There’s a prominent “AI generated weather report” on top of the weather stack, which is a combination of summary and familiarity. “Cold and rainy day, bring your umbrella and hold onto your hat!” is Google’s example; I can’t provide another one, because an update to “Gemini Nano” is pending.
Credit: Kevin Purdy
You can see weather radar for your location, along with forecasted precipitation movement. The app offers “Nowcasting” precipitation guesses, like “Rain continuing for 2 hours” or “Light rain in 10 minutes.”
Credit: Kevin Purdy
The best feature, one seen on the version of Weather that shipped to the Pixel Tablet and Fold, is that you can rearrange the order of data shown on your weather screen. I moved the UV index, humidity, sunrise/sunset, and wind conditions as high as they could go on my setup. It’s a trade-off, because the Weather app’s data widgets are so big as to require scrolling to get the full picture of a day, and you can’t move the AI summary or 10-day forecast off the top. But if you only need a few numbers and like a verbal summary, it’s handy.
Sadly, if you’re an allergy sufferer and you’re not in the UK, Germany, France, or Italy, Google can’t offer you any pollen data or forecasts. There is also, I am sad to say, no frog.
Google’s Weather app isn’t faring so well with Play Store reviewers. Users are miffed that they can’t see a location’s weather without adding it to their saved locations list; that other Google apps, including the “At a Glance” app on every Pixel’s default launcher, send you to the Google app’s summary instead of this app; the look of the weather map; and, most of all, that it does not show up in some phones’ app list, but only as a widget.
Much of the new obfuscation is the result of hiding malicious code in a dynamically decrypted and loaded .dex file of the apps. As a result, Zimperium initially believed the malicious apps they were analyzing were part of a previously unknown malware family. Then the researchers dumped the .dex file from an infected device’s memory and performed static analysis on it.
“As we delved deeper, a pattern emerged,” Ortega wrote. “The services, receivers, and activities closely resembled those from an older malware variant with the package name com.secure.assistant.” That package allowed the researchers to link it to the FakeCall Trojan.
Many of the new features don’t appear to be fully implemented yet. Besides the obfuscation, other new capabilities include:
Bluetooth Receiver
This receiver functions primarily as a listener, monitoring Bluetooth status and changes. Notably, there is no immediate evidence of malicious behavior in the source code, raising questions about whether it serves as a placeholder for future functionality.
Screen Receiver
Similar to the Bluetooth receiver, this component only monitors the screen’s state (on/off) without revealing any malicious activity in the source code.
Accessibility Service
The malware incorporates a new service inherited from the Android Accessibility Service, granting it significant control over the user interface and the ability to capture information displayed on the screen. The decompiled code shows methods such as onAccessibilityEvent() and onCreate() implemented in native code, obscuring their specific malicious intent.
While the provided code snippet focuses on the service’s lifecycle methods implemented in native code, earlier versions of the malware give us clues about possible functionality:
Monitoring Dialer Activity: The service appears to monitor events from the com.skt.prod.dialer package (the stock dialer app), potentially allowing it to detect when the user is attempting to make calls using apps other than the malware itself.
Automatic Permission Granting: The service seems capable of detecting permission prompts from the com.google.android.permissioncontroller (system permission manager) and com.android.systemui (system UI). Upon detecting specific events (e.g., TYPE_WINDOW_STATE_CHANGED), it can automatically grant permissions for the malware, bypassing user consent.
Remote Control: The malware enables remote attackers to take full control of the victim’s device UI, allowing them to simulate user interactions, such as clicks, gestures, and navigation across apps. This capability enables the attacker to manipulate the device with precision.
Phone Listener Service
This service acts as a conduit between the malware and its Command and Control (C2) server, allowing the attacker to issue commands and execute actions on the infected device. Like its predecessor, the new variant provides attackers with a comprehensive set of capabilities (see the table below). Some functionalities have been moved to native code, while others are new additions, further enhancing the malware’s ability to compromise devices.
The Kaspersky post from 2022 said that the only language supported by FakeCall was Korean and that the Trojan appeared to target several specific banks in South Korea. Last year, researchers from security firm ThreatFabric said the Trojan had begun supporting English, Japanese, and Chinese, although there were no indications people speaking those languages were actually targeted.
Android 15 started rolling out to Pixel devices Tuesday and will arrive, through various third-party efforts, on other Android devices at some point. There is always a bunch of little changes to discover in an Android release, whether by reading, poking around, or letting your phone show you 25 new things after it restarts.
In Android 15, some of the most notable involve making your device less appealing to snoops and thieves and more secure against the kids to whom you hand your phone to keep them quiet at dinner. There are also smart fixes for screen sharing, OTP codes, and cellular hacking prevention, but details about them are spread across Google’s own docs and blogs and various news site’s reports.
Here’s what is notable and new in how Android 15 handles privacy and security.
Private Space for apps
In the Android 15 settings, you can find “Private Space,” where you can set up a separate PIN code, password, biometric check, and optional Google account for apps you don’t want to be available to anybody who happens to have your phone. This could add a layer of protection onto sensitive apps, like banking and shopping apps, or hide other apps for whatever reason.
In your list of apps, drag any app down to the lock space that now appears in the bottom right. It will only be shown as a lock until you unlock it; you will then see the apps available in your new Private Space. After that, you should probably delete it from the main app list. Dave Taylor has a rundown of the process and its quirks.
It’s obviously more involved than Apple’s “Hide and Require Face ID” tap option but with potentially more robust hiding of the app.
Hiding passwords and OTP codes
A second form of authentication is good security, but allowing apps to access the notification text with the code in it? Not so good. In Android 15, a new permission, likely to be given only to the most critical apps, prevents the leaking of one-time passcodes (OTPs) to other apps waiting for them. Sharing your screen will also hide OTP notifications, along with usernames, passwords, and credit card numbers.
Google called the DOJ extending search remedies to AI “radical,” an “overreach.”
The US Department of Justice finally proposed sweeping remedies to destroy Google’s search monopoly late yesterday, and, predictably, Google is not loving any of it.
On top of predictable asks—like potentially requiring Google to share search data with rivals, restricting distribution agreements with browsers like Firefox and device makers like Apple, and breaking off Chrome or Android—the DOJ proposed remedies to keep Google from blocking competition in “the evolving search industry.” And those extra steps threaten Google’s stake in the nascent AI search world.
This is only the first step in the remedies stage of litigation, but Google is already showing resistance to both expected and unexpected remedies that the DOJ proposed. In a blog from Google’s vice president of regulatory affairs, Lee-Anne Mulholland, the company accused the DOJ of “overreach,” suggesting that proposed remedies are “radical” and “go far beyond the specific legal issues in this case.”
From here, discovery will proceed as the DOJ makes a case to broaden the scope of proposed remedies and Google raises its defense to keep remedies as narrowly tailored as possible. After that phase concludes, the DOJ will propose its final judgement on remedies in November, which must be fully revised by March 2025 for the court to then order remedies.
Even then, however, the trial is unlikely to conclude, as Google plans to appeal. In August, Mozilla’s spokesperson told Ars that the trial could drag on for years before any remedies are put in place.
In the meantime, Google plans to continue focusing on building out its search empire, Google’s president of global affairs, Kent Walker, said in August. This presumably includes innovations in AI search that the DOJ fears may further entrench Google’s dominant position.
Scrutiny of Google’s every move in the AI industry will likely only be heightened in that period. As Google has already begun seeking exclusive AI deals with companies like Apple, it risks appearing to engage in the same kinds of anti-competitive behavior in AI markets as the court has already condemned. And giving that impression could not only impact remedies ordered by the court, but also potentially weaken Google’s chances of winning on appeal, Lee Hepner, an antitrust attorney monitoring the trial for the American Economic Liberties Project, told Ars.
Ending Google’s monopoly starts with default deals
In the DOJ’s proposed remedy framework, the DOJ says that there’s still so much more to consider before landing on final remedies that it reserves “the right to add or remove potential proposed remedies.”
Through discovery, DOJ said that it plans to continue engaging experts and stakeholders “to learn not just about the relevant markets themselves but also about adjacent markets as well as remedies from other jurisdictions that could affect or inform the optimal remedies in this action.
“To be effective, these remedies… must include some degree of flexibility because market developments are not always easy to predict and the mechanisms and incentives for circumvention are endless,” the DOJ said.
Ultimately, the DOJ said that any remedies sought should be “mutually reinforcing” and work to “unfetter” Google’s current monopoly in general search services and general text advertising markets. That effort would include removing barriers to competition—like distribution and revenue-sharing agreements—as well as denying Google monopoly profits and preventing Google from monopolizing “related markets in the future,” the DOJ said.
Any effort to undo Google’s monopoly starts with ending Google’s control over “the most popular distribution channels,” the DOJ said. At one point during the trial, for example, a witness accidentally blurted out that Apple gets a 36 percent cut from its Safari deal with Google. Lucrative default deals like that leave rivals with “little-to-no incentive to compete for users,” the DOJ said.
“Fully remedying these harms requires not only ending Google’s control of distribution today, but also ensuring Google cannot control the distribution of tomorrow,” the DOJ warned.
To dislodge this key peg propping up Google’s search monopoly, some options include ending Google’s default deals altogether, which would “limit or prohibit default agreements, preinstallation agreements, and other revenue-sharing arrangements related to search and search-related products, potentially with or without the use of a choice screen.”
A breakup could be necessary
Behavior and structural remedies may also be needed, the DOJ proposed, to “prevent Google from using products such as Chrome, Play, and Android to advantage Google search and Google search-related products and features—including emerging search access points and features, such as artificial intelligence—over rivals or new entrants.” That could mean spinning off the Chrome browser or restricting Google from preinstalling its search engine as the default in Chrome or on Android devices.
In her blog, Mulholland conceded that “this case is about a set of search distribution contracts” but claimed that “overbroad restrictions on distribution contracts” would create friction for Google users and “reduce revenue for companies like Mozilla” as well as Android smart phone makers.
Asked to comment on supposedly feared revenue losses, a Mozilla spokesperson told Ars, “[We are] closely monitoring the legal process and considering its potential impact on Mozilla and how we can positively influence the next steps. Mozilla has always championed competition and choice online, particularly in search. Firefox continues to offer a range of search options, and we remain committed to serving our users’ preferences while fostering a competitive market.”
Mulholland also warned that “splitting off” Chrome or Android from Google’s search business “would break them” and potentially “raise the cost of devices,” because “few companies would have the ability or incentive to keep them open source, or to invest in them at the same level we do.”
“We’ve invested billions of dollars in Chrome and Android,” Mulholland wrote. “Chrome is a secure, fast, and free browser and its open-source code provides the backbone for numerous competing browsers. Android is a secure, innovative, and free open-source operating system that has enabled vast choice in the smartphone market, helping to keep the cost of phones low for billions of people.”
Google has long argued that its investment in open source Chrome and Android projects benefits developers whose businesses and customers would be harmed if those efforts lost critical funding.
“Features like Chrome’s Safe Browsing, Android’s security features, and Play Protect benefit from information and signals from a range of Google products and our threat-detection expertise,” Mulholland wrote. “Severing Chrome and Android would jeopardize security and make patching security bugs harder.”
Hepner told Ars that Android could potentially thrive if broken off from Google, suggesting that through discovery, it will become clearer what would happen if either Google product was severed from the company.
“I think others would agree that Android is a company that is capable [being] a standalone entity,” Hepner said. “It could be independently monetized through relationships with device manufacturers, web browsers, alternative Play Stores that are not under Google’s umbrella. And that if that were the case, what you would see is that Android and the operating system marketplace begins to evolve to meet the needs and demands of innovative products that are not being created just by Google. And you’ll see that dictating the evolution of the marketplace and fundamentally the flow of information across our society.”
Mulholland also claimed that sharing search data with rivals risked exposing users to privacy and security risks, but the DOJ vowed to be “mindful of potential user privacy concerns in the context of data sharing” while distinguishing “genuine privacy concerns” from “pretextual arguments” potentially misleading the court regarding alleged risks.
One possible way around privacy concerns, the DOJ suggested, would be prohibiting Google from collecting the kind of sensitive data that cannot be shared with rivals.
Finally, to stop Google from charging supra-competitive prices for ads, the DOJ is “evaluating remedies” like licensing or syndicating Google’s ad feed “independent of its search results.” Further, the DOJ may require more transparency, forcing Google to provide detailed “search query reports” featuring currently obscured “information related to its search text ads auction and ad monetization.”
Stakeholders were divided on whether the DOJ’s initial framework is appropriate.
Matt Schruers, the CEO of a trade association called the Computer & Communications Industry Association (which represents Big Tech companies like Google), criticized the DOJ’s “hodgepodge of structural and behavioral remedies” as going “far beyond” what’s needed to address harms.
“Any remedy should be narrowly tailored to address specific conduct, which in this case was a set of search distribution contracts,” Schruers said. “Instead, the proposed DOJ remedies would reshape numerous industries and products, which would harm consumers and innovation in these dynamic markets.”
But a senior vice president of public affairs for Google search rival DuckDuckGo, Kamyl Bazbaz, praised the DOJ’s framework as being “anchored to the court’s ruling” and appropriately broad.
“This proposal smartly takes aim at breaking Google’s illegal hold on the general search market now and ushers in a new era of enduring competition moving forward,” Bazbaz said. “The framework understands that no single remedy can undo Google’s illegal monopoly, it will require a range of behavioral and structural remedies to free the market.”
Bazbaz expects that “Google is going to use every resource at its disposal to discredit this proposal,” suggesting that “should be taken as a sign this framework can create real competition.”
AI deals could weaken Google’s appeal, expert says
Google appears particularly disturbed by the DOJ’s insistence that remedies must be forward-looking and prevent Google from leveraging its existing monopoly power “to feed artificial intelligence features.”
As Google sees it, the DOJ’s attempt to attack Google’s AI business “comes at a time when competition in how people find information is blooming, with all sorts of new entrants emerging and new technologies like AI transforming the industry.”
But the DOJ has warned that Google’s search monopoly potentially feeding AI features “is an emerging barrier to competition and risks further entrenching Google’s dominance.”
The DOJ has apparently been weighing some of the biggest complaints about Google’s AI training when mulling remedies. That includes listening to frustrated site owners who can’t afford to block Google from scraping data for AI training because the same exact crawler indexes their content in Google search results. Those site owners have “little choice” but to allow AI training or else sacrifice traffic from Google search, The Seattle Times reported.
Remedy options may come with consequences
Remedies in the search trial might change that. In their proposal, the DOJ said it’s considering remedies that would “prohibit Google from using contracts or other practices to undermine rivals’ access to web content and level the playing field by requiring Google to allow websites crawled for Google search to opt out of training or appearing in any Google-owned artificial-intelligence product or feature on Google search,” such as Google’s controversial AI summaries.
Hepner told Ars that “it’s not surprising at all” that remedies cover both search and AI because “at the core of Google’s monopoly power is its enormous scale and access to data.”
“The Justice Department is clearly thinking creatively,” Hepner said, noting that “the ability for content creators to opt out of having their material and work product used to train Google’s AI systems is an interesting approach to depriving Google of its immense scale.”
The DOJ is also eyeing controls on Google’s use of scale to power AI advertising technologies like Performance Max to end Google’s supracompetitive pricing on text ads for good.
It’s critical to think about the future, the DOJ argued in its framework, because “Google’s anticompetitive conduct resulted in interlocking and pernicious harms that present unprecedented complexities in a highly evolving set of markets”—not just in the markets where Google holds monopoly powers.
Google disagrees with this alleged “government overreach.”
“Hampering Google’s AI tools risks holding back American innovation at a critical moment,” Mulholland warned, claiming that AI is still new and “competition globally is fierce.”
“There are enormous risks to the government putting its thumb on the scale of this vital industry—skewing investment, distorting incentives, hobbling emerging business models—all at precisely the moment that we need to encourage investment, new business models, and American technological leadership,” Mulholland wrote.
Hepner told Ars that he thinks that the DOJ’s proposed remedies framework actually “meets the moment and matches the imperative to deprive Google of its monopoly hold on the search market, on search advertising, and potentially on future related markets.”
To ensure compliance with any remedies pursued, the DOJ also recommended “protections against circumvention and retaliation, including through novel paths to preserving dominance in the monopolized markets.”
That means Google might be required to “finance and report to a Court-appointed technical committee” charged with monitoring any Google missteps. The company may also have to agree to retain more records for longer—including chat messages that the company has been heavily criticized for deleting. And through this compliance monitoring, Google may also be prohibited from owning a large stake in any rivals.
If Google were ever found willfully non-compliant, the DOJ is considering a “range of provisions,” including risking more extreme structural or behavioral remedies or enduring extensions of compliance periods.
As the remedies stage continues through the spring, followed by Google’s prompt appeal, Hepner suggested that the DOJ could fight to start imposing remedies before the appeal concludes. Likely Google would just as strongly fight for any remedies to be delayed.
While the trial drags on, Hepner noted that Google already appears to be trying to strike another default deal with Apple that appears pretty similar to the controversial distribution deals at the heart of the search monopoly trial. In March, Apple started mulling using Google’s Gemini to exclusively power new AI features for the iPhone.
“This is basically the exact same anticompetitive behavior that they were found liable for,” Hepner told Ars, suggesting this could “weaken” Apple’s defense both against the DOJ’s broad framework of proposed remedies and during the appeal.
“If Google is actually engaging in the same anti-competitive conduct and artificial intelligence markets that they were found liable for in the search market, the court’s not going to look kindly on that relative to an appeal,” Hepner said.
Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.
Thunderbird’s Android app, which is actually the K-9 Mail project reborn, is almost out. You can check it out a bit early in a beta that will feel pretty robust to most users.
Thunderbird, maintained by the Mozilla Foundation subsidiary MZLA, acquired the source code and naming rights to K-9 Mail, as announced in June 2022. The group also brought K-9 maintainer Christian Ketterer (or “cketti”) onto the project. Their initial goals, before a full rebrand into Thunderbird, involved importing Thunderbird’s automatic account setup, message filters, and mobile/desktop Thunderbird syncing.
At the tail end of 2023, however, Ketterer wrote on K-9’s blog that the punchlist of items before official Thunderbird-dom was taking longer than expected. But when it’s fully released, Thunderbird for Android will have those features. As such, beta testers are asked to check out a specific list of things to see if they work, including automatic setup, folder management, and K-9-to-Thunderbird transfer. The beta will not be “addressing longstanding issues,” Thunderbird’s blog post notes.
Launching Thunderbird for Android from K-9 Mail’s base makes a good deal of sense. Thunderbird’s desktop client has had a strange, disjointed life so far and is only just starting to regain a cohesive vision for what it wants to provide. For a long time now, K-9 Mail has been the Android email of choice for people who don’t want Gmail or Outlook, will not tolerate the default “Email” app on non-Google-blessed Android systems, and just want to see their messages.
“Picture a massive football stadium filled with fans month after month,” Reichenstein wrote to Ars. In that stadium, he writes:
5 percent (max) have a two-week trial ticket
2 percent have a yearly ticket
0.5 percent have a monthly ticket
0.5 percent are buying “all-time” tickets
But even if every lifetime ticket buyer showed up at once, that’s 10 percent of the stadium, Reichenstein said. Even without full visibility of every APK—”and what is happening in China at all,” he wrote—iA can assume 90 percent of users are “climbing over the fence.”
“Long story short, that’s how you can end up with 50,000 users and only 1,000 paying you,” Reichenstein wrote in the blog post.
Piracy doesn’t just mean lost revenue, Reichenstein wrote, but also increased demands for support, feature requests, and chances for bad ratings from people who never pay. And it builds over time. “You sell less apps through the [Play Store], but pirated users keep coming in because pirate sites don’t have such reviews. Reviews don’t matter much if the app is free.”
The iA numbers on macOS hint at a roughly 10 percent piracy rate. On iOS, it’s “not 0%,” but it’s “very, very hard to say what the numbers are”; there is also no “reset trick” or trials offered there.
A possible future unfreezing
Reichenstein wrote in the post and to Ars that sharing these kinds of numbers can invite critique from other app developers, both armchair and experienced. He’s seen that happening on Mastodon, Hacker News, and X (formerly Twitter). But “critical people are useful,” he noted, and he’s OK with people working backward to figure out how much iA might have made. (Google did not offer comment on aspects of iA’s post outside discussing Drive access policy.)
iA suggests that it might bring back Writer on Android, perhaps in a business-to-business scenario with direct payments. For now, it’s a slab of history, albeit far less valuable to the metaphorical Darth Vader that froze it.
Five years ago, researchers made a grim discovery—a legitimate Android app in the Google Play market that was surreptitiously made malicious by a library the developers used to earn advertising revenue. With that, the app was infected with code that caused 100 million infected devices to connect to attacker-controlled servers and download secret payloads.
Now, history is repeating itself. Researchers from the same Moscow, Russia-based security firm reported Monday that they found two new apps, downloaded from Play 11 million times, that were infected with the same malware family. The researchers, from Kaspersky, believe a malicious software developer kit for integrating advertising capabilities is once again responsible.
Clever tradecraft
Software developer kits, better known as SDKs, are apps that provide developers with frameworks that can greatly speed up the app-creation process by streamlining repetitive tasks. An unverified SDK module incorporated into the apps ostensibly supported the display of ads. Behind the scenes, it provided a host of advanced methods for stealthy communication with malicious servers, where the apps would upload user data and download malicious code that could be executed and updated at any time.
The stealthy malware family in both campaigns is known as Necro. This time, some variants use techniques such as steganography, an obfuscation method rarely seen in mobile malware. Some variants also deploy clever tradecraft to deliver malicious code that can run with heightened system rights. Once devices are infected with this variant, they contact an attacker-controlled command-and-control server and send web requests containing encrypted JSON data that reports information about each compromised device and application hosting the module.
The server, in turn, returns a JSON response that contains a link to a PNG image and associated metadata that includes the image hash. If the malicious module installed on the infected device confirms the hash is correct, it downloads the image.
The SDK module “uses a very simple steganographic algorithm,” Kaspersky researchers explained in a separate post. “If the MD5 check is successful, it extracts the contents of the PNG file—the pixel values in the ARGB channels—using standard Android tools. Then the getPixel method returns a value whose least significant byte contains the blue channel of the image, and processing begins in the code.”
The researchers continued:
If we consider the blue channel of the image as a byte array of dimension 1, then the first four bytes of the image are the size of the encoded payload in Little Endian format (from the least significant byte to the most significant). Next, the payload of the specified size is recorded: this is a JAR file encoded with Base64, which is loaded after decoding via DexClassLoader. Coral SDK loads the sdk.fkgh.mvp.SdkEntry class in a JAR file using the native library libcoral.so. This library has been obfuscated using the OLLVM tool. The starting point, or entry point, for execution within the loaded class is the run method.
Follow-on payloads that get installed download malicious plugins that can be mixed and matched for each infected device to perform a variety of different actions. One of the plugins allows code to run with elevated system rights. By default, Android bars privileged processes from using WebView, an extension in the OS for displaying webpages in apps. To bypass this safety restriction, Necro uses a hacking technique known as a reflection attack to create a separate instance of the WebView factory.
This plugin can also download and run other executable files that will replace links rendered through WebView. When running with the elevated system rights, these executables have the ability to modify URLs to add confirmation codes for paid subscriptions and download and execute code loaded at links controlled by the attacker. The researchers listed five separate payloads they encountered in their analysis of Necro.
The modular design of Necro opens myriad ways for the malware to behave. Kaspersky provided the following image that provides an overview.
The researchers found Necro in two Google Play apps. One was Wuta Camera, an app with 10 million downloads to date. Wuta Camera versions 6.3.2.148 through 6.3.6.148 contained the malicious SDK that infects apps. The app has since been updated to remove the malicious component. A separate app with roughly 1 million downloads—known as Max Browser—was also infected. That app is no longer available in Google Play.
The researchers also found Necro infecting a variety of Android apps available in alternative marketplaces. Those apps typically billed themselves as modified versions of legitimate apps such as Spotify, Minecraft, WhatsApp, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.
People who are concerned they may be infected by Necro should check their devices for the presence of indicators of compromise listed at the end of this writeup.
Enlarge/ Emojipedia sample images of the new Unicode 16.0 emoji.
The Unicode Consortium has finalized and released version 16.0 of the Unicode standard, the elaborate character set that ensures that our phones, tablets, PCs, and other devices can all communicate and interoperate with each other. The update adds 5,185 new characters to the standard, bringing the total up to a whopping 154,998.
Of those 5,185 characters, the ones that will get the most attention are the eight new emoji characters, including a shovel, a fingerprint, a leafless tree, a radish (formally classified as “root vegetable”), a harp, a purple splat that evokes the ’90s Nickelodeon logo, and a flag for the island of Sark. The standout, of course, is “face with bags under eyes,” whose long-suffering thousand-yard stare perfectly encapsulates the era it has been born into. Per usual, Emojipedia has sample images that give you some idea of what these will look like when they’re implemented by various operating systems, apps, and services.
We last got new emoji in 2023’s Unicode 15.1 update, though all of these designs were technically modifications of existing emoji rather than new characters—many emoji, most notably for skin and hair color variants, use a base emoji plus a modifier emoji, combined together with a “zero-width joiner” (ZWJ) character that makes them display as one character instead. The lime emoji in Unicode 15.1 was actually a lemon emoji combined with the color green; the phoenix was a regular bird joined to the fire emoji. This was likely because 15.1 was only intended as a minor update to 2022’s Unicode 15.0 standard.
Most of the Unicode 16.0 emoji, by contrast, are their own unique characters. The one exception is the Sark flag emoji; flag sequences are created by placing two “regional indicator letters” directly next to each other and don’t require a ZWJ character between them.
Incorporation into the Unicode standard is only the first step that new emoji and other characters take on their journey from someone’s mind to your phone or computer; software makers like Apple, Google, Microsoft, Samsung, and others need to design iterations that fit with their existing spin on the emoji characters, they need to release software updates that use the new characters, and people need to download and install them.
We’ve seen a few people share on social media that the Unicode 16.0 release includes a “greenwashing” emoji designed by Shepard Fairey, an artist best known for the 2008 Barack Obama “Hope” poster. This emoji, and an attempt to gin up controversy around it, is all an elaborate hoax: there’s a fake Unicode website announcing it, a fake lawsuit threat that purports to be from a real natural gas industry group, and a fake Cory Doctorow article about the entire “controversy” published in a fake version of Wired. These were all published to websites with convincing-looking but fake domains, all registered within a couple of weeks of each other in August 2024. The face-with-bags-under-eyes emoji feels like an appropriate response.
Enlarge/ It’s never explained what this collection of app icons quite represents. A disorganized app you tossed together by sideloading? A face that’s frowning because it’s rolling down a bar held up by app icons? It’s weird, but not quite evocative.
You might sideload an Android app, or manually install its APK package, if you’re using a custom version of Android that doesn’t include Google’s Play Store. Alternately, the app might be experimental, under development, or perhaps no longer maintained and offered by its developer. Until now, the existence of sideload-ready APKs on the web was something that seemed to be tolerated, if warned against, by Google.
This quiet standstill is being shaken up by a new feature in Google’s Play Integrity API. As reported by Android Authority, developer tools to push “remediation” dialogs during sideloading debuted at Google’s I/O conference in May, have begun showing up on users’ phones. Sideloaders of apps from the British shop Tesco, fandom app BeyBlade X, and ChatGPT have reported “Get this app from Play” prompts, which cannot be worked around. An Android gaming handheld user encountered a similarly worded prompt from Diablo Immortal on their device three months ago.
Google’s Play Integrity API is how apps have previously blocked access when loaded onto phones that are in some way modified from a stock OS with all Google Play integrations intact. Recently, a popular two-factor authentication app blocked access on rooted phones, including the security-minded GrapheneOS. Apps can call the Play Integrity API and get back an “integrity verdict,” relaying if the phone has a “trustworthy” software environment, has Google Play Protect enabled, and passes other software checks.
Graphene has questioned the veracity of Google’s Integrity API and SafetyNet Attestation systems, recommending instead standard Android hardware attestation. Rahman notes that apps do not have to take an all-or-nothing approach to integrity checking. Rather than block installation entirely, apps could call on the API only during sensitive actions, issuing a warning there. But not having a Play Store connection can also deprive developers of metrics, allow for installation on incompatible devices (and resulting bad reviews), and, of course, open the door to paid app piracy.
Google
“Unknown distribution channels” blocked
Google’s developer video about “Automatic integrity protection” (at the 12-minute, 24-second mark on YouTube) notes that “select” apps have access to automatic protection. This adds an automatic checking tool to your app and the “strongest version of Google Play’s anti-tamper protection.” “If users get your protected app from an unknown distribution channel,” a slide in the presentation reads, “they’ll be prompted to get it from Google Play,” available to “select Play Partners.”
LocalThunk, the pseudonymous lead developer of the surprise smash hit deckbuilding/roguelike/poker-math-simulation game Balatro, has long given the impression that he understands that his game, having sold 2 million copies, might be a little too good.
To that end, LocalThunk has made the game specifically not about actual gambling, or microtransactions, or anything of the kind. Shortly after it arrived in February 2024 (but after it already got its hooks into one of us), some storefronts removed or re-rated the game on concerns about its cards and chips themes, causing him to explain his line between random number generation (RNG), risk/reward mechanics, and actual gambling. He literally wrote it into his will that the game cannot be used in any kind of gambling or casino property.
So LocalThunk has done everything he can to ensure Balatro won’t waste people’s money. Time, though? If you’re a Balatro fan already, or more of a mobile gamer than a console or computer player, your time is in danger.
Balatro is coming to iOS, both in the Apple Arcade subscription and as a stand-alone title, and the Google Play Store on September 26. The pitch-perfect reveal trailer slowly ratchets up the procrastinatory terror, with the word “MOBILE” punctuating scenes of gameplay, traditional businessmen crying, “Jimbo Stonks” rising upward (Jimbo being the moniker of Balatro’s joker), and a world laid to waste by people chasing ever-more-elusive joker combos.
Please note in the trailer, at the 36-second mark, the “Trailer Ideas” for Balatro on Mobile, including “Announcing Balatro is now a Soulslike,” “Romanceable Jimbo Reveal,” and “It’s like that apocalypse movie with the meteor but instead Jimbo is in the sky.”
Playstack
Even more Balatro content is coming
The mobile version of Balatro is one of three updates LocalThunk has planned for 2025. A gameplay update is still due to arrive sometime this year, one that will be completely free for game owners. It won’t feel like a different game, or even a 1.5 version, LocalThunk told Polygon last month, but “extending that vision to, I think, its logical bounds instead of shifting directions … [M]ore about filling out the design space that currently exists, and then extending that design space in interesting directions that I think people are going to love.”
As we noted in our attempt to explain the ongoing popularity of roguelike deckbuilders, Balatro is LocalThunk’s first properly released game. He claims to have not played any such games before making Balatro but was fascinated by streams of Luck Be a Landlord, a game about “using a slot machine to earn rent money and defeat capitalism.” That game, plus influences of Cantonese game Big Two and the basics of poker (another game LocalThunk says he didn’t actually play), brought about the time-melting game as we know it.
A number of Ars writers have kept coming back to Balatro, time and again, since its release. It’s such a compelling game, especially for its indie-scale price, that none of us could really think of a way to write a stand-alone “review” of it. With its imminent arrival on iPhones, iPads, and Android devices, we’re due to re-educate ourselves on how much time is really in each day and which kinds of achievements our families and communities need to see from us.
Maybe the game won’t sync across platforms, and the impedance of having to start all over will be enough to prevent notable devolution. Maybe.
Phishers are using a novel technique to trick iOS and Android users into installing malicious apps that bypass safety guardrails built by both Apple and Google to prevent unauthorized apps.
Both mobile operating systems employ mechanisms designed to help users steer clear of apps that steal their personal information, passwords, or other sensitive data. iOS bars the installation of all apps other than those available in its App Store, an approach widely known as the Walled Garden. Android, meanwhile, is set by default to allow only apps available in Google Play. Sideloading—or the installation of apps from other markets—must be manually allowed, something Google warns against.
When native apps aren’t
Phishing campaigns making the rounds over the past nine months are using previously unseen ways to workaround these protections. The objective is to trick targets into installing a malicious app that masquerades as an official one from the targets’ bank. Once installed, the malicious app steals account credentials and sends them to the attacker in real time over Telegram.
“This technique is noteworthy because it installs a phishing application from a third-party website without the user having to allow third-party app installation,” Jakub Osmani, an analyst with security firm ESET, wrote Tuesday. “For iOS users, such an action might break any ‘walled garden’ assumptions about security. On Android, this could result in the silent installation of a special kind of APK, which on further inspection even appears to be installed from the Google Play store.”
The novel method involves enticing targets to install a special type of app known as a Progressive Web App. These apps rely solely on Web standards to render functionalities that have the feel and behavior of a native app, without the restrictions that come with them. The reliance on Web standards means PWAs, as they’re abbreviated, will in theory work on any platform running a standards-compliant browser, making them work equally well on iOS and Android. Once installed, users can add PWAs to their home screen, giving them a striking similarity to native apps.
While PWAs can apply to both iOS and Android, Osmani’s post uses PWA to apply to iOS apps and WebAPK to Android apps.
Enlarge/ Installed phishing PWA (left) and real banking app (right).
ESET
Enlarge/ Comparison between an installed phishing WebAPK (left) and real banking app (right).
ESET
The attack begins with a message sent either by text message, automated call, or through a malicious ad on Facebook or Instagram. When targets click on the link in the scam message, they open a page that looks similar to the App Store or Google Play.
Example of a malicious advertisement used in these campaigns.
ESET
Phishing landing page imitating Google Play.
ESET
ESET’s Osmani continued:
From here victims are asked to install a “new version” of the banking application; an example of this can be seen in Figure 2. Depending on the campaign, clicking on the install/update button launches the installation of a malicious application from the website, directly on the victim’s phone, either in the form of a WebAPK (for Android users only), or as a PWA for iOS and Android users (if the campaign is not WebAPK based). This crucial installation step bypasses traditional browser warnings of “installing unknown apps”: this is the default behavior of Chrome’s WebAPK technology, which is abused by the attackers.
Example copycat installation page.
ESET
The process is a little different for iOS users, as an animated pop-up instructs victims how to add the phishing PWA to their home screen (see Figure 3). The pop-up copies the look of native iOS prompts. In the end, even iOS users are not warned about adding a potentially harmful app to their phone.
Figure 3 iOS pop-up instructions after clicking “Install” (credit: Michal Bláha)
ESET
After installation, victims are prompted to submit their Internet banking credentials to access their account via the new mobile banking app. All submitted information is sent to the attackers’ C&C servers.
The technique is made all the more effective because application information associated with the WebAPKs will show they were installed from Google Play and have been assigned no system privileges.
WebAPK info menu—notice the “No Permissions” at the top and “App details in store” section at the bottom.
ESET
So far, ESET is aware of the technique being used against customers of banks mostly in Czechia and less so in Hungary and Georgia. The attacks used two distinct command-and-control infrastructures, an indication that two different threat groups are using the technique.
“We expect more copycat applications to be created and distributed, since after installation it is difficult to separate the legitimate apps from the phishing ones,” Osmani said.
Back in July 2022, when mobile app metrics firm Branch acquired the popular and well-regarded Nova Launcher for Android, the app’s site put up one of those self-directed FAQ posts about it. Under the question heading “What does Branch want with Nova?,” Nova founder and creator Kevin Barry started his response with, “Not to mess it up, don’t worry!”
Branch (formerly/sometimes Branch Metrics) is a firm concerned with helping businesses track the links that lead into their apps, whether from SMS, email, marketing, or inside other apps. Nova, with its Sesame Search tool that helped users find and access deeper links—like heading straight to calling a car, rather than just opening a rideshare app—seemed like a reasonable fit.
Barry wrote that he had received a number of acquisition offers over the years, but he didn’t want to be swallowed by a giant corporation, an OEM, or a volatile startup. “Branch is different,” he wrote then, because they wanted to add staff to Nova, keep it available to the public, and mostly leave it alone.
Two years later, Branch has left Nova Launcher a bit too alone. As documented on Nova’s official X (formerly Twitter) account, and transcripts from its Discord, as of Thursday Nova had “gone from a team of around a dozen people” to just Barry, the founder, working alone. The Nova cuts were part of “a massive layoff” of purportedly more than 100 people across all of Branch, according to now-former Nova workers.
Barry wrote that he would keep working on Nova, “However I have less resources.” He would need to “cut scope” on an upcoming Nova release, he wrote. Other employees noted that customer support, marketing, and even correspondence would likely be strained or disappear.
Ars has reached out to Branch for comment and will update this post with response.
Some of the icon customization options, shown here on a tablet, inside Nova Launcher.
Nova Launcher
Custom, clean Android home screens
It’s hard to tell if Nova would have been better off without ever having been inside Branch, or if it might have inevitably run into the vexing question of how to get people to continually pay for an Android utility. But for Nova to be endangered, or at least heavily constrained, is a sad state for a very useful tool.
Installing a launcher on Android allows you to ignore whatever home screen, app tray, and search bars your phone came with and design your own. Nova Launcher allowed people to change how many icons showed up on their screen, and how big. It allowed for hiding default apps that could not be uninstalled. It was, and still is, one of the best ways to save your phone of bad skins, cruddy OEM software, and stuff for which you never asked.
In more than a dozen Ars reviews of Android devices touting organization concepts that people might not like—including Google’s own Pixels—Nova Launcher was recommended (minus one weird Razer/Nextbit phone that came with it by default). In his Pixel 7 Pro review, Ron Amadeo spells out one such way Nova saved the day:
The worst part of the Pixel software package is the home screen launcher, the primary interface of the phone, which is not nearly configurable enough. All I’m asking for is two things. First, I’d like many more icon grid size adjustments—the default 4×4 grid was fine when we were using 3.2-inch, 480p displays, but I now run a 7×5 grid in Nova launcher, and the Pixel launcher looks ridiculous. Second, I want to remove Google’s useless “At a Glance” widget, which takes up an incredible four icon slots to show the date and current outdoor temperature.
For the more than a decade that I used (and sometimes reviewed) Android phones, I maintained an exported Nova configuration file that I brought from phone to phone. I could experiment with theming, icon packs, and custom widgets (complete with deep links into app actions), but what that export really did was allow me to feel comfortable tinkering and messing with layout ideas. I could always go back to my rock-solid, no-nonsense layout of apps, spaced just how I liked them.
While Nova is not dead (despite mine and others‘ eulogistic tones), it’s certainly not positioned to launch bold new features or plot new futures. Here’s hoping Barry can make a go of Nova Launcher for as long as it’s viable for him.
