Hulu and Plex Rolling Out New Features for Streaming Video With Friends

Hulu is testing a new “Watch Party” feature that’s designed to allow up to eight people to watch TV shows and movies together through the Hulu website and chat with one another while the content is playing.


Some Hulu users who sign in on the web will see a popup describing the new Watch Party option, which is available for a select number of TV shows and movies. Watch Party is limited to customers who have the Hulu plan with no ads, and it is only available on the web at this time.

We’re testing something new on hulu.com so you can watch together, even when you’re apart. Start a Watch Party by clicking the watch party icon on the details page of your favorite shows and movies. Try it and tell us what you think.

Starting a Watch Party with friends can be done by choosing a TV show or movie that supports the feature and clicking on the Watch Party icon. Hulu then provides a link that can be shared with up to seven people, and when everyone has joined, the host can start the show.

Participants need to be logged into Hulu, and every watcher needs the no-ads Hulu subscription, priced at $12 per month. As the TV show or movie plays, participants can chat with one another through an included chat box, and each person using the service can control their own playback without impacting the rest of the group.

Watch Party is a Hulu-built feature that works in any browser that supports Hulu streaming, with no plug-ins or extensions required.


Along with Hulu, Plex has also announced a new “Watch Together” beta feature today, which is designed to allow multiple people to watch movies and TV shows through Plex for free. The feature works with all free on-demand content on Plex, as well as content from personal media libraries.

Plex’s feature has no communication option, however, and Plex recommends viewers use a separate chat app such as Zoom. Watch Together works on iOS, tvOS, Android devices, and Android TVs. Plex’s Watch Together feature is an early release and more functionality will be coming in the future. Unlike Hulu’s Watch Party, Watch Together is free to use.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Apple Releases macOS Catalina 10.15.5 With Battery Health Management Features, Fix for Finder Freezing

Apple today released macOS Catalina 10.15.5, the fifth update to the macOS Catalina operating system that was released in October 2019. macOS Catalina 10.15.5 comes two months after the launch of macOS Catalina 10.15.4, which introduced Screen Time Communication Limits.

macOS Catalina 10.15.5 is a free update that can be downloaded from the Mac App Store using the Update feature in the System Preferences app.

The macOS Catalina 10.15.5 update introduces a new Battery Health Management feature for Mac notebooks. Battery Health Management is meant to extend the overall lifespan of a Mac’s battery by reducing the rate of chemical aging.

Battery Health Management analyzes the battery health of a laptop and its charging pattern, and in some cases, it will preserve battery longevity and health by not charging a MacBook to its full capacity. Keeping a MacBook charged at its full capacity at all times can reduce battery health.


When a Mac is used plugged in and the battery is kept full all the time, the Battery Health Management feature will kick in and stop short of a full charge.

Battery Health Management is an optional feature that can be disabled through the System Preferences app, with instructions available in our how to.

The macOS Catalina 10.15.5 update also addresses an issue that caused large data transfers to RAID volumes to freeze up the Finder app. With the update, large data transfers will no longer cause Finder to become unresponsive.

After installing macOS Catalina 10.15.4, some Mac users began experiencing occasional system crashes, primarily caused by large file transfers. The new update should successfully fix the problem. Apple’s full release notes for macOS Catalina 10.15.5 are below.

macOS Catalina 10.15.5 introduces battery health management in the Energy Saver settings for notebooks, an option to control automatic prominence of video tiles on Group FaceTime calls, and controls to fine-tune the built-in calibration of your Pro Display XDR. The update also improves the stability, reliability, and security of your Mac.

Battery Health Management
– Battery health management to help maximize battery lifespan for Mac notebooks
– Energy Saver preference pane now displays battery condition and recommends if the battery needs to be serviced
– Option to disable battery health management
– For more information, please visit https://support.apple.com/kb/HT211094

FaceTime Prominence Preference
– Option to control automatic prominence on Group FaceTime calls so video tiles do not change size when a participant speaks

Calibration Fine-Tuning for Pro Display XDR
– Controls to fine-tune the built-in calibration of your Pro Display XDR by adjusting the white point and luminance for a precise match to your own display calibration target

This update also includes bug fixes and other improvements.
– Fixes an issue that may prevent Reminders from sending notifications for recurring reminders
– Addresses an issue that may prevent password entry on the login screen
– Fixes an issue where System Preferences would continue to show a notification badge even after installing an update
– Resolves an issue where the built-in camera may not be detected when trying to use it after using a video conferencing app
– Addresses an issue for Mac computers with the Apple T2 Security Chip where internal speakers may not appear as a sound output device in Sound preferences
– Fixes a stability issue with uploading and downloading media files from iCloud Photo Library while your Mac is asleep
– Resolves a stability issue when transferring large amounts of data to RAID volumes
– Fixes an issue where the Reduce Motion Accessibility preference did not reduce the speed of animations in a FaceTime group call

Insidious Android malware gives up all malicious features but one to gain stealth

ESET researchers detect a new way of misusing Accessibility Service, the Achilles’ heel of Android security

ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions, notably wiping out the victim’s bank account or cryptocurrency wallet and taking over their email or social media accounts. Called “DEFENSOR ID”, the banking trojan was available on Google Play at the time of the analysis. The app is fitted with standard information-stealing capabilities; however, this banker is exceptionally insidious in that after installation it requires a single action from the victim – enable Android’s Accessibility Service – to fully unleash the app’s malicious functionality.

The DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth. Its creators reduced the app’s malicious surface to the bare minimum by removing all potentially malicious functionalities but one: abusing Accessibility Service.

Accessibility Service is long known to be the Achilles’ heel of the Android operating system. Security solutions can detect it in countless combinations with other suspicious permissions and functions, or malicious functionalities – but when faced with no additional functionality nor permission, all failed to trigger any alarm on DEFENSOR ID.

By “all” we mean all security mechanisms guarding the official Android app store (including the detection engines of the members of the App Defense Alliance) and all security vendors participating in the VirusTotal program (see Figure 1).

Figure 1. According to the VirusTotal service, no security vendor detected the DEFENSOR ID app until it was pulled off the Play store

DEFENSOR ID was released on Feb 3, 2020 and last updated to v1.4 on May 6, 2020. The latest version is analyzed here; we weren’t able to determine if the earlier versions were also malicious. According to its profile at Google Play (see Figure 2) the app reached a mere 10+ downloads. We reported it to Google on May 16, 2020 and since May 19, 2020 the app has no longer been available on Google Play.

The developer name used, GAS Brazil, suggests the criminals behind the app targeted Brazilian users. Apart from including the country’s name, the app’s name is probably intended to imply a relationship with the antifraud solution named GAS Tecnologia. That security software is commonly installed on computers in Brazil as several banks require it to log into their online banking. However, there is also an English version of the DEFENSOR ID app (see Figure 3) besides the Portuguese one, and that app has neither geographical nor language restrictions.

Playing further off the suggested GAS Tecnologia link, the app promises better security for its users. The description in Portuguese promises more protection for the user’s applications, including end-to-end encryption. Deceptively, the app was listed in the Education section.

Figure 2. The DEFENSOR ID app on Google Play – Portuguese version (translates roughly as: “Your new Defensor app available for: / Individuals / Legal entities / From now on you will have more protection when using your applications, encryption for end-to-end users”)

Figure 3. The DEFENSOR ID app on Google Play – English version

Functionality

After starting, DEFENSOR ID requests the following permissions:

  • allow modify system settings
  • permit drawing over other apps, and
  • activate accessibility services.

If an unsuspecting user grants these permissions (see Figure 4), the trojan can read any text displayed in any app the user may launch – and send it to the attackers. This means the attackers can steal the victim’s credentials for logging into apps, SMS and email messages, displayed cryptocurrency private keys, and even software-generated 2FA codes.

Because the trojan can steal the victim’s credentials and also read their SMS messages and generated 2FA codes, DEFENSOR ID’s operators can bypass two-factor authentication. This opens the door to, for example, fully controlling the victim’s bank account.

To make sure the trojan survives a device restart, it abuses the already activated accessibility services, which launch the trojan right after the device starts.

Figure 4. The permission requests by DEFENSOR ID

Our analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled server such as uninstalling an app, launching an app and then performing any click/tap action controlled remotely by the attacker (see Figure 5).

Figure 5. The list of commands DEFENSOR ID may get from its C&C server

In 2018, we saw similar behavior, but all the click actions were hardcoded and suited only for the app of the attacker’s choice. In this case, the attacker can get the list of all installed apps and then remotely launch the victim’s app of their choice to either steal credentials or perform malicious actions (e.g. send funds via a wire transfer).

We believe that this is the reason the DEFENSOR ID trojan requests the user to allow “Modify system settings”. Subsequently, the malware will change the screen off time-out to 10 minutes. This means that, unless victims lock their devices via the hardware button, the timer provides plenty of time for the malware to remotely perform malicious, in-app operations.

If the device gets locked, the malware can’t unlock it.

Malware data leak

When we analyzed the sample, we realized that the malware operators left the remote database with some of the victims’ data freely accessible, without any authentication. The database contained the last activity performed on around 60 compromised devices. We found no other information stolen from the victims to be accessible.

Thanks to this data leak, we were able to confirm that the malware really worked as designed: the attacker had access to the victims’ entered credentials, displayed or written emails and messages, etc.

Once we reached the non-secured database, we were able to directly observe the app’s malicious behavior. To illustrate the level of threat the DEFENSOR ID app posed, we performed three tests.

First, we launched a banking app and entered the credentials there. The credentials were immediately available in the leaky database – see Figure 6.

Figure 6. The banking app test: the credentials as entered (left) and as available in the database (right)

Second, we wrote a test message in an email client. We saw the message uploaded to the attackers’ server within a second – see Figure 7.

Figure 7. The email message test: the message as written (left) and as available in the database (right)

Third, we documented the trojan retrieving the Google Authenticator 2FA code.

Figure 8. The software generated 2FA code as it appeared on the device’s display (left) and as available in the database (right)

Along with the malicious DEFENSOR ID app, another malicious app named Defensor Digital was discovered. Both apps shared the same C&C server, but we couldn’t investigate the latter as it had already been removed from the Google Play store.

Indicators of Compromise (IoCs)

Package Name               Hash                                       ESET detection name
com.secure.protect.world   F17AEBC741957AA21CFE7C7D7BAEC0900E863F61   Android/Spy.BanBra.A
com.brazil.android.free    EA069A5C96DC1DB0715923EB68192FD325F3D3CE   Android/Spy.BanBra.A
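A triage check for the behaviour described under Functionality, using the package names from the IoC table above. This is an added example, not ESET’s tooling; it assumes the two inputs were captured from the device with the adb commands named in the code, and the allowlist, the service class names and the sample captures are constructed.

```python
"""Triage check for the DEFENSOR ID behaviour described above (added example,
not ESET's tooling). It assumes the two input strings were captured from a
device under investigation with:
    adb shell settings get secure enabled_accessibility_services
    adb shell settings get system screen_off_timeout
The allowlist, the service class names and the sample captures are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Package names from the IoC table.
DEFENSOR_ID_PACKAGES = {"com.secure.protect.world", "com.brazil.android.free"}

# The trojan raises the screen-off timeout to 10 minutes (the setting is in ms).
DEFENSOR_SCREEN_OFF_MS = 10 * 60 * 1000

# Accessibility services the organisation knowingly uses (assumed allowlist).
ALLOWED_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}


@dataclass
class Finding:
    severity: str
    message: str


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Parse Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES: a colon-separated
    list of flattened ComponentNames ('pkg/class'); 'null' means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    entries = []
    for item in raw.split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):          # shorthand: class relative to the package
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def triage(enabled_services_raw: str, screen_off_timeout_raw: str) -> list[Finding]:
    """Flag accessibility services held by known or unexpected packages, and a
    screen-off timeout at or above the value DEFENSOR ID configures."""
    findings: list[Finding] = []
    for pkg, cls in parse_enabled_services(enabled_services_raw):
        if pkg in DEFENSOR_ID_PACKAGES:
            findings.append(Finding("critical",
                f"known DEFENSOR ID package holds accessibility access: {cls}"))
        elif pkg not in ALLOWED_ACCESSIBILITY_PACKAGES:
            findings.append(Finding("warning",
                f"unexpected accessibility service enabled: {cls}"))
    try:
        timeout_ms = int(screen_off_timeout_raw.strip())
    except ValueError:
        findings.append(Finding("info",
            f"unparseable screen_off_timeout: {screen_off_timeout_raw!r}"))
    else:
        if timeout_ms >= DEFENSOR_SCREEN_OFF_MS:
            findings.append(Finding("warning",
                f"screen-off timeout is {timeout_ms // 60000} min; "
                "DEFENSOR ID sets 10 min to keep the unlocked device usable remotely"))
    return findings


# Constructed sample captures; the service class names are placeholders.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.secure.protect.world/.ExampleService")
SAMPLE_TIMEOUT = "600000"

if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES, SAMPLE_TIMEOUT):
        print(f"[{f.severity}] {f.message}")
```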

MITRE ATT&CK techniques

Tactic               ID     Name                                             Description
Initial Access       T1475  Deliver Malicious App via Authorized App Store   Impersonates security app on Google Play.
Initial Access       T1444  Masquerade as Legitimate Application             Impersonates legitimate GAS Tecnologia application.
Discovery            T1418  Application Discovery                            Sends list of installed apps on device.
Impact               T1516  Input Injection                                  Can enter text and perform clicks on behalf of user.
Collection           T1417  Input Capture                                    Records user input data.
Command and Control  T1437  Standard Application Layer Protocol              Uses Firebase Cloud Messaging for C&C.



Lukas Stefanko



Apple Updating Schoolwork and Classroom Apps With New Distance-Learning Features and More

Apple is bringing some significant updates to several of its education apps, led by a new Schoolwork 2.0 for iPad and Mac, reports CNET.


Schoolwork is Apple’s app that allows teachers to distribute class materials known as Handouts to students, assign activities within compatible apps, collaborate with students, and view student progress. CNET says Schoolwork 2.0 will bring new features like Files integration, speed improvements, and more.

Apple designed Schoolwork 2.0 to include features found in other iPadOS apps, like Files, and to speed up navigation around the software. There’s a new Handout library with a source list on the left side that makes it easier to navigate to different classes or the student’s library with drafts and favorites. On the right are cards with things like reminders for a field trip or a math assignment.

Other new features include a redesigned Handout detail view and new communication integration to let teachers FaceTime or message students at a tap.

In addition to Schoolwork, Apple is also updating its Classroom app for iPad that functions as a teaching assistant within a classroom to launch apps and websites across all devices in a classroom, share a student’s screen to the teacher’s iPad or a classroom Apple TV, share documents, and more.

The updated Classroom app includes pinch-to-zoom functionality, automatic syncing of Apple School Manager classes to the teacher’s Apple ID, and new temporary sessions for shared iPads.

The updated versions of Schoolwork and Classroom are coming “soon,” according to CNET, with no specific launch dates given.

Apple Highlights Global Accessibility Awareness Day With App Store Features and New Today at Apple Video

Apple today is marking Global Accessibility Awareness Day with several new features across its sites and services to promote inclusion and access to technology for anyone with a disability.


On the front page of Apple.com, there’s a new section today with the tagline “Works the way you do” that links to the company’s existing Accessibility page, which highlights a number of personal stories as well as features of Apple’s products targeted at accessibility.


Over on the App Store, the Today section features several cards with the theme of “Designed for Accessibility.” The cards highlight stories about accessibility in apps including handcycling tracking in Strava, text-to-speech app Voice Dream Reader, a color-blind mode in Tint, hearing loss assistant SonicCloud, and Toca Life World’s inclusive character customization options for kids.


Finally, with most of Apple’s retail stores still closed, the company is continuing to focus on moving its Today at Apple sessions online with its series of Today at Apple at Home videos, and a new session on transitions and loops in the Clips app by Gus from Apple Carnegie Library is done entirely in American Sign Language. Audio narration and subtitles are also included.

Resolutions and Features of All-OLED iPhone 12 Lineup Detailed in New Report

Apple’s upcoming iPhones will all use flexible OLEDs sourced from Samsung, BOE, or LG Display, with some new features like 10-bit color expected, according to a report from display analyst Ross Young.


On his site Display Supply Chain Consultants (DSCC), Young details “corrections and confirmations” on what we can expect from Apple’s upcoming 2020 iPhone lineup, which will consist of four new smartphones.

Some of these are rumors that we’ve heard before, while other information, mostly specific to displays, is new.

5.4-inch iPhone 12

Young says that the iPhone 12 will feature a flexible OLED display from Samsung Display, with Y-OCTA integrated touch. Y-OCTA is Samsung’s flexible display technology in which the touch sensor is placed directly on the OLED panel without the need for a separate touch layer.

The 5.4-inch iPhone will feature a 2340 x 1080 resolution and 475 PPI.

6.1-inch iPhone 12 Max

The 6.1-inch “iPhone 12 Max” as Young calls it is expected to feature a flexible OLED sourced from BOE and LG Display with an add-on touch sensor and a resolution of 2532 x 1170 and 460 PPI.

6.1-inch iPhone 12 Pro

The higher-end Pro version of the 6.1-inch iPhone coming in 2020 will feature a Samsung Display flexible OLED, and Young says it will be one of the first smartphones with 10-bits of color, for more vibrant, true-to-life colors and a richer variety of color gradations.

The 6.1-inch iPhone 12 Pro is not expected to have Y-OCTA technology and it will feature the same resolution as the 6.1-inch iPhone 12 at 2532 x 1170 and 460 PPI.

Young says that Apple may be bringing extreme dynamic range (XDR) to its iPhone lineup, which is specified as 1,000 nits of full screen brightness and 1,600 nits of peak brightness. Samsung displays can’t hit this level, though, and thus if Apple does use XDR, XDR specifications will need to be tweaked.

Apple is rumored to be linking XDR (extreme dynamic range) compatibility to the iPhone 12 series. XDR performance on its monitors is specified by Apple as 1000 nits of full screen brightness, 1600 nits of peak brightness, 1M:1 contrast, 10-bits of color and ~100% P3 wide color gamut. To date, Samsung Display has only achieved 1342 nits of peak brightness and full screen brightness of 828 nits on smartphones, so if Apple does use XDR, the XDR specifications for brightness will need to change. Given the lower black levels in its OLED smartphones vs. its XDR monitor, contrast should actually be higher on its smartphones, in fact, DisplayMate measures the latest Samsung Display OLED contrast ratios as infinite in low ambient light.

Young also reiterates details he’s previously shared about rumors suggesting Apple will bring 120Hz ProMotion displays to the iPhone 12 lineup.

Apple’s iPhone 12 is not expected to use low-power LTPO technology, a feature Young believes is necessary for a fully functional 120Hz display given the power saving capabilities of LTPO technology.

Without LTPO, 120Hz is still possible, but it could be limited to non-native resolutions or it will be a significant power drain.

6.7-inch iPhone 12 Pro Max

The largest iPhone 12 Pro model that Apple plans to release in 2020 will feature a 6.68-inch display with a resolution of 2778 x 1284 at 458 PPI.

Young believes this model will have Y-OCTA support, 10-bit color, and will be XDR capable. Like the iPhone 12 Pro, it could also have a 120Hz refresh rate, but again, without LTPO.

Production

According to Young, panel production on components for the new 2020 iPhones will start approximately six weeks late, which means it will begin at the end of July. Young believes that this implies a delay in the iPhone 12 launch from September to October. There have been other rumors suggesting a possible delay, and Apple did stagger the launches of the iPhone XS and XR in 2018, so we could see a similar situation this year.

This year’s iPhones are expected to feature OLED across the board, smaller notches for the front-facing camera, 5G for all models, and more, with full details on what to expect available in our iPhone 12 roundup.

Firefox 76 Now Available on Mac With Improved Password Management Features

Mozilla today released the latest version of its Firefox browser, Firefox 76, which includes password management updates, picture-in-picture support, better Zoom integration, and more.


The new Firefox update includes improvements for Firefox Lockwise, which offers built-in password management features much like Safari to protect saved passwords.

Firefox Lockwise will require a device’s account password before allowing a saved password to be copied, and it will let users know if a website breach has occurred that compromises a login and password.

It also provides an alert for vulnerable passwords, which are passwords used for more than one site. The password generating feature that creates random passwords has also been rolled out to more sites.

The update includes picture-in-picture functionality, allowing users to watch video in a small window even when browsing other sites, and it supports Audio Worklets, so Firefox users can join Zoom calls in the Firefox browser without the need for additional downloads.

Firefox 76 is available as of today and can be downloaded from the Firefox website. Current Firefox users can upgrade from within the browser.


Google’s New True Wireless Pixel Buds Mimic Two Key AirPods Features

Google launched its second-generation Pixel Buds this week to generally favorable reviews, thanks in part to a couple of new features that AirPods owners have appreciated for some time.


The new Pixel Buds use a pairing process on Android 6.0+ phones called Fast Pair: Hold the case near your phone, flip the lid, and a screen pops up on the screen to indicate automatic pairing, which links them to the user’s Google account.

Apart from the obvious UI differences, that’s pretty much identical to the way you connect a pair of AirPods to iPhone. But the similarities don’t stop there. Google is also making it easier to find misplaced Pixel Buds. From Google’s blog:

It can be frustrating when you put your Bluetooth headphones down and immediately forget where you placed them. If they’re connected to your phone, you can locate your headphones by ringing them… And, when you misplace your headphones, in the coming months, you can check their last known location in the Find My Device app if you have Location History turned on.

Sound familiar? Apple’s Find My app includes a Find my AirPods feature that plays a tone to help users recover nearby AirPods connected to iPhone or iPad. It also shows the last known location of AirPods if they’re no longer connected.

Credit where it’s due, Google appears to have implemented the features well, including notifying users when the earbuds and case battery are running low upon connection. The company says it plans to include its Fast Pair technology in other audio accessories, just like Apple added its instant-pairing W1 and H1 chips to its wireless Beats line.

The new Pixel Buds are compatible with iOS, but don’t expect the new seamless pairing features to work with iPhone (the same goes for AirPods on Android). Unlike AirPods Pro, Pixel Buds don’t include active noise canceling either, instead offering something called Adaptive Sound that automatically adjusts the volume based on the wearer’s surroundings.

Features like Adaptive Sound and other settings are accessible in the Pixel Buds app on devices running Android 6.0 and later. The Pixel Buds software is also built into the settings menu as a system-level app on Pixel phones. Google’s new Pixel Buds are priced at $179 in the U.S. and can be ordered on the Google Play Store.

Stantinko’s new cryptominer features unique obfuscation techniques

ESET researchers bring to light unique obfuscation techniques discovered in the course of analyzing a new cryptomining module distributed by the Stantinko group’s botnet

In the new cryptomining module we discovered and described in our previous article, the cybercriminals behind the Stantinko botnet introduced several obfuscation techniques, some of which have not yet been publicly described. In this article, we dissect these techniques and describe possible countermeasures against some of them.

To thwart the analysis and avoid detection, Stantinko’s new module uses various obfuscation techniques:

  • Obfuscation of strings – meaningful strings are constructed and only present in memory when they are to be used
  • Control-flow obfuscation – transformation of the control flow into a form that is hard to read and in which the execution order of basic blocks is unpredictable without extensive analysis
  • Dead code – addition of code that is never executed; it also contains exports that are never called. Its purpose is to make the files look more legitimate to prevent detection
  • Do-nothing code – addition of code that is executed, but that has no material effect on the overall functionality. It is meant to bypass behavioral detections
  • Dead strings and resources – addition of resources and strings with no impact on the functionality

Out of these techniques, the most notable are obfuscation of strings and control-flow obfuscation; we will describe them in detail in the following sections.

All the strings embedded in the module are unrelated to the real functionality. Their source is unknown and they either serve as building blocks for constructing the strings that are actually used or they are not used at all.

The actual strings used by the malware are generated in memory in order to avoid file-based detection and thwart analysis. They are formed by rearranging bytes of the decoy strings – those embedded in the module – and using standard functions for string manipulation, such as strcpy(), strcat(), strncat(), strncpy(), sprintf(), memmove() and their Unicode versions.

Since all the strings to be used in a particular function are always assembled sequentially at the beginning of the function, one can emulate the entry points of the functions and extract the sequences of printable characters that arise to reveal the strings.
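The following is an added Python example, not part of the original article and not ESET’s tooling. It replays the strncat()-style construction on constructed decoy strings and a constructed fragment recipe, then applies the recovery idea from the paragraph above: scan a memory snapshot taken after the function prologue for printable ASCII and UTF-16LE runs and keep only the ones that are absent from the file image. The decoys, the recipe and the memory layout are all assumptions made for illustration.

```python
"""Added example: recovering strings that are only assembled in memory.

The decoy strings, the fragment recipe and the memory layout below are all
constructed for illustration; nothing here comes from the Stantinko sample."""
import re
from typing import List, Tuple

# Constructed decoy strings, standing in for the meaningless strings that are
# visible in the module's file image.
DECOYS = [b"Not Found", b"Game Over", b"Windows Services"]

# Constructed recipe: (decoy index, offset, length) fragments that the function
# copies strncat-style into a stack buffer right at its entry.
RECIPE = [(0, 0, 1), (1, 1, 3), (2, 8, 7)]   # -> b"NameService"


def emulate_entry(decoys: List[bytes], recipe) -> bytes:
    """Replay the strncat()-like copies the function prologue performs."""
    buf = bytearray()
    for idx, off, length in recipe:
        buf += decoys[idx][off:off + length]
    return bytes(buf)


def printable_runs(mem: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """(offset, encoding, text) for every ASCII and UTF-16LE run of printable characters."""
    n = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + n + rb",}")
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}")
    runs = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(mem)]
    runs += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in wide_re.finditer(mem)]
    return sorted(runs)


def constructed_snapshot() -> Tuple[bytes, bytes]:
    """Return (file image, memory snapshot after the prologue ran) for the toy function."""
    narrow = emulate_entry(DECOYS, RECIPE)
    wide = narrow.decode("ascii").encode("utf-16-le")       # the wide-string variant
    file_image = b"\x00".join(DECOYS) + b"\x00"               # what static tools see
    # Constructed stack region: padding, the narrow string, padding, the wide string.
    stack = bytes(16) + narrow + b"\x00" + bytes(16) + wide + b"\x00\x00"
    return file_image, file_image + stack


def runtime_only_strings(file_image: bytes, snapshot: bytes) -> List[str]:
    """Strings present in memory but absent from the file image: the real ones."""
    static = {text for _, _, text in printable_runs(file_image)}
    return sorted({text for _, _, text in printable_runs(snapshot) if text not in static})


if __name__ == "__main__":
    image, snap = constructed_snapshot()
    print(runtime_only_strings(image, snap))   # ['NameService']
```

Diffing the runtime runs against the static ones is what makes the technique practical: the decoys show up in both sets and drop out, while anything assembled at the function entry survives, in either its narrow or its wide form.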

Figure 1. Example of string obfuscation. There are 7 highlighted decoy strings in the image. For example, the one marked in red generates the string “NameService”.

Control-flow flattening is an obfuscation technique used to thwart analysis and avoid detection.

Common control-flow flattening is achieved by splitting a single function into basic blocks. These blocks are then placed as dispatches into a switch statement inside of a loop (i.e. each dispatch consists of exactly one basic block). There is a control variable to determine which basic block should be executed in the switch statement; its initial value is assigned before the loop.

The basic blocks are all assigned an ID and the control variable always holds the ID of the basic block to be executed.

All the basic blocks set the value of the control variable to the ID of its successor (a basic block can have multiple possible successors; in that case the immediate successor can be chosen in a condition).

Figure 2. Structure of common control-flow-flattening loop

There are various approaches to resolving this obfuscation, such as using IDA’s microcode API. Rolf Rolles used this method to identify these loops heuristically, extract the control variable from each flattened block and rearrange them in accordance with the control variables.

This – and similar – approaches would not work on Stantinko’s obfuscation, because it has some unique features compared to common control-flow-flattening obfuscations:

  • Code is flattened on the source code level, which also means the compiler can introduce some anomalies into the resulting binary
  • The control variable is incremented in a control block (to be explained later), not in basic blocks
  • Dispatches contain multiple basic blocks (the division may be disjunctive, i.e. each basic block belongs to exactly one dispatch, but sometimes the dispatches intertwine, meaning that they share some basic blocks)
  • Flattening loops can be nested and successive
  • Multiple functions are merged

These features show that Stantinko has introduced new obstacles to this technique that must be overcome in order to analyze its final payload.

Control-flow flattening in Stantinko

In most of Stantinko’s functions, the code is split into several dispatches (described above) and two control blocks — a head and a tail — that control the flow of the function.

The head decides which dispatch should be executed by checking the control variable. The tail increases the control variable by a fixed constant and either goes back to the head or exits the flattening loop:

Figure 3. Regular structure of Stantinko’s control-flow-flattening loop

Stantinko appears to flatten the code of all functions and the bodies of high-level constructs (such as for loops), but it sometimes also picks seemingly random blocks of code. Since it applies the control-flow-flattening loops to both functions and high-level constructs, the loops are naturally nested, and multiple consecutive loops occur as well.

When a control-flow-flattening loop is created by merging code of multiple functions, the control variable in the resulting merged function is initialized with different values, based on which of the original functions is called. The value of the control variable is passed to the resulting function as a parameter.

We overcame this obfuscation technique by rearranging the blocks in the binary; our approach is described in the next section.

It’s important to note that we observed multiple anomalies in some of the flattening loops that make it harder to automate the deobfuscation process. The majority of them seem to be generated by the compiler; this leads us to believe that the control-flow-flattening obfuscation is applied prior to compilation.

We witnessed the following anomalies; they can appear separately or in combination:

  1. Some dispatches can be just dead code – they will never be executed. (Examples in the section “Dead code inside the control-flow-flattening loop” below.)
  2. Basic blocks inside of dispatches may intertwine; that is, dispatches can share code.

Figure 4. Structure of a flattening loop with dispatches sharing joint code

  3. There are direct jumps from dispatches to a block outside the flattening loop, right behind the tail, and to blocks that return from the function.

Figure 5. Structure of a flattening loop whose dispatch breaks directly out of the loop. Only one of the dashed lines occurs.

  4. There can be multiple tails, or no tail at all – in the latter case, the control variable is increased at the end of each dispatch.

Figure 6. Structure of a flattening loop without any tail (left) and with multiple tails (right)

  5. The head doesn’t contain a jump table right away. Instead, there can be multiple jump tables and there’s a sequence of branches, prior to the jump tables, binary-searching for the correct dispatch.
  6. The value of the control variable might be used inside of the dispatches; this means that the control value has to be preserved/computed even in the deobfuscated code.

Figure 7. The EDI register contains the control variable that is passed to EAX and used inside the dispatch. The dispatch is highlighted with red.

  7. Sometimes, the tail contains instructions that are crucial to restoring the correct values of registers and local variables. During deobfuscation, we remove the tail, so we must make sure these instructions are executed after each dispatch, even if they are not part of it.
  8. There are cases where no dispatch has an ID equal to the current value of the control variable.

Deobfuscation

Our goal is to build a deobfuscation function able to rearrange the code on the binary level to make it easily readable for a reverse engineer, while keeping the resulting code executable. It has to be able to recognize all basic blocks belonging to each dispatch and to copy and move them arbitrarily.

During basic block manipulation one has to make sure to recalculate relative addresses of branch targets and addresses forming legitimate jump tables correctly.

Our solution doesn’t take relocations into account, hence one always needs to make sure that the sample is loaded at the same base address.

We used a reverse-engineering framework that provides us with some useful features, such as assembly manipulation and a symbolic execution engine.

The core parameters of the function are the addresses of the control blocks (head and tails), the range and step of the control variable, the registers and memory locations holding the control variable (control_locations), and, lastly, the address of the first basic block following the loop, which we define as next_block. It obviously also requires the address of the function to be deobfuscated and the address where the deobfuscated function should be placed.

We expect multiple tails due to anomaly 4 above.

The deobfuscation function iterates through the range of the control variable by its step value to simulate the real control-flow-flattening loop; in each iteration, the function starts by generating a context to deal with anomalies 6 and 7. The context is to be placed before the respective dispatch.

The context is a basic block containing instructions assigning registers and memory addresses and keeping control_locations updated. The context of the first iteration just preserves the value of the control variable. (Note: no context is required to deal with anomaly number 4.)

The last basic blocks of the previous dispatch (or, in case of the first dispatch, the basic blocks right before the head) are redirected to the created context.

The initial basic block of a dispatch that is to be executed (in each of the iterations) is determined by the current value of the control variable (dispatch ID).

The actual basic block is found by symbolically executing the binary-search algorithm, which searches for a basic block with the current ID. The initial state of the symbolic execution contains control_locations assigned to the current value of the control variable.

We stop the symbolic execution at the first basic block that (i) contains an unconditional branch, or, (ii) has a destination that cannot be determined by the control variable.

One could also emulate this part or use a framework that would be able to simplify the binary-search algorithm into a jump table and then convert that into a switch statement instead. These methods deal with anomaly 5.

In case there’s no dispatch for a particular ID, the loop just continues and increases the control variable due to anomaly 8.

The whole dispatch (i.e., each basic block that is reachable from its initial basic block to its head, tail(s) or next_block) is then copied after the preceding context block (as described above). It cannot be just moved due to anomaly 2.

There are currently two uncommon cases that can occur due to anomaly 3; both result in premature termination of the iteration. The cases happen when a dispatch:

  • Returns from the function
  • Points to next_block

Finally, when the iteration ends, the last basic blocks of the previous dispatch (or basic blocks right before the head, in case of the first dispatch), are redirected to the first basic block outside the flattening loop.

This method solves anomaly 1 automatically, since the dead dispatches won’t be copied into the resulting code.
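As an added illustration of both the common flattening structure described earlier (head, dispatches, tail, control variable) and the deobfuscation walk just described, here is a toy model in Python. It is not ESET’s code and uses no reverse-engineering framework: basic blocks are lists of constructed pseudo-instruction strings instead of x86, the Dispatch/FlatLoop classes are mine, and the dispatch IDs are arbitrary. run_flattened() is the reference behaviour of the obfuscated loop; unflatten() iterates the control range by its step, skips IDs without a dispatch (anomaly 8), copies rather than moves blocks (anomaly 2), emits a context block where the control value is read (anomaly 6), re-emits the tail’s fix-ups after each dispatch (anomaly 7), stops at a dispatch that leaves the loop directly (anomaly 3), and drops dead dispatches (anomaly 1). A second entry value models a merged function.

```python
"""Added example: a toy model of Stantinko's head/dispatch/tail flattening loop
and of the deobfuscation walk that iterates the control variable by its step.

Everything here is constructed: the pseudo-instructions are plain strings, not
x86, and the data structures are mine, not ESET's or any RE framework's."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Dispatch:
    blocks: List[str]        # pseudo-instructions of the dispatch's basic blocks
    exit: str = "tail"       # "tail" (normal) | "ret" | "next" (anomaly 3: leaves the loop directly)


@dataclass
class FlatLoop:
    dispatches: Dict[int, Dispatch]     # dispatch ID -> dispatch
    start: int                          # initial control value (differs per entry for merged functions)
    stop: int                           # the loop exits once ctrl reaches this value
    step: int                           # constant the tail adds to ctrl
    tail_extra: List[str] = field(default_factory=list)             # anomaly 7: fix-ups in the tail
    next_block: List[str] = field(default_factory=lambda: ["ret"])  # first block after the loop


def execute(code: List[str], ctrl: int) -> List[str]:
    """Interpret pseudo-instructions; 'ctrl = N' and 'use ctrl' are the only special ones."""
    trace: List[str] = []
    for ins in code:
        if ins.startswith("ctrl = "):
            ctrl = int(ins[len("ctrl = "):], 0)
        elif ins == "use ctrl":             # anomaly 6: the dispatch reads the control variable
            trace.append(f"use ctrl={ctrl:#x}")
        else:
            trace.append(ins)
            if ins == "ret":
                break
    return trace


def run_flattened(loop: FlatLoop, entry: Optional[int] = None) -> List[str]:
    """Reference behaviour of the obfuscated loop: the head selects, the tail increments."""
    ctrl = loop.start if entry is None else entry
    trace: List[str] = []
    while ctrl < loop.stop:                              # head
        d = loop.dispatches.get(ctrl)                    # no match (anomaly 8): straight to the tail
        if d is not None:
            trace += execute(d.blocks, ctrl)
            if d.exit == "ret":
                return trace
            if d.exit == "next":
                return trace + loop.next_block
        trace += loop.tail_extra                         # tail
        ctrl += loop.step
    return trace + loop.next_block


def unflatten(loop: FlatLoop, entry: Optional[int] = None) -> List[str]:
    """Rebuild straight-line code by walking the control range by its step."""
    out: List[str] = []
    first = loop.start if entry is None else entry
    for ctrl in range(first, loop.stop, loop.step):
        d = loop.dispatches.get(ctrl)
        if d is None:                                    # anomaly 8: no dispatch for this ID
            out += loop.tail_extra
            continue
        if "use ctrl" in d.blocks:                       # context block for anomaly 6
            out.append(f"ctrl = {ctrl:#x}")
        out += list(d.blocks)                            # copied, not moved: anomaly 2 shares blocks
        if d.exit == "ret":                              # anomaly 3: the dispatch leaves by itself
            return out
        if d.exit == "next":
            return out + loop.next_block
        out += loop.tail_extra                           # anomaly 7: keep the tail's side effects
    return out + loop.next_block


# Constructed sample loop exercising the anomalies (IDs are arbitrary).
SAMPLE = FlatLoop(
    dispatches={
        0x10: Dispatch(["open_file", "shared_cleanup"]),
        0x20: Dispatch(["use ctrl", "read_file"]),       # anomaly 6
        0x25: Dispatch(["winspy_dead_code"]),            # anomaly 1: never on the start+k*step grid
        0x40: Dispatch(["parse", "shared_cleanup"]),     # anomaly 2: shares a block with 0x10
        0x50: Dispatch(["close_file"], exit="next"),     # anomaly 3: jumps past the tail
        0x60: Dispatch(["never_reached"]),               # dead because 0x50 exits the loop
    },
    start=0x10, stop=0x70, step=0x10,
    tail_extra=["restore_esi"],
    next_block=["free_buf", "ret"],
)

if __name__ == "__main__":
    print("\n".join(unflatten(SAMPLE)))
```

The check worth keeping from this model is the equivalence test: interpreting the straight-line output with the initial control value must give exactly the trace of the flattened loop, for the normal entry and for every other entry value a merged function is called with. The model does not cover nested loops or the binary-search head (anomaly 5); a real implementation resolves those with symbolic execution, as the article describes.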

Figure 8. Example of an obfuscated function (left) and its deobfuscated counterpart (right). The dispatches are executed in this order: dispatch1 → dispatch2 → dispatch3.

These changes are then written to the virtual address where the deobfuscated function should be placed.

In case we are dealing with flattening of merged functions, we redirect the references to the target function that pass the same initial value of the control variable as a parameter to the address of the corresponding new deobfuscated function.

Figure 9. Example of obfuscated (right) and deobfuscated (left) control flow graph

Possible improvements

The approach described above operates exclusively at the assembly level, which isn’t sufficient to make the deobfuscation fully automated.

The reason is that accurate recognition of all patterns is rather difficult, mostly due to the various compiler optimizations applied on top of the source-level obfuscation. Pattern recognition is necessary in our case, for example, to automatically fill in the parameters of the core deobfuscation function.

The advantage of this approach is that the resulting code can be executed right away and one can use arbitrary reverse-engineering tools for further analysis.

This approach could be further improved by the use of a progressive intermediate representation (IR), which provides optimization techniques that would, among other things, get rid of most of the anomalies generated by compilers, and thus allow automated recognition of the parameters required by the deobfuscation function.

One could also use the selected IR for both recognition and deobfuscation, where the latter, in our case, consists of rearranging basic blocks.

The drawback of this option is that the resulting code would also be in the IR, which means that the consecutive analysis would have to be done with the IR as well. The number of tools working with the IR and their functionality could be rather limited, especially when it comes to visualization. Due to this, it’d be hard to analyze a more complex sample, especially when there are additional layers of obfuscation. We wouldn’t be able to execute the resulting code either.

By “dead code” we mean code that either is never executed, or has no overall impact on the functionality. The malware contains dead code mostly in the flattened loops (effectively removed by our above-explained deobfuscation function), but there are also, for example, unused exports and there’s no way to distinguish the unused exports from the legitimate ones.

As for dead code in the flattened loop: for Stantinko, it is always inside the dispatches that are never executed. It may contain modified parts of legitimate software such as WinSpy++ (see the example below) that was obfuscated in the same way.

Figure 10. Deobfuscated part of dead code inside a dispatch containing legitimate WinSpy++ code

Figure 11. The equivalent part of code (as in Figure 10) in the official release of WinSpy++

Even after the unflattening operation, there are parts of code that have no purpose at all, intermingled with the lines of the “real code”. This is probably meant to obscure the analysis even more or to bypass behavioral detection.

Figure 12. Marked parts are redundant code that iterates through the first two disk volume names and then does nothing with the returned values

Since the code isn’t much harder to read, we decided not to take any actions and analyzed the code at this point.

To optimize out this do-nothing code in general, we’d have to, for example, generate disjoint slices containing all the Windows API calls that are present. The slicing criterion would consist of all the parameters of the calls in each disjoint slice.

Subsequently we’d execute the slices with a prepared call stack in a controlled environment, and we’d consider a slice to be functional if it does at least one of the following:

  • make some changes to the underlying OS
  • require an initial value of a function parameter or a global variable to be known
  • assign a value of a function parameter or a global variable
  • directly affect overall control flow of the function
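An added Python sketch of the slicing idea, not from the article and not ESET’s tooling: statements are a constructed def/use representation of a function, backward slices are computed from every API call (and, as my own extension, from every conditional branch, so that the control-flow criterion can be detected), overlapping slices are merged into disjoint groups, and the four criteria above are then applied statically to each group instead of by executing it. The sample function is modelled on Figure 12, and the set of APIs assumed to change OS state is a constructed assumption to be adjusted per analysis.

```python
"""Added example: flagging do-nothing code with backward slices from API calls.

The def/use representation, the sample function and the list of
state-changing APIs are all constructed; the four criteria are applied
statically here instead of by executing the slices."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Stmt:
    dst: Optional[str]           # variable defined by the statement, if any
    uses: List[str]              # variables it reads (the call's parameters for an API call)
    api: Optional[str] = None    # Windows API name if the statement is a call
    branch: bool = False         # the statement is a conditional branch of the function


PARAMS = {"arg_path"}            # function parameters of the constructed sample
GLOBALS = {"g_config"}           # global variables of the constructed sample
# Assumed classification of which APIs change OS state; adjust per analysis.
STATE_CHANGING = {"CreateFileW", "WriteFile", "RegSetValueExW", "DeleteFileW"}


def backward_slice(stmts: List[Stmt], idx: int) -> Tuple[Set[int], Set[str]]:
    """Data-dependence slice ending at stmts[idx]; also returns the free variables
    (values the slice needs on entry without defining them itself)."""
    needed = set(stmts[idx].uses)
    members = {idx}
    for i in range(idx - 1, -1, -1):
        s = stmts[i]
        if s.dst is not None and s.dst in needed:
            members.add(i)
            needed.discard(s.dst)
            needed |= set(s.uses)
    return members, needed


def disjoint_slices(stmts: List[Stmt]) -> List[Tuple[Set[int], Set[str]]]:
    """Slice from every API call (and, as an extension, every branch) and merge
    overlapping slices so that each statement belongs to exactly one group."""
    groups: List[Tuple[Set[int], Set[str]]] = []
    for idx, s in enumerate(stmts):
        if s.api is None and not s.branch:
            continue
        members, free = backward_slice(stmts, idx)
        rest = []
        for g_members, g_free in groups:
            if g_members & members:
                members, free = members | g_members, free | g_free
            else:
                rest.append((g_members, g_free))
        groups = rest + [(members, free)]
    return groups


def is_functional(stmts: List[Stmt], members: Set[int], free: Set[str]) -> bool:
    """The article's four criteria: any one of them makes the slice functional."""
    external = PARAMS | GLOBALS
    if free & external:                                   # needs a parameter/global's initial value
        return True
    for i in members:
        s = stmts[i]
        if s.api in STATE_CHANGING:                       # changes the underlying OS
            return True
        if s.dst in external:                             # assigns a parameter/global
            return True
        if s.branch:                                      # affects the function's control flow
            return True
    return False


def do_nothing_calls(stmts: List[Stmt]) -> List[str]:
    """API calls whose slice satisfies none of the criteria."""
    out: List[str] = []
    for members, free in disjoint_slices(stmts):
        if not is_functional(stmts, members, free):
            out += [stmts[i].api for i in sorted(members) if stmts[i].api]
    return out


# Constructed sample modelled on Figure 12: the volume enumeration feeds nothing.
SAMPLE = [
    Stmt("h", [], api="FindFirstVolumeW"),
    Stmt("ok", ["h"], api="FindNextVolumeW"),
    Stmt(None, ["h"], api="FindVolumeClose"),
    Stmt("hf", ["arg_path"], api="CreateFileW"),
    Stmt(None, ["hf", "g_config"], api="WriteFile"),
    Stmt(None, ["hf"], api="CloseHandle"),
]

if __name__ == "__main__":
    print(do_nothing_calls(SAMPLE))   # ['FindFirstVolumeW', 'FindNextVolumeW', 'FindVolumeClose']
```

Adding a single branch that tests the result of FindNextVolumeW pulls the whole enumeration into a functional group, which is the point of the fourth criterion: code that looks redundant in isolation must be kept once anything in the function depends on it.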

The criminals behind the Stantinko botnet are constantly improving and developing new modules that often contain non-standard and interesting techniques.

We have described their new cryptomining module previously; for the module’s functional analysis, refer to our November 2019 blogpost. This module displays several obfuscation techniques aimed at protecting against detection and thwarting analysis. We analyzed the techniques and described a possible approach to deobfuscating some of these techniques.

Note: For IoCs and the list of techniques mapped to the MITRE ATT&CK taxonomy, please refer to our previous article describing this cryptominer’s functionality.



Vladislav Hrčka



iPhone SE vs. iPhone XR: Features Compared

After nearly a year of rumors, Apple has finally introduced the 2020 edition of the iPhone SE. The device shares the same design as the iPhone 8, including a 4.7-inch display and a Touch ID home button, but it has a faster A13 Bionic chip and an extra GB of RAM. Most importantly, the new iPhone SE starts at just $399 in the United States.


With the iPhone 8 and iPhone 8 Plus now discontinued, the lower end of Apple’s smartphone lineup now includes the new iPhone SE and the iPhone XR, released in October 2018. Thinking about upgrading? Read our comparison of the devices below.

Differences

Smaller vs. Larger Display

The new iPhone SE has a 4.7-inch display, while the iPhone XR has a 6.1-inch display.

Both displays are LCDs with 326 pixels per inch, True Tone, 625 nits max brightness, a 1400:1 contrast ratio, and support for the P3 wide color gamut.

A13 Bionic vs. A12 Bionic

The new iPhone SE is powered by the A13 Bionic, which is the same latest-and-greatest chip inside the iPhone 11 and iPhone 11 Pro. By comparison, the iPhone XR is equipped with the previous-generation A12 Bionic chip.


Apple advertises the A13 chip as up to 20 percent faster and up to 30 percent more power efficient than the A12 chip.

Bezels vs. Notch

The new iPhone SE has the same design as the iPhone 8, with thicker bezels above and below the display for the front camera and Touch ID home button. By comparison, the iPhone XR drops the home button and instead has a nearly edge to edge display with a notch at the top for the front camera and Face ID sensors.

Touch ID vs. Face ID

The iPhone SE has a Touch ID home button for fingerprint authentication, while the iPhone XR uses Apple’s more advanced Face ID system for facial authentication.

Face ID debuted on the iPhone X in 2017. At the time, Apple said the probability that a random person could unlock someone else’s iPhone X was approximately one in 1,000,000, versus one in 50,000 for Touch ID. However, both forms of authentication are quite safe, so it really comes down to personal preference.


Face ID does not work well with masks, while Touch ID does not work well with wet or sweaty fingers, so neither system is perfect.

Since the new iPhone SE lacks Face ID, it does not support Animoji or Memoji.

Rear Camera

While both the new iPhone SE and the iPhone XR are equipped with a single 12-megapixel wide-angle rear camera with an f/1.8 aperture, the iPhone XR has a newer sensor with 1.4µm pixels and larger Focus Pixels, whereas the iPhone SE has the same sensor as the iPhone 8. However, the new iPhone SE benefits from the A13 chip’s improved image signal processor, so the gap between the cameras is likely minimal.

Battery Life

As a physically larger device, the iPhone XR has longer battery life than the new iPhone SE.

Apple says the new iPhone SE can last up to 13 hours for non-streaming video playback and up to 40 hours for audio playback, which is about the same as the iPhone 8. By comparison, Apple says the iPhone XR lasts up to 16 hours for non-streamed video playback and up to 65 hours for audio playback.

Wi-Fi

The new iPhone SE supports Wi-Fi 6, aka 802.11ax, while the iPhone XR supports Wi-Fi 5 or 802.11ac.

Wi-Fi 6 delivers faster speeds, greater network capacity, improved power efficiency, lower latency, and connectivity improvements in areas with several Wi-Fi devices. Wi-Fi 6 devices are also required to support WPA3, the latest Wi-Fi security protocol with improved cryptographic strength.

LTE

The new iPhone SE supports Gigabit-class LTE, potentially allowing for slightly faster LTE speeds compared to the iPhone XR.

Thickness and Weight

The new iPhone SE is 7.3mm thick and weighs 0.3 pounds, while the iPhone XR is slightly thicker and heavier at 8.3mm and 0.4 pounds.

Pricing

The new iPhone SE starts at $399, while the iPhone XR starts at $599, both with 64GB of storage. Both devices are also available with 128GB of storage, but only the iPhone SE has a 256GB option as of now.

For perspective, the iPhone SE with 256GB of storage for $549 is still cheaper than the iPhone XR with 64GB of storage for $599.

Colors

Both the new iPhone SE and iPhone XR come in Black, White, and (RED), and the iPhone XR is also available in Blue, Coral, and Yellow.

Similarities

  • Glass and aluminum design
  • Wireless charging
  • Fast charging with USB-C: up to 50% battery life in 30 minutes
  • IP67-rated water resistance to a depth of 1 meter for up to 30 minutes
  • 4K video recording at up to 60 FPS
  • Lightning connector
  • No headphone jack
  • Dual SIM (nano-SIM and eSIM)
  • Bluetooth 5.0
  • VoLTE
  • Dolby Vision and HDR10 support
  • EarPods with Lightning connector in box

Tech Specs Compared

iPhone SE

  • 4.7-inch LCD display
  • 1334×750 resolution and 326 PPI
  • True Tone display
  • Single 12-megapixel rear camera (wide lens)
  • Single 7-megapixel front camera
  • Portrait Mode with Depth Control: humans only
  • Six Portrait Lighting effects
  • Next-gen Smart HDR
  • A13 Bionic chip with third-gen Neural Engine
  • Touch ID
  • Haptic Touch
  • Lightning connector
  • Fast charging capable: up to 50% charge in 30 minutes
  • Qi-based wireless charging
  • IP67-rated water resistance to a depth of 1 meter for up to 30 minutes
  • 64/128/256GB
  • Dual SIM (Nano-SIM and eSIM)
  • Gigabit-class LTE
  • VoLTE
  • 802.11ax Wi‑Fi 6
  • Bluetooth 5.0
  • 3GB RAM
  • Similar battery life as iPhone 8

iPhone XR

  • 6.1-inch LCD display
  • 1792×828 resolution and 326 PPI
  • True Tone display
  • Single 12-megapixel rear camera (wide lens)
  • Single 7-megapixel front camera
  • Portrait Mode with Depth Control: humans only
  • Three Portrait Lighting effects
  • Smart HDR
  • A12 Bionic chip with second-gen Neural Engine
  • Face ID
  • Haptic Touch
  • Lightning connector
  • Fast charging capable: up to 50% charge in 30 minutes
  • Qi-based wireless charging
  • IP67-rated water resistance to a depth of 1 meter for up to 30 minutes
  • 64/128GB (256GB discontinued)
  • Dual SIM (Nano-SIM and eSIM)
  • LTE Advanced
  • VoLTE
  • 802.11ac Wi‑Fi 5
  • Bluetooth 5.0
  • 3GB RAM
  • 1.5 hours longer battery life than iPhone 8 Plus

Bottom Line

If price is the key factor in your upgrade decision, then the new iPhone SE is a very compelling device considering that it has the same A13 Bionic chip as the iPhone 11 Pro despite starting at just $399.

If you are upgrading from an older device like an iPhone 6 or iPhone 7, you will already be familiar with the home button experience on the new iPhone SE, whereas Face ID and gestures on the iPhone X and newer take some time to get used to. And with a 4.7-inch display, the new iPhone SE is also the same size as the iPhone 6, iPhone 7, and iPhone 8.

The new iPhone SE might also receive at least one additional year of iOS updates compared to the iPhone XR given its newer A13 Bionic chip.

Two reasons to choose the iPhone XR over the new iPhone SE would be its larger 6.1-inch display and its modern design with slim bezels, a notch, and Face ID. The new iPhone SE could quite possibly end up being the last iPhone that Apple sells with a home button, so those who choose the new iPhone SE will be settling for an older design.
