Lowyat.NET: Latest topics by KuLi

[NOTICE]SMISHING IN ALL ANDROIDS

KuLi — Tue, 06 Nov 2012 08:25:55 +0800

mods shld pin this.

stay safe, and happy androiding.

QUOTE

NC State University researchers have discovered an SMS phishing (smishing) vulnerability in the Android Open Source Project (AOSP) and thus is present in almost all Android versions, including Donut (1.6), Éclair (2.1), Froyo (2.2), Gingerbread (2.3), Ice Cream Sandwich (4.0), and Jelly Bean (4.1). They have tested the flaw on multiple popular Android devices, including the Google Galaxy Nexus, the Google Nexus S, the HTC One X, the HTC Inspire, the Xiaomi MI-One, and the Samsung Galaxy S3.

A video of the researchers exploiting the security hole in the last one was uploaded on YouTube just yesterday, catching our eye:

[YOUTUBE]gLujaf0Y4-A[/YOUTUBE]

As you can see, smishing is a social engineering technique that uses cell phone text messages to bait victims into divulging their personal information, such as passwords for user accounts. The hook is usually a Web site URL in the text message, or a phone number that connects to an automated voice response system.

This particular vulnerability allows for smishing since an Android app can fake arbitrary text messages, making it appear that the user has received an SMS from someone on the phone’s contact list or say, from a trusted bank. The good news is that the researchers immediately contacted Google about the flaw, and the company responded promptly and positively:

We notified the Google Android Security Team on 10/30/2012 and were — as always — impressed to receive their response within 10 minutes. The confirmation of the vulnerability presence arrived on 11/1/2012 — two days after our initial report. From their response, we can infer that they took this issue seriously and investigated it without delay.

The vulnerability is now confirmed and we [were] told that a change will be included in a future Android release. We are not aware of any active exploitation of this issue.

The last part is also crucial: the researchers are unaware of the flaw being exploited in the wild. Since they responsibly disclosed the vulnerability to Google, it will hopefully be fixed before malicious parties can take advantage.

The group promises not to publish the details of the vulnerability until a final fix is out. In the meantime, you can protect yourself in two ways. The first is being cautious when downloading and installing apps (particularly from unknown sources) and the second is paying close attention to received text messages to try avoid being duped by possible phishing attacks.

It’s not clear how quickly and effectively Google will be able to deliver a patch to its users. Given how slow Android users are in adopting new versions, for various reasons that are rarely their fault, this issue may end up causing problems for months if not years to come.

FUD alert: 72% of all Android apps on Google Play access permissions they shouldn’t

sauce

ANDROID 4.2

KuLi — Tue, 30 Oct 2012 07:51:08 +0800

Most impressive is the Multi panorama. But always the question is, how fast is the rollout?
LOL

QUOTE

Android 4.2 Jelly Bean is now official, following Google's announcement of the Nexus 4 and Nexus 10. There are a lot of new things to cover, so let's not waste any time.

Multiple user accounts

Android 4.2 Jelly Bean for tablets adds multiple user-support to the OS. This way everyone in the household can have an account, which once logged in, welcomes them to their own homescreen, background, widgets and apps. Even the games keep the individual high scores and levels.

Settings center in the notifications drawer

The expandable notifications were a welcomed addition in Android 4.1, but now in Android 4.2, you can also take various actions like toggling Wi-Fi, adjusting screen brightness, go to Airplane mode, and more.
To do so, just tap on the icon on the top right once you have the notification drawer on. It took Google a while to copy the time-saving feature that TouchWiz, SenseUI and many other manufacturer Android skins implemented a while ago. Still, it's good to have it backed in right into the OS.

Photo Sphere

With Android 4.0, Google introduced the Panorama capturing mode, and now with Android 4.2 Jelly Bean users will get a cool feature dubbed Photo Sphere. It's a panorama mode on steroids and allows you to capture photos in multiple directions (up, down, left, right).
After they've been captured and saved as JPEG files you can view them and navigate around the whole image. You can share the image on Google+ or, if you feel like it, contribute the Photo Sphere to Google Maps.
The feature itself was inspired by Street View, as the Product Management Director for Android Hugo Barra points out. He adds that the photos pack embedded XML metadata in them allowing you to easily share them on Google+ and put them in Google+ photo albums, where your friends can view them as well.

Google Now is updated

Google has added a lot of new cards to its Google Now service. It now can feed data directly from Gmail, which will provide new cards, such as package shipments info.
Google Now also got cards for events, restaurant reservations, hotels, and flights. Some of them, like hotels and flights will be location specific. There are also new cards like movie screenings, concerts, stocks, public alerts and developing stories & breaking news.
Naturally, most of them won't be available world-wide at launch, but make sure that Google will work hard to bring them to more and more places in the future.

Gesture Typing

Forget about Swype, Android's very own Gesture typing is the new cool kid on the block. It works in a manner very similar to Swype -- you just Swipe your finger over the letters you want to type, lifting after each word is complete.

Naturally, the Gesture Typing feature benefits from the already existing Android word prediction, so you can just click on the words the keyboard suggests. This comes in addition to the offline voice typing service that Google offers, which makes for an all-round great messaging experience.
Wireless TV integration
Better late than never, finally in this version of Android Google has allows you to wirelessly share the screen of your phone or display with a big screen TV set.

All you need to do is connect a wireless display adapter to an HDMI-enabled TV and then it'll start mirroring whats on your screen using DLNA. The new feature uses the Miracast protocol for streaming.
It's another feature most customs launchers had, but is only now making its way to the platform itself.

Widgets on the lock screen

Widgets are a major part in Android and now you can assign a widget on the lockscreen as well. Think of the Music player widget on the lockscreen, but now you can assign another one there, so it's always just a click away.

Daydream

Android 4.2 Jelly Bean isn't just business and no play. Google has integrated a little feature called Daydream, which is simply a sort of a screensaver. Once turned on, you can set it up to show photo albums, latest news from Google Currents and more when the device is either docked or idle.

Various improvements

Android 4.2 Jelly Bean has a lot going for it, including some minor additions. You can now use pinch-to-zoom in Gmail for enhancing reading, triple-tap to magnify the entire homescreen and the pan and zoom with two fingers, as well as added speech output and gesture mode navigation for the visually impaired users.
Expect Android 4.2 Jelly Bean to start its roll-out once the new Nexus family of devices goes on sale on November 13.

[security alert!] android prone to wipeout!

KuLi — Thu, 27 Sep 2012 23:09:40 +0800

Cldnt find previous thread. Maybe mod deleted. Dunno why but everybody shld be alerted of this.
Highly important lor.

[QUOTE]
On the 21st of September, the Indian developer Ravi Borgaonkar held a security conference in Buenos Airies, titled "the Abuse of USSD codes on mobile networks." To demonstrate the serious security problems associated with USSD codes, he wiped a Galaxy S2, simply by clicking on a link on a malicious website.

How did it happen?
Borgaonkar entered the USSD code *2767*3855# on his Galaxy S2, which reset his phone to its factory settings; a process which is performed differently on different Android models. On some, like the HTC One X, the device asks you whether or not you want to delete all your apps and restore your phone to its factory settings or if you want to do that AND delete all your pictures, music, and personal files saved to the SD card. On the Galaxy S3, the process (just) deletes all your apps, system application data and settings.

A USSD code is entered into phones to perform actions. They are mainly used by network operators to provide customers with easy access to pre-configured services, including call-forwarding, balance inquiries and multiple SIM functions. These shortcuts are also used by many manufacturers to control system functions. But they are mainly intended for internal use and thus rarely communicated to the user.

Where is the Security Hole?

Normally, when entering a USSD code, you must enter it into the keypad of your phone and tap the call button. But Borgaonkar's code skips this step and automatically runs in the background, without the user noticing anything.
The USSD code links the browser to the phone app. That means: When I click on a telephone number in my browser, the phone App opens with the previously clicked number and I only have to hit the "call" button.
The HTML code to execute such an action is as follows:
<a href="tel:xyz">Click here to call us directly</a>
Now, I only need to replace the "xyz" with the USSD code *2767*3855#, and the HTML code becomes far more nefarious:
<a href="tel:*2767*3855#"> Click here to call us directly </ a>
The command above assumes that the user clicks on the link, so that the phone app is launched. Borgaonkar has embedded this command in a frame, which looks like this:
<frameset> <frame src="tel:*2767*3855#" /> </ frameset>
Now, if this code is embedded in a website and the smartphone visits the site, the phone will immediately and without further inquiry dial this number. But that in itself is still not the problem, since usually the user would have to explicity tap the call button in order to dial the number.

But the security breach is worse than that, since the call is immediately performed in the background, without any confirmation needed by the user. Rather, the call is placed covertly. And if hiding behind the number is not a phone number but a corresponding USSD shortcut, there is a problem. In Borgaonkar's demonstration this means that the Galaxy S2 can visit a malicious website and immediately begin the factory reset without the user knowing what's happening.
So this is not just a Samsung issue but an Android issue, as well?
Yes. Running USSD codes in the background via a malicious website seems to be a cross-vendor problem. Samsung only had the misfortune of being the test dummy. Already, folks have demonstrated the issue on Motorola and HTC phones as well.
Are there any other entry points?
Yes, any app that has access to your browser can perform this action automatically via a website. It can perform the action via QR codes, NFC tags and WAP Push messages.

Sauce

Is this consider bully or abuse?

KuLi — Sun, 09 Sep 2012 01:16:46 +0800

-- Please keep your post concise to ensure a speedy review from us. We suggest 250 words or less. --

Recently in the android forum, and note2 thread, got many ppl talking out of topic and non-related to the device.
Even the frutie staff is guilty of indulging in this.
As a responsible forummer, I advised them to discontinue such behavior. Instead of being supportive, this was what fruitie staff said...

QUOTE(fruitie @ Sep 9 2012, 01:08 AM)

Well, I don't see the problem to discuss even before the device is available.

And, let me remind you in case you have forgotten. Please refer to RBR's latest warn on you. You could click on your warn log. I shall not hesitate to add more for you and get yourself some necessary "rest".

We have been getting a lot of reports on you recently. I'm sorry but you are not in the position on LYN to set or impose any set of rule at your preference.
[right][snapback]54466517[/snapback][/right]

Of course, I have not imposed any rule, just given friendly reminder.

QUOTE(ezmeer94 @ Sep 9 2012, 12:13 AM)

never used digi but they will advertise new phones better compared maxis which im using
maxis speed rocks
[right][snapback]54465398[/snapback][/right]

QUOTE(KuLi @ Sep 9 2012, 12:36 AM)

STOP discussing abt telcos here! It's got nothing related to note2.
Stick to the topic!
[right][snapback]54465871[/snapback][/right]

[YELLOW ALERT] Whatsapp Vulnerable to Hijack

KuLi — Fri, 07 Sep 2012 07:58:48 +0800

to all android users, pls be extremely careful. the best way of course is delete whatsapp from ur android phone.
if too addicted, may consider blackberry/windows phone.

QUOTE

One web developer is now calling attention to a possible security risk in the popular WhatsApp messaging service on Android that could result in messages being intercepted or spoofed.

WhatsApp has become immensely popular – it recently hit a new record of 10 billion messages sent and received in a single day, but that popularity could make it a prime target for hackers and scammers.

Sam Granger (via Hacker News) notes that WhatsApp for Android is insecure because it uses a phone number for a username and a modified version of the IMEI number (inverted with an MD5 cryptographic hash, in case you were wondering) as a password. IMEI, or International Mobile Equipment Identity, is a number used for identifying certain types of phones.

The iPhone version of the app does not appear to have the flaw. Granger said he didn’t know whether the Windows Mobile and BlackBerry versions use the same password generation method.

Granger’s post isn’t particularly new information, as the WhatsApp Wikipedia entry already says that the service uses the phone number and IMEI. He does, however, point out that there are several “rather simple” ways to obtain both pieces of information.

“Is this already happening? It wouldn’t surprise me if it is,” he wrote. “I’ve succeeded in sending/receiving messages (from friends accounts who gave me permission to take their accounts over) and I’m not even a “hardcore hacker.””

Granger concluded by saying that he loves WhatsApp, but feel it’s “far from “secure.”"

TNW has contacted WhatsApp about the issue. So far, they’ve yet to respond, but we’ll update this post if they do.
This isn’t the first time that WhatsApp has faced criticism over security issues. In May 2011, a security hole was discovered that allowed accounts to be hijacked.

Meanwhile, some scammers are even using WhatsApp’s name (and popularity) to trick people. Last month, we noticed a number of Facebook apps trying to pass themselves off as the service.

http://thenextweb.com/apps/2012/09/06/what...-imei-password/

Being given warning

KuLi — Sat, 01 Sep 2012 12:35:39 +0800

i was given a 10% warning even though i had given friendly warning to another user not to post hate comments.

i was happy that the mod finally deleted the thread but he was abt few hours late.

but i was very shocked that a warning was given even though i took the sense to do my duty as a responsible forummer.

[Breaking News] get pregnant by 3D

KuLi — Mon, 27 Aug 2012 09:05:58 +0800

Dun watch violent films, otherwise can get hurt and die also.

Meizu MX4

KuLi — Tue, 24 Jul 2012 07:58:35 +0800

Hi guys. This looks cool or not?

QUOTE

Key features

Quad-band GSM and penta-band 3G support
21.6 Mbps HSDPA and 5.76 Mbps HSUPA
4.0" 16M-color ASV capacitive touchscreen of 640 x 960 pixel resolution; Gorilla glass
Heavily skinned Android OS v4.0 ("Flyme OS")
1.4 GHz quad-core Cortex-A9 CPU, Mali-400MP GPU, Exynos 4212 Quad chipset, 1GB of RAM
8 MP wide-angle autofocus camera with LED flash, face and smile detection; Wide Dynamic Mode
Up to 1080p video recording @ 30fps
Wi-Fi 802.11 b, g and n support; Wi-Fi hotspot
GPS with A-GPS connectivity; Digital compass
32/64GB of internal storage
Accelerometer, gyroscope and proximity sensor
Charging MHL microUSB port with USB host, TV-out support (1080p via an optional adapter) and S/PDIF-out for dock connection
Standard 3.5 mm audio jack
Stereo Bluetooth v2.1
Active noise cancellation with a dedicated mic
VGA secondary video-call camera
Full Flash support
Document editor
File manager comes preinstalled
Impressively rich audio and video format support

Main disadvantages

Tries too hard to beat the iPhone at its own game
Sub-par viewing angles and sunlight legibility
Looks exactly like its predecessor
No dedicated camera key (but cool Gesture captuire option and volume rocker alternative)
Non-expandable internal storage
Battery not user replaceable
No FM radio

[WTAnnounce] dead trigger FREE

KuLi — Mon, 23 Jul 2012 22:05:55 +0800

Interesting development.
Even 0.99 game also kena pirated kaw kaw.

Those who paid dunno can ask for refund or not?
Butthurt.

QUOTE

One of the hottest mobile games of this summer – Dead Trigger – is now free on Android’s Play Store. This is not a limited time promotion, nor has the developer implemented in-game ads to make up for drop in price.

The reason is something Android has been blamed since its dawn – the piracy rate.

Mad Finger, the game’s developer, says the reason behind the permanent price drop is the “unbelievably high” piracy. It also stresses the game will remain free to play – you won’t need to buy anything from the in-app purchases (though if you want to, you can).

Dead Trigger used to cost $0.99 on Android and the people who already paid the price are not happy with the reduction. You can tell by the one-star reviews the game has been getting lately in the Play Store.

The game still costs $0.99 on iOS and will stay this way.

Here is the official statement from Mad Finger.

“Regarding price drop. HERE is our statement. The main reason: piracy rate on Android devices, that was unbelievably high. At first we intend to make this game available for as many people as possible – that’s why it was for as little as buck. – It was much less than 8$ for SHADOWGUN but on the other hand we didn’t dare to provide it for free, since we hadn’t got XP with free-to-play format so far. – However, even for one buck, the piracy rate is soooo giant, that we finally decided to provide DEAD TRIGGER for free. Anyway – DEAD TRIGGER is not FREEMIUM, it always was and still remains FREE-TO-PLAY, that means, all players are able to play it without IAP! We stand up for this statement, because all members of our team are playing (and enjoying) DEAD TRIGGER without IAP.”

I think it is time Google to do something on the matter. While the openness of the platform makes it easy to download otherwise paid apps for free from internet this is one of the main reasons why iOS gets the hottest games and updates first, and why the Android community needs to wait (like Fieldrunners 2).

If the developers don’t get enough return of their investments, then you can’t blame them for taking their time with their Android products (or not releasing anything on Android at all).

sauce

TP T882

KuLi — Sun, 10 Jun 2012 13:22:27 +0800

latest ice cream sandwich firmware.

design looks not bad. anybody seen this in malaysia ady?

[addedon]June 10, 2012, 1:31 pm[/addedon]only 1300RMB nia

android is dead

KuLi — Fri, 04 May 2012 22:55:06 +0800

For months now, I've been writing that in spite of the title of my site, there is no smartphone war.
iPhone won.
As I've written many times, the war now is between Apple and Samsung.
Recent datapoints have proven me correct. According to Horace Dediu/Asymco, Apple is now taking 73% of the smartphone industry's profits, with Samsung capturing 26%. For those of you with a liberal arts degree, that leaves just 1% profit for everyone else.
And that everyone includes Huwai and ZTE, LG and Sony, Motorola, Dell (sorta), HP (I think) and a host of other very large, once-capable companies.
There simply is no longer an iPhone vs Android war. It's Apple vs Samsung. And I'm beginning to wonder if we even need to concern ourselves with Android at all.
Nobody wants an Android tablet.
Almost no one has the latest version of Android.
The companies that most aggressively marketed the "Android" brand, particularly Motorola and HTC, are floundering. Samsung, you will notice, markets Samsung.
App developers continue to make far more money off iOS. Those Android app developers that do make any coin are typically found on Amazon, which is doing everything it can to alter (improve) the 'Android experience'.
Most mobile traffic comes via iPhone and iPad. Most Google searches come via iPhone. Google is *losing* money on Android. I have my doubts that any revenues generated via Android will ever total the full cost of Android -- once you include the Motorla purchase.
The ongoing Oracle - Google trial has exposed that Android has repeatedly led Google down a do-evil path.
The big carriers in the US (ATT, Verizon and Sprint) all acknowledge that iPhone outsells all Android devices combined.
China and India remain large markets for Android. However, these countries have shown a ready willingness to fork Android, and I strongly suspect that China, even if they approve the Motorola acquisition will consistently seek to hobble Google's power and scope.
Android has clearly thrown Google off its game. The Moto acquisition remains inexplicable -- and extremely costly. Android led Google to (allegedly) violate numerous patent/copyright laws. Android led Google to abandon its net neutrality stance and jump in bed with carriers.
Though now is re-thinking how closely aligned with Big Carriers they should be, even re-considering selling non-contract devices online.
The Oracle trial made clear that Android was designed for a small screen with a physical keyboard -- thus, not optimized for the touchscreen revolution. Android has followed iPhone down the 'app phone' path, despite the fact that apps have a strong potential to disintermediate Google's reach.
Around the world, iPhone is the preferred device.
Google still has almost no answer for the Android fragmentation problem. Google, for all its reach and for all the Android devices sold, has revealed it has almost no ability to pressure carriers or device makers to update to the latest OS in any reasonable amount of time.
I seriously doubt any Android device will rival iPhone 4S -- even by the time of the next iPhone.
Just like the "cola wars" are really about Coke vs Pepsi, so too are the smartphone wars. It's not iPhone vs Android, let's stop kidding ourselves about that, but iPhone vs Samsung.

sauce

this is quite true. even h1x is promoting their sense and not android.

Samsung's sCloud

KuLi — Sat, 21 Apr 2012 18:54:24 +0800

it is all abt cloud storage now. no more microSD or stuff like that.
1st it was HTC with dropbox and now samseng also intends to do the same.

QUOTE

According to Korean tech site MK, Samsung might be prepping up its very own cloud service. It's going to be called, and we are not joking, S-Cloud. In its core, it's going to be similar to Apple's iCloud, but will offer much more, according to the report.

For starters, there won't be any limitations on the things you could upload, which means it will work like Dropbox and the upcoming Google Drive. It'll even come with access to movies, popular TV shows and music. Free and paid content will also be available to various Samsung products such as laptops and tablets.
Furthermore, the amount of storage S-Cloud would offer is said to be more than 5GB, with Microsoft handling the server-side of the operations. We'll find if any of this is true on May 3, when Samsung will unveil its latest flagship Android smartphone.

TigerBot Malware For Android

KuLi — Tue, 10 Apr 2012 22:55:55 +0800

RED ALERT WARNING !

QUOTE

Researchers at NQ Mobile, working alongside researchers at North Carolina State University, have discovered new Android malware that is controlled via SMS that can do a number of things on the compromised device including recording calls and surrounding noise.

Called TigerBot, the recently discovered malware was found circulating in the wild via non-official Android channels. Once again, this discovery is proving the sensibility of only installing official applications, and only those available from known, legitimate sources such as Google Play.

TigerBot will hide itself on a compromised device by forgoing an icon on the home screen, and by masking itself with a legit application name such as Flash or System. Once installed an active, it will register a receiver with a high priority to listen to the intent with action “android.provider.Telephony.SMS_RECEIVED.”

“Upon receiving a new SMS message, TigerBot will check whether the message is a specific bot command. If so it will prevent this message from being seen by the users and then execute the command accordingly,” NQ explained on their blog.

Based on the code examination, NQ said that TigerBot can record sounds in the immediate area of the device, as well as calls themselves. It also has the ability to alter network settings, report its current GPS coordinates, capture and upload images, kill other processes, and reboot the phone.

“Our analysis shows that some of the above commands may not be perfectly supported... [For example] the command to kill other processes may only work on early Android versions,” NQ added.

The fact that TigerBot and any variants can be controlled without the user’s knowledge marks it as a serious risk, the mobile security firm said.

Again, the best bet to avoid infection comes from sticking to legit sources when downloading applications.

In addition, NQ said that users should always reject application requests from unknown sources, closely monitor permissions requested by any application, and reminded that applications shouldn't request permission to do more than what it offers in its official list of features.

sauce

Samsung Galaxy Tab 7.7 or Asus Transforemer Prime?

KuLi — Mon, 20 Feb 2012 00:05:24 +0800

dear all

which one can serve function as profesional tablet better?
i like the screen on the samsung but asus got quad core and ics.

hope for guidance from bro here.

Lowyat.NET: Latest topics by KuLi

[NOTICE]***SMISHING IN ALL ANDROIDS***

ANDROID 4.2

[security alert!] android prone to wipeout!

Is this consider bully or abuse?

[YELLOW ALERT] Whatsapp Vulnerable to Hijack

Being given warning

[Breaking News] get pregnant by 3D

Meizu MX4

[WTAnnounce] dead trigger FREE

TP T882

android is dead

Samsung's sCloud

TigerBot Malware For Android

Samsung Galaxy Tab 7.7 or Asus Transforemer Prime?

[NOTICE]SMISHING IN ALL ANDROIDS