How Much To Infect Android Phones Via Google Play Store? How About $20K

If you want to sneak malware onto people’s Android devices via the official Google Play store, it may cost you about $20,000 to do so, Kaspersky suggests. The Register reports: This comes after the Russian infosec outfit studied nine dark-web markets between 2019 and 2023, and found a slew of code and services for sale to infect and hijack the phones and tablets of Google Play users. Before cybercriminals can share their malicious apps from Google’s official store, they’ll need a Play developer account, and Kaspersky says those sell for between $60 and $200 each. Once someone’s bought one of these accounts, they’ll be encouraged to use something called a loader.

Uploading straight-up spyware to the Play store for people to download and install may attract Google’s attention, and cause the app and developer account to be thrown out. A loader will attempt to avoid that: it’s software a criminal can hide in their otherwise innocent, legit-looking app, installed from the official store, and at some convenient point, the loader will fetch and apply an update for the app that contains malicious code that does stuff like steal data or commit fraud. That update may ask for extra permissions to access the victim’s files, and may need to be pulled from an unofficial store with the victim’s blessing; it depends on the setup. The app may refuse to work as normal until the loader is allowed to do its thing, convincing marks into opening up their devices to crooks. These tools are pricier, ranging from $2,000 to $20,000, depending on the complexity and capabilities required.

Would-be crims who don’t want to pay thousands for a loader can pay substantially less — between $50 and $100 — for a binding service, which hides a malicious APK file in a legitimate application. However, these have lower successful install rates compared to loaders, so even in the criminal underground you get what you pay for. Some other illicit services offered for sale on these forums include virtual private servers ($300), which allow attackers to redirect traffic or control infected devices, and web injectors ($25 to $80) that watch for victims visiting selected websites on their infected devices and replace those pages with malicious ones that steal login info or similar. Criminals can pay for obfuscation of their malware, and they may even get a better price if they buy a package deal. “One of the sellers offers obfuscation of 50 files for $440, while the cost of processing only one file by the same provider is about $30,” Team Kaspersky says. Additionally, to increase the number of downloads of a malicious app, thus making it more attractive to other mobile users, attackers can buy installs for 10 cents to $1 apiece. Kaspersky’s report can be found here.

Read more of this story at Slashdot.

The Biggest EV Battery Recycling Plant In the US Is Open For Business

Ascend Elements opened a recycling plant in Covington, Georgia in late March that it says is the largest electric-vehicle battery recycling facility in North America. “It can process 30,000 metric tons of input each year, breaking down old batteries and prepping the most valuable materials inside to be processed and turned into new batteries,” reports Canary Media. “That capacity equates to breaking down the battery packs from 70,000 electric vehicles annually, said Ascend CEO Mike O’Kronley.” From the report: Recycling can deliver new battery materials without the expense and environmental impact of new mining. It is extremely hard to develop new mines in the U.S., but the federal government is lavishing funds on new battery recycling plants. The revamped EV tax credits also call for increasing shares of domestically sourced batteries and battery materials. Those market and policy shifts made recycling sufficiently desirable that Ascend is paying other companies for their old batteries. At the moment, those deals are mostly with EV or battery makers that have high volumes to get rid of.

“Paying for these spent batteries keeps them from going into the landfill,” O’Kronley told Canary Media. “It’s better to get paid for it rather than throw them away.” Ascend also accepts used consumer electronics from battery-collection programs, such as Call2Recycle. That’s not to say there are enough old batteries coming in to fill the factory. Currently, 80 to 90 percent of what’s going into Ascend’s Covington facility is scrap materials from battery factories, including SK Battery America’s plant in Commerce, Georgia.

That relationship influenced Ascend’s choice of location: Covington sits in the emerging “Battery Belt,” a swath of new battery factories and electric-vehicle plants opening up across the Midwest and the Carolinas, Georgia, Tennessee and Kentucky (look for all the blue icons in this White House map of new industrial investments). Fellow battery-recycling startup Redwood Materials also chose South Carolina for a forthcoming $3.5 billion recycling facility. “There will need to be a recycling plant within about an hour’s drive of every single one of those [new battery gigafactories],” O’Kronley said. “You don’t want to be [long-distance] shipping these very large, heavy EV batteries that are classified as Class 9 hazardous materials.” The report notes that the company’s second commercial-scale facility in Hopkinsville, Kentucky will “introduce a brand-new technique for efficiently extracting cathode materials from black mass, which Ascend has dubbed ‘hydro to cathode.’”


FTC Orders Supplement Maker To Pay $600K In First Case Involving Hijacked Amazon Reviews

The U.S. Federal Trade Commission has approved a final consent order in its first-ever enforcement action over a case involving “review hijacking,” or when a marketer steals consumer reviews of another product to boost the sales of its own. TechCrunch reports: In this case, the FTC has ordered supplements retailer The Bountiful Company, the maker of Nature’s Bounty vitamins and other brands, to pay $600,000 for deceiving customers on Amazon where it used a feature to merge the reviews of different products to make some appear to have better ratings and reviews than they otherwise would have had if marketed under their own listings. The case exposes how sellers have been exploiting an Amazon feature that allows sellers to request the creation of “variation” relationships between different products and SKUs. The feature is meant to help marketers and consumers alike as it creates a single detail page on Amazon.com that shows similar products that are different only in narrow, specific ways, the FTC explains — like items that come in a different color, size, quantity or flavor. For instance, a t-shirt may have a dozen SKUs associated with one another because the shirt comes in a wide variety of colors.

For shoppers, it’s helpful to see all the options on one page so you can pick the item that best matches your needs and budget. In the case of supplements, the feature could be used to combine the same products by merging various SKUs featuring different quantities of the item in question, like bottles with 50, 100 or 200 pills, for example. However, The Bountiful Company exploited Amazon’s feature to merge its newer products with older, well-established products which had different formulations, the FTC said. The FTC cited and screenshotted more than a dozen examples from 2020 and 2021 in its original complaint (PDF) against the vitamin and supplement maker, which in 2021 sold its core brands — including Nature’s Bounty and Sundown — to Nestle. As a result of these product merges, consumers who happened across any of the newer products would believe them to be better received than they were in reality, as they were benefiting from the merged ratings and reviews of other, differentiated items.

“Boosting your products by hijacking another product’s ratings or reviews is a relatively new tactic, but is still plain old false advertising,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said this February when the consent order was first announced ahead of its public comment period and finalized version. With today’s decision, Bountiful will have to pay the Commission $600,000 as monetary relief for consumers. It’s also prohibited from making similar types of misrepresentations and barred from using “deceptive review tactics that distort what consumers think about its products or services,” the FTC said in a unanimous 4-0 decision.


After Low-Speed Bus Crash, Cruise Recalled Software for Its Self-Driving Taxis in March

San Francisco autonomous vehicle company Cruise recalled and updated the software of its fleet of 300 cars, reports the San Francisco Chronicle, after a Cruise taxi rear-ended a local bus “when the car’s software got confused by the articulated vehicle, according to a federal safety report and the company.”
The voluntary report notes that Cruise updated its software on March 25th.

Since last month’s low-speed crash, which resulted in no injuries, Cruise CEO Kyle Vogt said the company chose to conduct a voluntary recall, and the software update assured such a rare incident “would not recur….” As for the March bus collision, Vogt said the software fix was uploaded to Cruise’s entire fleet of 300 cars within two days. He said the company’s probe found the crash scenario “exceptionally rare” with no other similar collisions.

“Although we determined that the issue was rare, we felt the performance of this version of software in this situation was not good enough,” Vogt wrote in a blog post. “We took the proactive step of notifying NHTSA that we would be filing a voluntary recall of previous versions of our software that were impacted by the issue.” The CEO said such voluntary recalls will probably become “commonplace.”

“We believe this is one of the great benefits of autonomous vehicles compared to human drivers; our entire fleet of AVs is able to rapidly improve, and we are able to carefully monitor that progress over time,” he said.

The Cruise car was traveling about 10 miles per hour, and the collision caused only minor damage to its front fender, Vogt’s blog post explained. San Francisco’s buses have front and back coaches connected by articulated rubber, and when the Cruise taxi lost sight of the front half, it made the assumption that it was still moving (rather than recognizing that the back coach had stopped). Or, as Cruise told the National Highway Traffic Safety Administration, their vehicle “inaccurately predicted the movement” of the bus.

It was not the first San Francisco incident involving Cruise since June, when it became the first company in a major city to win the right to taxi passengers in driverless vehicles — in this case Chevrolet Bolts. The city’s Municipal Transportation Agency and County Transportation Authority recorded at least 92 incidents from May to December 2022 in which autonomous ride-hailing vehicles caused problems on city streets, disrupting traffic, Muni transit and emergency responders, according to letters sent to the California Public Utilities Commission….

Just two days before the Cruise crash in March, the company had more problems with Muni during one of San Francisco’s intense spring storms. A falling tree brought down a Muni line near Clay and Jones streets on March 21, and a witness reported on social media that two Cruise cars drove through caution tape into the downed wire. A company representative said neither car had passengers and teams were immediately dispatched to remove the vehicles.

On Jan. 22, a driverless Cruise car entered an active firefighting scene and nearly ran over hoses. Fire crews broke a car window to try to stop it.


Rust Foundation Solicits Feedback on Updated Policy for Trademarks

“Rust” and “Cargo” are registered trademarks held by the Rust Foundation — the independent non-profit supporting Rust’s maintainers. In August 1,000 people responded to the foundation’s Trademark Policy Review Survey, after which the foundation invited any interested individuals to join their Trademark Policy Working Group (which also included Rust Project leaders). They’ve now created a draft of an updated policy for feedback…

Crate, RS, “Rustacean,” and the logo of Ferris the crab are all available for use by anyone consistent with their definition, with no special permission required. Here’s how the document’s quick reference describes other common use-cases:
Selling Goods — Unless explicitly approved, use of the Rust name or Logo is not allowed for the purposes of selling products/promotional goods for gain/profit, or for registering domain names. For example, it is not permitted to sell stickers of the Rust logo in an online shop for your personal profit.
Showing Support of Rust — When showing your support of the Rust Project on a personal site or blog, you may use the Rust name or Logo, as long as you abide by all the requirements listed in the Policy. You may use the Rust name or Logo in social media handles, avatars, and emojis to demonstrate Rust Project support in a manner that is decorative, so long as you don’t suggest commercial Rust affiliation.
Inclusion of the Marks in Educational Materials — You may use the Rust name in book and article titles and the Logo in graphic components, so long as you make it clear that the Rust Project or Foundation has not reviewed/approved/endorsed your content.
There’s also a FAQ, answering questions like “Can I use the Rust logo as my Twitter Avatar?” The updated policy draft says “We consider social media avatars on personal accounts to be fair use. On the other hand, using Rust trademarks in corporate social media bios/profile pictures is prohibited…. In general, we prohibit the modification of the Rust logo for any purpose, except to scale it. This includes distortion, transparency, color-changes affiliated with for-profit brands or political ideologies. On the other hand, if you would like to change the colors of the Rust logo to communicate allegiance with a community movement, we simply ask that you run the proposed logo change by us…”

And for swag at events using the Rust logo, “Merch developed for freebies/giveaways is normally fine, however you need approval to use the Rust Word and/or Logo to run a for-profit event. You are free to use Ferris the crab without permission… If your event is for-profit, you will need approval to use the Rust name or Logo. If you are simply covering costs and the event is non-profit, you may use the Rust name or Logo as long as it is clear that the event is not endorsed by the Rust Foundation. You are free to use Ferris the crab without permission.”


Fully Recyclable Printed Electronics Produced Using Water Instead of Toxic Chemicals

Duke University announces their engineers “have produced the world’s first fully recyclable printed electronics that replace the use of chemicals with water in the fabrication process” — bypassing the need for hazardous chemicals.
Electrical/computer engineering professor Aaron Franklin led the study, according to Duke’s announcement:

In previous work, Franklin and his group demonstrated the first fully recyclable printed electronics. The devices used three carbon-based inks: semiconducting carbon nanotubes, conductive graphene and insulating nanocellulose. In trying to adapt the original process to only use water, the carbon nanotubes presented the largest challenge…. In the paper, Franklin and his group develop a cyclical process in which the device is rinsed with water, dried in relatively low heat and printed on again. When the amount of surfactant used in the ink is also tuned down, the researchers show that their inks and processes can create fully functional, fully recyclable, fully water-based transistors….

Franklin explains that, by demonstrating a transistor first, he hopes to signal to the rest of the field that there is a viable path toward making some electronics manufacturing processes much more environmentally friendly. Franklin has already proven that nearly 100% of the carbon nanotubes and graphene used in printing can be recovered and reused in the same process, losing very little of the substances or their performance viability. Because nanocellulose is made from wood, it can simply be recycled or biodegraded like paper. And while the process does use a lot of water, it’s not nearly as much as what is required to deal with the toxic chemicals used in traditional fabrication methods.

According to a United Nations estimate, less than a quarter of the millions of pounds of electronics thrown away each year is recycled. And the problem is only going to get worse as the world eventually upgrades to 6G devices and the Internet of Things (IoT) continues to expand. So any dent that could be made in this growing mountain of electronic trash is important to pursue. While more work needs to be done, Franklin says the approach could be used in the manufacturing of other electronic components like the screens and displays that are now ubiquitous to society. Every electronic display has a backplane of thin-film transistors similar to what is demonstrated in the paper. The current fabrication technology is high-energy and relies on hazardous chemicals as well as toxic gasses. The entire industry has been flagged for immediate attention by the US Environmental Protection Agency.

“The performance of our thin-film transistors doesn’t match the best currently being manufactured, but they’re competitive enough to show the research community that we should all be doing more work to make these processes more environmentally friendly,” Franklin said.


Walmart US CEO Says Automation At Stores Won’t Displace Workers

An anonymous reader quotes a report from Insider: Walmart will be increasingly relying on automation at its stores in the coming years — but that won’t diminish the country’s largest private employer’s workforce, company leaders said during an investor event this week. The Bentonville, Arkansas-based retail giant recently made headlines when it announced that 65% of its stores will be “serviced by automation” by the end of fiscal year 2026. Walmart currently has more than 4,700 stores throughout the US and employs roughly 1.6 million people nationwide.

More specifically, one area where Walmart is seeking to increase investment is in market fulfillment centers (MFCs), which are automated fulfillment centers built within, or added to, a store. Walmart piloted this concept at a store in Salem, New Jersey, in 2019, using automated robot technology from Alert Innovation — a robotics company Walmart acquired in October 2022. Since then, Walmart has built MFCs at several stores, such as in Jacksonville, Florida, and Dallas, Texas. Those include “manual MFCs,” where associates pick items for online orders but in a separate area from the sales floor.

Walmart will still need at least the same level of workers to help in stores even as automation picks up, company leaders say. John Furner, Walmart US president and CEO, told investors this week that automation “helps” employees, as it will result in less manual labor. “Over time, we believe we’ll have the same or more associates and a larger business overall,” Furner said. “There will be new roles emerging that are less manual, better designed to serve customers, and pay more.”


Crooks Are Using CAN Injection Attacks To Steal Cars

“Thieves have discovered new ways to steal cars by pulling off smart devices (like smart headlights) to get at and attack via the Controller Area Network (CAN) bus,” writes longtime Slashdot reader KindMind. The Register reports: A Controller Area Network (CAN) bus is present in nearly all modern cars, and is used by microcontrollers and other devices to talk to each other within the vehicle and carry out the work they are supposed to do. In a CAN injection attack, thieves access the network and introduce bogus messages as if they were from the car’s smart key receiver. These messages effectively cause the security system to unlock the vehicle and disable the engine immobilizer, allowing it to be stolen. To gain this network access, the crooks can, for instance, break open a headlamp and use its connection to the bus to send messages. From that point, they can simply manipulate other devices to steal the vehicle.

“In most cars on the road today, these internal messages aren’t protected: the receivers simply trust them,” [Ken Tindell, CTO of Canis Automotive Labs] detailed in a technical write-up this week. The discovery followed an investigation by Ian Tabor, a cybersecurity researcher and automotive engineering consultant working for EDAG Engineering Group. It was driven by the theft of Tabor’s RAV4. Leading up to the crime, Tabor noticed the front bumper and arch rim had been pulled off by someone, and the headlight wiring plug removed. The surrounding area was scuffed with screwdriver markings, which, together with the fact the damage was on the kerbside, seemed to rule out damage caused by a passing vehicle. More vandalism was later done to the car: gashes in the paintwork, molding clips removed, and malfunctioning headlamps. A few days later, the Toyota was stolen.

Refusing to take the pilfering lying down, Tabor used his experience to try to figure out how the thieves had done the job. The MyT app from Toyota — which among other things allows you to inspect the data logs of your vehicle — helped out. It provided evidence that Electronic Control Units (ECUs) in the RAV4 had detected malfunctions, logged as Diagnostic Trouble Codes (DTCs), before the theft. According to Tindell, “Ian’s car dropped a lot of DTCs.” Various systems had seemingly failed or suffered faults, including the front cameras and the hybrid engine control system. With some further analysis it became clear the ECUs probably hadn’t failed, but communication between them had been lost or disrupted. The common factor was the CAN bus.
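The weakness Tindell describes is that a receiving ECU acts on any frame carrying the expected CAN ID, with nothing tying the frame to the real key receiver. The toy model below is an added example, not code from The Register, Canis Automotive Labs or Toyota: it contrasts a receiver that trusts frames by ID alone with one that requires a truncated HMAC tag and a strictly increasing freshness counter, so that an injected frame and a replayed frame are both rejected. The CAN ID, the unlock payload, the shared key and the frame layout are all constructed for illustration; a production design would derive per-ECU keys from a hardware security module and persist the counter across power cycles.

```python
import hmac
import hashlib

# Constructed values for the demonstration only (not real Toyota/RAV4 IDs or payloads).
KEY_RECEIVER_ID = 0x2A1                 # hypothetical CAN ID of the smart-key receiver
UNLOCK_PAYLOAD = b"\x01"                # hypothetical "unlock doors" command byte
SHARED_KEY = b"constructed-demo-key"    # hypothetical key shared by sender and receiver
COUNTER_LEN = 3                         # freshness counter, big-endian bytes
TAG_LEN = 4                             # truncated MAC; 1 + 3 + 4 = 8-byte classic CAN payload


def make_frame(can_id: int, payload: bytes, counter: int, key: bytes = SHARED_KEY):
    """Build an authenticated frame: payload | counter | truncated HMAC-SHA256 tag.

    The CAN ID is included in the MAC input so a tag computed for one ID cannot be
    transplanted onto a frame with a different ID.
    """
    ctr = counter.to_bytes(COUNTER_LEN, "big")
    msg = can_id.to_bytes(2, "big") + payload + ctr
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    return can_id, payload + ctr + tag


def spoofed_frame():
    """A frame injected on the bus: correct ID and command byte, but no valid tag or counter."""
    return KEY_RECEIVER_ID, UNLOCK_PAYLOAD + bytes(COUNTER_LEN) + bytes(TAG_LEN)


class TrustingReceiver:
    """Models the behaviour described above: any frame with the key receiver's ID is obeyed."""

    def __init__(self):
        self.unlocked = False

    def handle(self, frame) -> bool:
        can_id, data = frame
        if can_id == KEY_RECEIVER_ID and data[:1] == UNLOCK_PAYLOAD:
            self.unlocked = True
            return True
        return False


class VerifyingReceiver:
    """Accepts a frame only if its tag verifies and its counter is strictly newer."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_counter = -1
        self.unlocked = False

    def handle(self, frame) -> bool:
        can_id, data = frame
        if can_id != KEY_RECEIVER_ID or len(data) != 1 + COUNTER_LEN + TAG_LEN:
            return False
        payload = data[:1]
        ctr_bytes = data[1:1 + COUNTER_LEN]
        tag = data[1 + COUNTER_LEN:]
        expected = hmac.new(self.key, can_id.to_bytes(2, "big") + payload + ctr_bytes,
                            hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                       # forged or corrupted frame
        counter = int.from_bytes(ctr_bytes, "big")
        if counter <= self.last_counter:
            return False                       # replayed (or stale) frame
        self.last_counter = counter
        if payload == UNLOCK_PAYLOAD:
            self.unlocked = True
        return True


def demo():
    """Run the same frames through both receivers and report each check's outcome."""
    legit = make_frame(KEY_RECEIVER_ID, UNLOCK_PAYLOAD, counter=7)
    trusting, verifying = TrustingReceiver(), VerifyingReceiver()
    return {
        "trusting_accepts_spoof": trusting.handle(spoofed_frame()),
        "verifying_rejects_spoof": not verifying.handle(spoofed_frame()),
        "verifying_accepts_legit": verifying.handle(legit),
        "verifying_rejects_replay": not verifying.handle(legit),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

A 32-bit tag is a compromise forced by the 8-byte classic CAN payload; CAN FD frames allow longer tags, and the freshness counter is what turns a one-off recording of a genuine unlock frame into something the receiver will refuse to honour a second time.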


Researchers Built Sonar Glasses That Track Facial Movements For Silent Communication

A Cornell University researcher has developed sonar glasses that “hear” you without speaking. Engadget reports: The eyeglass attachment uses tiny microphones and speakers to read the words you mouth as you silently command it to pause or skip a music track, enter a passcode without touching your phone or work on CAD models without a keyboard. Cornell Ph.D. student Ruidong Zhang developed the system, which builds off a similar project the team created using a wireless earbud — and models before that which relied on cameras. The glasses form factor removes the need to face a camera or put something in your ear. “Most technology in silent-speech recognition is limited to a select set of predetermined commands and requires the user to face or wear a camera, which is neither practical nor feasible,” said Cheng Zhang, Cornell assistant professor of information science. “We’re moving sonar onto the body.”

The researchers say the system only requires a few minutes of training data (for example, reading a series of numbers) to learn a user’s speech patterns. Then, once it’s ready to work, it sends and receives sound waves across your face, sensing mouth movements while using a deep learning algorithm to analyze echo profiles in real time “with about 95 percent accuracy.” The system does this while offloading data processing (wirelessly) to your smartphone, allowing the accessory to remain small and unobtrusive. The current version offers around 10 hours of battery life for acoustic sensing. Additionally, no data leaves your phone, eliminating privacy concerns. “We’re very excited about this system because it really pushes the field forward on performance and privacy,” said Cheng Zhang. “It’s small, low-power and privacy-sensitive, which are all important features for deploying new, wearable technologies in the real world.” “The team at Cornell’s Smart Computer Interfaces for Future Interactions (SciFi) Lab is exploring commercializing the tech using a Cornell funding program,” adds Engadget. “They’re also looking into smart-glasses applications to track facial, eye and upper body movements.”

A video of the eyeglasses can be viewed here.
