Want to Avoid Malware on Your Android Phone? Try the F-Droid App Store

In the early days of Android, co-founder Andy Rubin set the stage for the fledgling mobile operating system. Android’s mission was to create smarter mobile devices, ones that were more aware of their owner’s behavior and location. “If people are smart,” Rubin told Business Week in 2003, “that information starts getting aggregated into consumer products.” A decade and a half later, that goal has become a reality: Android-powered gadgets are in the hands of billions and are loaded with software shipped by Google, the world’s largest ad broker.

Sean O’Brien and Michael Kwet are visiting fellows at Privacy Lab (@YalePrivacyLab), an initiative of the Information Society Project at Yale Law School. Contact them securely.

Our work at Yale Privacy Lab, made possible by Exodus Privacy’s app scanning software, revealed a huge problem with the Android app ecosystem. Google Play is filled with hidden trackers that siphon a smörgåsbord of data from all sensors, in all directions, unknown to the Android user.

As the profiles we’ve published about trackers reveal, apps in the Google Play store share a wide variety of data with advertisers, in creative and nuanced ways. These methods can be as invasive as ultrasonic tracking via TV speakers and microphones. Piles of information are being harvested via labyrinthine channels, with a heavy focus on retail marketing. This was the plan all along, wasn’t it? The smart mobile devices that comprise the Android ecosystem are designed to spy on users.

One week after our work was published and the Exodus scanner was announced, Google said it would expand its Unwanted Software Policy and implement click-through warnings in Android.

But this move does nothing to fix fundamental flaws in Google Play. A polluted ocean of apps is plaguing Android, an operating system built upon Free and Open-Source Software (FOSS) but now barely resembling those venerable roots. Today, the average Android device is not only susceptible to malware and trackers, it’s also heavily locked down and loaded with proprietary components—characteristics that are hardly the calling cards of the FOSS movement.

Though Android bears the moniker of open-source, the chain of trust between developers, distributors, and end-users is broken.

Google’s defective privacy and security controls have been made painfully real by a recent investigation into location tracking, massive outbreaks of malware, unwanted cryptomining, and our work on hidden trackers.

The Promise of Open-Source, Unfulfilled

It didn’t have to be this way. When Android was declared Google’s answer to the iPhone, there was palpable excitement across the Internet. Android was ostensibly based on GNU/Linux, the culmination of decades of hacker ingenuity meant to replace proprietary, locked-down software. Hackers worldwide hoped that Android would be a FOSS champion in the mobile arena. FOSS is the gold-standard for security, building that reputation over the decades because of its fundamental transparency.

As Android builds rolled out, however, it became clear that Rubin’s baby contained very little GNU, a vital anchor that keeps GNU/Linux operating systems transparent via a licensing strategy called copyleft, which requires modifications to be made available to end-users and prohibits proprietary derivatives. Such proprietary components can contain all kinds of nasty “features” that tread upon user privacy.

As a 2016 Ars Technica story made clear, there were directives inside Google to avoid copyleft code—except for the Linux kernel, which the company could not do without. Google preferred to bootstrap so-called permissively licensed code on top of Linux instead. Such code may be locked down and doesn’t require developers to disclose their modifications—or any of the source code for that matter.

Google’s choice to limit copyleft’s presence in Android, its disdain for reciprocal licenses, and its begrudging use of copyleft only when it “made sense to do so” are just symptoms of a deeper problem. In an environment without sufficient transparency, malware and trackers can thrive.

Android’s privacy and security woes are amplified by cellphone companies and hardware vendors, which bolt on dodgy Android apps and hardware drivers. Sure, most of Android is still open-source, but the door is wide open to all manners of software trickery you won’t find in an operating system like Debian GNU/Linux, which goes to great length to audit its software packages and protect user security.

Surveillance is not only a recurring problem on Android devices; it is encouraged by Google through its own ad services and developer tools. The company is a gatekeeper that not only makes it easy for app developers to insert tracker code, but also develops its own trackers and cloud infrastructure. Such an ecosystem is toxic for user privacy and security, whatever the results are for app developers and ad brokers.

Apple is currently under fire for its own lack of software transparency, admitting it had slowed down older iPhones. And iOS users should not breathe a sigh of relief in regard to hidden trackers, either. As we at Yale Privacy Lab noted in November: “Many of the same companies distributing Google Play apps also distribute apps via Apple, and tracker companies openly advertise Software Development Kits compatible with multiple platforms. Thus, advertising trackers may be concurrently packaged for Android and iOS, as well as more obscure mobile platforms.”

Transparency in software development and delivery leads to better security and privacy protection. Not only is auditable source code a requirement (though not a guarantee) for security, but a clear and open process allows users to evaluate the trustworthiness of their software. Moreover, this clarity enables the security community to take a good, hard look at software and find any noxious or insecure components that may be hidden within.

The trackers we’ve found in Google Play are just one aspect of the problem, though they are shockingly pervasive. Google does screen apps during Google Play’s app submission process, but researchers are regularly finding scary new malware and there are no barriers to publishing an app filled with trackers.

Finding a Replacement

Yale Privacy Lab is now collaborating with Exodus Privacy to detect and expose trackers with the help of the F-Droid app store. For pure security reasons, F-Droid is the best replacement for Google Play, because it only offers FOSS apps without tracking, has a strict auditing process, and may be installed on most Android devices without any hassles or restrictions. The F-Droid store doesn’t have anywhere near the app selection of Google Play; it has fewer than 3,000 apps, compared to the primary app store’s selection of around 1.5 million. Of course, it can be used alongside Google Play, as well.

It’s true that Google does screen apps submitted to the Play store to filter out malware, but the process is still mostly automated and very quick—too quick to detect Android malware before it’s published, as we’ve seen.

Installing F-Droid isn’t a silver bullet, but it’s the first step in protecting yourself from malware. With this small change, you’ll even have bragging rights with your friends with iPhones, who are limited to Apple’s App Store unless they jailbreak their phones.

But why debate iPhone vs. Android, Apple vs. Google, anyway? Your privacy and security are massively more important than brand allegiance. Let’s debate digital freedom and servitude, free and unfree, private and spied-upon.

WIRED Opinion publishes pieces written by outside contributors and represents a wide range of viewpoints.

Moog Music Drummer From Another Mother (DFAM): Price, Specs, Release Date

The folks at Moog Music aren’t content simply making ridiculously fun synthesizers, iPad apps, and effects boxes for artists. The company is now dipping into percussion—its latest product, announced today, is a drum machine called the Drummer From Another Mother.

Well, wait. It’s not exactly a drum machine. It’s actually a monophonic, semi-modular, analog percussion synthesizer. That’s a lot to unpack, but what you need to know is that when you turn on the DFAM and start twisting the knobs, it makes great synthetic drum and percussion sounds—deep throbs, hypersonic plinks, and everything in between.

The DFAM is monophonic, so by default it can only output one sound at a time. That means you can set it up to play a kick drum pattern, or a snare drum pattern, or a tom-tom pattern, but not all three at once (unless you use the patch cables, but I’ll get into that in a bit). Most drum machines are polyphonic; they can reproduce the sounds a human drummer would make sitting behind a drum kit. The DFAM, being monophonic, is more limited. But as any musician will tell you, with limitations come greater opportunities for experimentation.

I’ve spent some time with the DFAM over the past couple of weeks (Moog Music offered it as a DIY kit at its Moogfest conference, and I was invited to solder one together in a workshop), and one of the great joys of the machine is that you don’t really need to know anything about drum programming to start getting some interesting tones out of it. That’s mostly because it doesn’t look or work anything like a regular drum machine. It has knobs and patch bays where most drum machines would have tap-pads and LCD screens. Anybody even slightly familiar with how to make a synth go “bleep” will feel at home.

Once you get a quick lay of the land, you can start building patterns right away. Dial in a good starting sound, then run it through the DFAM’s sequencer—it has eight steps, and each step has its own velocity and pitch controls. As your chosen sound bounces through the steps, you can make it go up and down in pitch, or grow louder or softer. For a synth capable of creating only one sound at a time, it’s an expressive and dynamic palette.

“I don’t call it a drum machine,” says Moog Music senior hardware engineer Steve Dunnington, the DFAM’s lead designer. “It doesn’t actually say ‘drum’ anywhere on it.” Dunnington began sketching out ideas for the DFAM at the end of 2016, then built several prototypes before bringing the DIY version to Moogfest in May 2017. After the hobby-style kit went over well with conference attendees, Dunnington and his team started creating a version of the DFAM for the consumer market. Now, you can buy one for $599.

About that funny name. If you’re a Moog fan, then you know about the Mother 32. It’s a semi-modular synth similar in function to the Drummer From Another Mother, and the two machines are the same shape and size—hence the motherly love in the naming. They can be connected together via their matching patch bays so that they sync up and run at the exact same tempo. A typical use case is to write a bass line on the Mother, then sync up a DFAM (or three) to play your robotic rhythm part. The DFAM also has inputs, so you can plug in another instrument, synth, or sampler and use that to trigger your drum sounds. There are a ton of options, and no right or wrong way to use them.

“I don’t always think about these things as being dogmatic,” Dunnington says. “You have to explore.”

Astronomers Trace Fast Radio Burst to Extreme Cosmic Neighborhood

On Christmas Eve 2016, Andrew Seymour, an astronomer at the Arecibo Observatory in Puerto Rico, kissed his 4-year-old daughter, Cora Lee, goodnight, telling her he was off to track Santa. He walked to the well-worn telescope, occasionally passing revelers riding horses through the empty streets—a common sight in Arecibo during the holidays. Sometimes a lonely firework would light up in the distance. Close to midnight, he nodded to a guard and entered the nearly empty complex.

Quanta Magazine

Original story reprinted with permission from Quanta Magazine, an editorially independent publication of the Simons Foundation whose mission is to enhance public understanding of science by covering research developments and trends in mathematics and the physical and life sciences.

The radio dish was on a break from its regular schedule, so Seymour decided to test out new hardware that he and his colleagues had been working on. Soon after he began recording his observations, an extremely powerful radio source, 3 billion light-years away, decided to say hello. Seymour didn’t find Santa that Christmas, but rather an unexpected twist in the tale of one of the most mysterious objects in the cosmos.

The object that Seymour caught that night was the only known repeating fast radio burst (FRB), an ultra-brief flash of energy that flickers on and off at uneven intervals. Astronomers had been debating what might be causing the mysterious repeater, officially called FRB 121102 and unofficially the “Spitler burst,” after the astronomer who discovered it.

In the weeks following that Christmas detection, Arecibo registered 15 more bursts from this one source. These flashes were the highest frequency FRBs ever captured at the time, a measurement made possible by the hardware Seymour and his team had just installed. Based on the new information, the scientists have concluded in a study released this week in the journal Nature that whatever object is creating the bursts, it must be in a very odd and extreme cosmic neighborhood, something akin to the environment surrounding a black hole with a mass of more than 10,000 suns.

The new work helps to strengthen the theory that at least some FRBs might be produced by magnetars—highly magnetized, rotating neutron stars, which are the extremely dense remains of massive stars that have gone supernova, said Shami Chatterjee, an astrophysicist at Cornell University. In the case of the repeater, it could be a neutron star “that lives in the environment of a massive black hole,” he said. Or it might also be like nothing we’ve seen before—a different kind of magnetar ensconced in a very intense, magnetically dense birth nebula, unlike any known to exist in our galaxy—“quite extraordinary circumstances,” he said.

Too Extreme to Find

It wasn’t obvious at first that the repeating burst had to live in such an extreme environment. In October, 10 months after Seymour detected that initial burst at Arecibo, Jason Hessels, an astronomer at the University of Amsterdam, and his student Daniele Michilli were staring at the data on Michilli’s laptop screen. They had been trying to determine whether a magnetic field near the source might have twisted its radio waves, an effect known as Faraday rotation. There appeared to be nothing to see.

But then Hessels had an idea: “I wondered whether maybe we had missed this effect simply because it was very extreme.” They had been looking for just a little bit of a twist. What if they were to search for something exceptional? He asked Michilli to crank up the search parameters, “to try crazy numbers,” as Michilli put it. The student expanded the search by a factor of five—a rather “naive thing to do,” Chatterjee said, because such a high value would be completely unprecedented.

When Michilli’s laptop displayed the new data plot, Hessels immediately realized that the radio waves had gone through a hugely powerful magnetic field. “I was shocked to see how extreme the Faraday rotation effect is in this case,” he said. It was like nothing else ever seen in pulsars and magnetars. “I’m also embarrassed because we were sitting on the critical data for months” before attempting such an analysis, he added.

Jason Hessels led the team that identified the Faraday rotation coming from the burst.

Courtesy of Jason Hessels

The discovery sent ripples across the community. “I was shocked by the email announcing the result,” said Vicky Kaspi, an astrophysicist at McGill University. “I had to read it multiple times.”

Final confirmation came from a team searching for aliens. The Breakthrough Listen initiative ordinarily uses radio telescopes such as the Green Bank Telescope in West Virginia to scan the skies for signs of extraterrestrial life. Yet “since it’s not obvious in which direction they should point the telescope to search for E.T., they decided to spend some time looking at the repeating FRB, which clearly paid off,” said the astronomer Laura Spitler, namesake of the Spitler burst.

The Green Bank Telescope not only confirmed the Arecibo findings, it also observed several additional bursts from the repeater at even higher frequencies. These bursts also showed the same mad, highly twisted Faraday rotation.

What Powers Them

The extreme Faraday rotation is a signal that “the repeating FRB is in a very special, extreme environment,” Kaspi said. It takes a lot of energy to produce and maintain such highly magnetized conditions. In one hypothesis outlined by the researchers, the energy comes from a nebula around the neutron star itself. In another, it comes from a massive black hole.

In the nebula hypothesis, flares from a newly born neutron star create a nebula of hot electrons and strong magnetic fields. These magnetic fields twist the radio waves coming out of the neutron star. In the black hole model, a neutron star has its radio waves twisted by the enormous magnetic field generated by a nearby massive black hole.

Researchers haven’t come to an agreement about what’s going on here. Kaspi leans toward the black hole model, but Brian Metzger, an astrophysicist at Columbia University, feels that it’s somewhat contrived. “In our galaxy, only one out of dozens of magnetars resides so close to the central black hole. What makes such black hole-hugging magnetars so special that they would preferentially produce fast radio bursts? Did we just get really lucky with the first well-localized FRB?”

And the debate may get muddier before it gets cleared up. Chatterjee said theorists are certain to soon jump on the paper and start producing a multitude of new models and possibilities.

Burst Machines

The Spitler repeater is still the only FRB source that has been nailed down to a particular galaxy. No one knows quite where the other bursts are coming from. To say with any certainty that some—or all—of these energetic radio flashes come from highly magnetized environments, researchers need more data. And data are coming in. The Australian Square Kilometer Array Pathfinder (ASKAP), which is not yet officially complete, has already netted more FRBs than any other telescope in the world. With a tally of about 10 FRBs last year alone, it has proven to be “a remarkable FRB-finding machine,” said Matthew Bailes, an astrophysicist at Swinburne University of Technology—although none of them repeat.

Soon another telescope with a highly unusual design, called CHIME, will come online in Canada, and should spot many more FRBs—maybe 10 times more than ASKAP. Other next-generation telescopes, like the Square Kilometer Array (SKA), with dishes in South Africa and Australia, will surely contribute as well. As we register more of these flashes, chances are that some of them will repeat. Once scientists can sift through such data, the Faraday rotation effect may help them understand whether all FRBs are powered by a similar mechanism—or not.
