal gadgets that are more affordable and often take up less space.

I had fun with the MegPad and appreciated the flexibility it offered, especially in my smaller NYC home. There are some specific use cases where products like this could excel, like if you want to bring a computer or screen into a room that doesn’t always need one. It was also helpful as an entertainment center for my father post-surgery, when he primarily had to lie on one side in bed.

Overall, the growing presence of devices like the MegPad underscores a confluence occurring between smart TVs, tablets, monitors, and smart displays. With software being forced into more types of displays, often in the interest of gathering more user data, it’s an interesting time to consider what you want from your next screen—be it computing power, a certain size, the omission or inclusion of web connectivity, and mobility.

It appears that the MegPad and similar tablets are trying to take advantage of the attention that LG garners when launching distinctive devices like its StanbyME line. Besides a StanbyME lookalike, Apolosign also makes a device similar to the StanbyME Go.


Apolosign’s PackGo is very similar to LG’s StanbyME Go. Credit: Apolosign

Three years after LG made TV-esque devices on wheels a talking point, more brands are trying to roll into the market. That includes LG’s best TV frenemy, Samsung, which has been using the form factor in limited geographies to drive sales of “smart monitors.”

Tech brands have ulterior motives for pushing this newer form factor that go beyond filling a gap in consumer gadgets. But if a large tablet or small smart display with wheels fits your needs, the options are there, and they should meet most expectations.


Scharon is a Senior Technology Reporter at Ars Technica writing news, reviews, and analysis on consumer gadgets and services. She’s been reporting on technology for over 10 years, with bylines at Tom’s Hardware, Channelnomics, and CRN UK.


Provider of covert surveillance app spills passwords for 62,000 users

The maker of a phone app that is advertised as providing a stealthy means for monitoring all activities on an Android device spilled email addresses, plain-text passwords, and other sensitive data belonging to 62,000 users, a researcher discovered recently.

A security flaw in the app, branded Catwatchful, allowed researcher Eric Daigle to download a trove of sensitive data, which belonged to account holders who used the covert app to monitor phones. The leak, made possible by a SQL injection vulnerability, allowed anyone who exploited it to access the accounts and all data stored in them.

Unstoppable

Catwatchful creators emphasize the app’s stealth and security. While the promoters claim the app is legal and intended for parents monitoring their children’s online activities, the emphasis on stealth has raised concerns that it’s being aimed at people with other agendas.

“Catwatchful is invisible,” a page promoting the app says. “It cannot be detected. It cannot be uninstalled. It cannot be stopped. It cannot be closed. Only you can access the information it collects.”

The promoters go on to say users “can monitor a phone without [owners] knowing with mobile phone monitoring software. The app is invisible and undetectable on the phone. It works in a hidden and stealth mode.”
