Apple

Apple Gives Up On the Vision Pro After M5 Refresh Flop (macrumors.com) 89

MacRumors reports that Apple has effectively paused work on Vision Pro after the M5 refresh failed to revive demand. The team has reportedly been reassigned and the company is now shifting focus toward smart glasses instead. From the report: The Vision Pro has been criticized for its high price tag and its uncomfortable weight. The device is over 1.3 pounds, and even with the more comfortable Dual Knit Band that Apple added to redistribute weight, it continues to be hard to wear for long periods of time. The M5 chip added a 120Hz refresh rate, 10 percent more rendered pixels, and around 30 additional minutes of battery life, but the price tag stayed at $3,499, and it ended up not selling well. The Vision Pro has been unpopular since it first launched, and Apple only sold around 600,000 units in total. Insider sources told MacRumors that Apple has received an unusually high percentage of returns, far exceeding any other modern Apple product.

[...] If Apple finds a way to create a much cheaper, more comfortable VR headset in the future, the Vision Pro line could be revived, but right now, the company has no plans to launch a new model. Apple has not discontinued the Vision Pro and is continuing to sell the M5 model. Instead of continuing to experiment with virtual reality, Apple is working on smart glasses that will eventually incorporate augmented reality capabilities, but the first version will be similar to the Ray-Ban Meta smart glasses with AI and no integrated display.

Wireless Networking

FCC Grants Netgear Conditional Approval For Routers (pcmag.com) 63

The FCC has granted (PDF) Netgear the first exemption from its foreign-made router ban, allowing the company to keep selling new consumer router models made outside the U.S. through Oct. 1, 2027. PCMag reports: The Defense Department reviewed Netgear's application for an exemption and found that its products "do not pose risks to US national security." The FCC's order doesn't elaborate on why. Netgear is based in San Jose, California, although its products are made in Asia. The exemption, known as a conditional approval, lasts until Oct. 1, 2027. It covers a large range of future Wi-Fi models from Netgear, spanning the R, RAX, RAXE, RS, MK, MR, M, and MH series, the Orbi consumer mesh, mobile, and standalone routers under the RBK, RBE, RBR, RBRE, LBR, LBK, and CBK series, as well as cable gateways and cable modems under the CAX and CM series.

The exemption isn't a full green light for the future product models from Netgear. The FCC says the company still needs to go through the normal Commission-regulated equipment authorization process for each device. The Oct. 1, 2027 date effectively amounts to a deadline for Netgear to receive FCC certification for the router models; each certification is also permanent, enabling the product to be sold in the US on an ongoing basis. This also suggests that Netgear has an 18-month period to receive FCC certifications for future products.

Robotics

Man Accidentally Gains Control of 7,000 Robot Vacuums (popsci.com) 51

A software engineer tried steering his robot vacuum with a videogame controller, reports Popular Science — but ended up with "a sneak peek into thousands of people's homes." While building his own remote-control app, Sammy Azdoufal reportedly used an AI coding assistant to help reverse-engineer how the robot communicated with DJI's remote cloud servers. But he soon discovered that the same credentials that allowed him to see and control his own device also provided access to live camera feeds, microphone audio, maps, and status data from nearly 7,000 other vacuums across 24 countries.

The backend security bug effectively exposed an army of internet-connected robots that, in the wrong hands, could have turned into surveillance tools, all without their owners ever knowing. Luckily, Azdoufal chose not to exploit that. Instead, he shared his findings with The Verge, which quickly contacted DJI to report the flaw... He also claims he could compile 2D floor plans of the homes the robots were operating in. A quick look at the robots' IP addresses also revealed their approximate locations.

DJI told Popular Science the issue was addressed "through two updates, with an initial patch deployed on February 8 and a follow-up update completed on February 10."
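
The authorization failure described above belongs to a well-known bug class: the backend checks that a caller is authenticated, but never checks that the object named in the request belongs to that caller (broken object-level authorization). The following is an added illustration of that class, not DJI's code or Azdoufal's tooling; the device fleet, session tokens and feed locators are constructed stand-ins, and `get_feed_vulnerable` / `get_feed_fixed` are hypothetical handler names.

```python
"""Broken object-level authorization on a device-fleet API: vulnerable vs fixed."""

# Constructed stand-in fleet: device id -> owner and a placeholder feed locator.
DEVICES = {
    "vac-0001": {"owner": "alice", "feed": "feed://vac-0001/camera"},
    "vac-0002": {"owner": "bob", "feed": "feed://vac-0002/camera"},
    "vac-0003": {"owner": "carol", "feed": "feed://vac-0003/camera"},
}
# Constructed session tokens (a real backend would issue these at login).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(token):
    """Identity check only: who is calling? Raises on unknown tokens."""
    try:
        return TOKENS[token]
    except KeyError:
        raise PermissionError("invalid token") from None


def get_feed_vulnerable(token, device_id):
    """Authenticates the caller, then serves ANY device id the caller names.

    A valid token was presented, so the request looks 'authorized', but nothing
    ties the token's user to the device: a user who can read their own feed can
    read everyone else's simply by changing the id in the request.
    """
    authenticate(token)
    return DEVICES[device_id]["feed"]


def get_feed_fixed(token, device_id):
    """Authenticates, then checks that the device actually belongs to the caller.

    Missing and foreign ids raise the same error so the endpoint does not leak
    which ids exist in the fleet.
    """
    user = authenticate(token)
    device = DEVICES.get(device_id)
    if device is None or device["owner"] != user:
        raise PermissionError("device not found")
    return device["feed"]


def reachable_devices(token, endpoint, candidate_ids):
    """Enumerate ids the way an attacker would: try each one, keep those that succeed."""
    reachable = []
    for device_id in candidate_ids:
        try:
            endpoint(token, device_id)
            reachable.append(device_id)
        except (PermissionError, KeyError):
            pass
    return reachable


if __name__ == "__main__":
    ids = sorted(DEVICES)
    print("vulnerable:", reachable_devices("tok-alice", get_feed_vulnerable, ids))
    print("fixed:     ", reachable_devices("tok-alice", get_feed_fixed, ids))
```

The ownership check has to live in the handler (or a shared authorization layer it cannot skip), not in the client app, since the client is what Azdoufal replaced. On the detection side, one token sweeping many device ids in quick succession, as `reachable_devices` does, is the access pattern to alert on.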

AI

AI Agents 'Perilous' for Secure Apps Such as Signal, Whittaker Says 16

Signal Foundation president Meredith Whittaker warned that AI agents that autonomously carry out tasks pose a threat to encrypted messaging apps because they require broad access to data stored across a device and can be hijacked if given root permissions.

Speaking at Davos on Tuesday, Whittaker said the deeper integration of AI agents into devices is "pretty perilous" for services like Signal. For an AI agent to act effectively on behalf of a user, it would need unilateral access to apps storing sensitive information such as credit card data and contacts, Whittaker said. The data that the agent stores in its context window is at greater risk of being compromised.

Whittaker called this "breaking the blood-brain barrier between the application and the operating system." "Our encryption no longer matters if all you have to do is hijack this context window," she said.

Technology

Dumbphone Owners Have Lost Their Minds (wired.com) 136

The growing enthusiasm among Gen Z for ditching smartphones in favor of basic "dumbphones" may be overlooking a significant cognitive reality, according to a WIRED essay that draws on the 1998 "extended mind hypothesis" by philosophers Andy Clark and David Chalmers. The hypothesis argues that external tools can extend the biological brain in an all but physical way, meaning your phone isn't just a device -- it's part of a single cognitive system composed of both the tool and your brain.

"Interference with my phone is like giving me some brain damage," Clark told Wired. He expressed concern about the dumbphone movement, calling it "generally a retrograde step" and warning that as smartphone enmeshment becomes the societal norm, those who opt out risk becoming "effectively disabled within that society." Clark described this as "the creation of a disempowered class."

98% of Americans between 18 and 29 own a smartphone, dropping only to 97% for those aged 30 to 49. Even committed dumbphone users struggle. One user profiled in the piece still carries an "emergency iPhone" for work requirements and admits long-distance friendships have become "nearly impossible to maintain."

China

China Demands Netherlands 'Correct Mistakes' Over Seized Chipmaker as Auto Supply Crunch Deepens (cnbc.com) 34

China's Commerce Ministry on Wednesday demanded that the Netherlands "immediately correct its mistakes" over chipmaker Nexperia, escalating a standoff that has disrupted global semiconductor supply chains and triggered warnings from automakers about component shortages. The Dutch government in September invoked a Cold War-era law to effectively seize control of the Chinese-owned chipmaker, reportedly after the United States raised security concerns. China responded by blocking Nexperia products from leaving the country.

Nexperia manufactures billions of foundation chips -- transistors, diodes and power management components -- that are produced in Europe, assembled and tested in China, and then re-exported to customers worldwide. These low-tech, inexpensive chips are essential in almost every device that uses electricity, from car braking systems and airbag controllers to electric windows and entertainment systems.

The Commerce Ministry spokesperson said the Netherlands "remains indifferent and stubbornly insists on its own way, showing absolutely no responsible attitude towards the security of the global semiconductor supply chain." Dutch Economy Minister Vincent Karremans has repeatedly defended the intervention. Auto industry groups have warned that disruptions have not been fundamentally resolved. Japan's Nissan and German supplier Bosch have flagged looming shortages, and the German Association of the Automotive Industry warned of elevated supply risks "particularly for the first quarter" of 2026.

Businesses

'Subscription Captivity': When Things You Buy Own You (motherjones.com) 126

A reporter at Mother Jones writes about a $169 alarm clock with special lighting and audio effects. But to use the features, "you need to pay an additional $4.99 per month, in perpetuity."

"Welcome to the age of subscription captivity, where an increasing share of the things you pay for actually own you." What vexes me are the companies that sell physical products for a hefty, upfront fee and subsequently demand more money to keep using items already in your possession. This encompasses those glorified alarm clocks, but also: computer printers, wearable wellness devices, and some features on pricey new cars.

Subscription-based business models are great for businesses because they amount to consistent revenue streams. They're often bad for consumers for the same reason: You have to pay companies, consistently. We're effectively being $5 per month-ed (or more) to death, and it's only going to get worse. Industry research suggests the average customer spent $219 per month on subscriptions in 2023. In 2024, the global subscription market was an estimated $492 billion. By 2033, that figure is expected to triple.

Companies would argue these models benefit consumers, not just their bottom lines. For example, HP's Instant Ink program suggests you will never again find your device out of ink when you need it most. The printer apparently knows when it's running low, spurring automatic deliveries of ink to your home for $7.99 per month if you select the company-recommended plan. But if you cancel the subscription, the printer will literally hold hostage the half-full cartridges already sitting in your printer. The ransom to use it? Re-enroll... The company has added firmware to its technology that deliberately blocks cheaper, off-brand cartridges from working at all...

"There's even a subscription service that enables you to track and cancel your piling subscriptions — for just $6 to $12 per month."

Hardware

Meta 'Pauses' Third-Party Headset Program (roadtovr.com) 22

Meta has paused its third-party Horizon OS headset program, effectively canceling planned VR headsets from Asus and Lenovo as it refocuses on "building the world-class first-party hardware and software needed to advance the VR market." Road to VR reports: A little over a year and a half ago, Meta made an "industry-altering announcement," as I called the move in my reporting: the company was rebranding the Quest operating system to 'Horizon OS' and announced it was working with select partners to launch third-party VR headsets powered by the operating system. Meta specifically named Asus and Lenovo as the first partners it was working with to build new Horizon OS headsets. Asus was said to be building an "all-new performance gaming headset," while Lenovo was purportedly working on "mixed reality devices for productivity, learning, and entertainment."

But as we've now learned, neither headset is likely to see the light of day. Meta says it has frozen the third-party Horizon OS headset program. "We have paused the program to focus on building the world-class first-party hardware and software needed to advance the VR market," a Meta spokesperson told Road to VR. "We're committed to this for the long term and will revisit opportunities for 3rd-party device partnerships as the category evolves."

Wireless Networking

Why One Man Is Fighting For Our Right To Control Our Garage Door Openers (nytimes.com) 126

An anonymous reader quotes a report from the New York Times: A few years ago, Paul Wieland, a 44-year-old information technology professional living in New York's Adirondack Mountains, was wrapping up a home renovation when he ran into a hiccup. He wanted to be able to control his new garage door with his smartphone. But the options available, including a product called MyQ, required connecting to a company's internet servers. He believed a "smart" garage door should operate only over a local Wi-Fi network to protect a home's privacy, so he started building his own system to plug into his garage door. By 2022, he had developed a prototype, which he named RATGDO, for Rage Against the Garage Door Opener. He had hoped to sell 100 of his new gadgets just to recoup expenses, but he ended up selling tens of thousands. That's because MyQ's maker did what a number of other consumer device manufacturers have done over the last few years, much to the frustration of their customers: It changed the device, making it both less useful and more expensive to operate.

Chamberlain Group, a company that makes garage door openers, had created the MyQ hubs so that virtually any garage door opener could be controlled with home automation software from Apple, Google, Nest and others. Chamberlain also offered a free MyQ smartphone app. Two years ago, Chamberlain started shutting down support for most third-party access to its MyQ servers. The company said it was trying to improve the reliability of its products. But this effectively broke connections that people had set up to work with Apple's Home app or Google's Home app, among others. Chamberlain also started working with partners that charge subscriptions for their services, though a basic app to control garage doors was still free.

While Mr. Wieland said RATGDO sales spiked after Chamberlain made those changes, he believes the popularity of his device is about more than just opening and closing a garage. It stems from widespread frustration with companies that sell internet-connected hardware that they eventually change or use to nickel-and-dime customers with subscription fees. "You should own the hardware, and there is a line there that a lot of companies are experimenting with," Mr. Wieland said in a recent interview. "I'm really afraid for the future that consumers are going to swallow this and that's going to become the norm." [...] For Mr. Wieland, the fight isn't over. He started a company named RATCLOUD, for Rage Against the Cloud. He said he was developing similar products that were not yet for sale.

The Courts

Masimo Sues US Customs Over Apple Watch Blood Oxygen Workaround (9to5mac.com) 57

Last week, following a recent U.S. Customs ruling, Apple reintroduced blood oxygen monitoring to certain Apple Watch models in the U.S., sidestepping an ITC import ban stemming from its legal dispute with medical device maker Masimo. Today, Masimo fired back with a new lawsuit against the U.S. Customs and Border Protection. 9to5Mac reports: The company says US Customs and Border Protection (CBP) overstepped its authority and violated due process when it reversed its earlier decision on August 1 and allowed Apple to restore the feature. Moreover, Masimo says it found out about the decision when Apple publicly announced the return of the feature: "It has now come to light that CBP thereafter reversed itself without any meaningful justification, without any material change in circumstances, and without any notice to Masimo, let alone an opportunity for Masimo to be heard. CBP changed its position on Apple's watch-plus-iPhone redesign through an ex parte proceeding. Specifically, on August 1, 2025, CBP issued an ex parte ruling permitting Apple to import devices that, when used with iPhones already in the United States, perform the same functionality that the ITC found to infringe Masimo's patents. Masimo only discovered this ruling on Thursday, August 14, 2025, when Apple publicly announced it would be reintroducing the pulse oximetry functionality through a software update."

The company is now asking the court for a temporary restraining order and preliminary injunction to block the CBP's decision, and reinstate the original ruling that "determined that Apple's redesigned watches could be imported only to the extent the infringing functionality was completely disabled." As reported by Bloomberg Law, Masimo says the following in its supporting brief: "Each passing day that this unlawful ruling remains in effect irreparably deprives Masimo of its right to be free from unfair trade practices and to preserve its competitive standing in the U.S. marketplace." Masimo further argues that CBP's move "effectively nullified" the ITC's exclusion order against Apple. Apple's appeal of that ban is still pending before the Federal Circuit.

Wireless Networking

Echelon Kills Smart Home Gym Equipment Offline Capabilities With Update (arstechnica.com) 52

A recent Echelon firmware update has effectively bricked offline functionality for its smart gym equipment, cutting off compatibility with popular third-party apps like QZ and forcing users to connect to Echelon's servers -- even just to view workout stats. Ars Technica reports: As explained in a Tuesday blog post by Roberto Viola, who develops the "QZ (qdomyos-zwift)" app that connects Echelon machines to third-party fitness platforms, like Peloton, Strava, and Apple HealthKit, the firmware update forces Echelon machines to connect to Echelon's servers in order to work properly. A user online reported that as a result of updating his machine, it is no longer syncing with apps like QZ, and he is unable to view his machine's exercise metrics in the Echelon app without an Internet connection. Affected Echelon machines reportedly only have full functionality, including the ability to share real-time metrics, if a user has the Echelon app active and if the machine is able to reach Echelon's servers.

Viola wrote: "On startup, the device must log in to Echelon's servers. The server sends back a temporary, rotating unlock key. Without this handshake, the device is completely bricked -- no manual workout, no Bluetooth pairing, no nothing." Because updated Echelon machines now require a connection to Echelon servers for some basic functionality, users are unable to use their equipment and understand, for example, how fast they're going without an Internet connection. If Echelon were to ever go out of business, the gym equipment would, essentially, get bricked. Viola told Ars Technica that he first started hearing about problems with QZ, which launched in 2020, at the end of 2024 from treadmill owners. He said a firmware update appears to have rolled out this month on Echelon bikes that bricks QZ functionality. In his blog, Viola urged Echelon to let its machines send encrypted data to another device, like a phone or a tablet, without the Internet. He wrote: "Users bought the bike; they should be allowed to use it with or without Echelon's services."

Crime

Stolen iPhones from an Apple Store Remotely Disabled, Started Blaring Alarms (indiatimes.com) 147

Earlier this week, looters who stole iPhones "got an unexpected message from Apple," reports the Economic Times.

"Please return to Apple Tower Theatre. This device has been disabled and is being tracked. Local authorities will be alerted."

Stolen phones "were remotely locked and triggered alarms, effectively turning the devices into high-tech bait. Videos circulating online show the phones flashing the message while blaring loudly, making them impossible to ignore." According to LAPD Officer Chris Miller, at least three suspects were apprehended in connection to the Apple Store burglary. One woman was arrested on the spot, while two others were detained for looting.

Google

AOSP Isn't Dead, But Google Just Landed a Huge Blow To Custom ROM Developers (androidauthority.com) 46

Google has removed device trees and driver binaries for Pixel phones from the Android 16 source code release, significantly complicating custom ROM development for those devices. The Android-maker intentionally omitted these resources as it shifts its Android Open Source Project reference target from Pixel hardware to a virtual device called "Cuttlefish."

The change forces custom ROM developers to reverse-engineer configurations they previously received directly from Google. Nolen Johnson from LineageOS said the process will become "painful," requiring developers to "blindly guess and reverse engineer from the prebuilt binaries what changes are needed each month." Google also squashed the Pixel kernel source code's commit history, eliminating another reference point developers used for features and security patches.

Google VP Seang Chau dismissed speculation that AOSP itself is ending, stating the project "is NOT going away." However, the changes effectively bring Pixel devices down to the same difficult development level as other Android phones.

Botnet

FBI: BadBox 2.0 Android Malware Infects Millions of Consumer Devices (bleepingcomputer.com) 8

An anonymous reader quotes a report from BleepingComputer: The FBI is warning that the BADBOX 2.0 malware campaign has infected over 1 million home Internet-connected devices, converting consumer electronics into residential proxies that are used for malicious activity. The BADBOX botnet is commonly found on Chinese Android-based smart TVs, streaming boxes, projectors, tablets, and other Internet of Things (IoT) devices. "The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity," warns the FBI.

These devices come preloaded with the BADBOX 2.0 malware botnet or become infected after installing firmware updates and through malicious Android applications that sneak onto Google Play and third-party app stores. "Cyber criminals gain unauthorized access to home networks by either configuring the product with malicious software prior to the users purchase or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process," explains the FBI. "Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity."

Once infected, the devices connect to the attacker's command and control (C2) servers, where they receive commands to execute on the compromised devices, such as [routing malicious traffic through residential IPs to obscure cybercriminal activity, performing background ad fraud to generate revenue, and launching credential-stuffing attacks using stolen login data]. Over the years, the malware botnet continued expanding until 2024, when Germany's cybersecurity agency disrupted the botnet in the country by sinkholing the communication between infected devices and the attacker's infrastructure, effectively rendering the malware useless. However, that did not stop the threat actors, with researchers saying they found the malware installed on 192,000 devices a week later. Even more concerning, the malware was found on more mainstream brands, like Yandex TVs and Hisense smartphones. Unfortunately, despite the previous disruption, the botnet continued to grow, with HUMAN's Satori Threat Intelligence stating that over 1 million consumer devices had become infected by March 2025. This new larger botnet is now being called BADBOX 2.0 to indicate a new tracking of the malware campaign.

"This scheme impacted more than 1 million consumer devices. Devices connected to the BADBOX 2.0 operation included lower-price-point, 'off brand,' uncertified tablets, connected TV (CTV) boxes, digital projectors, and more," explains HUMAN.

"The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices. All of these devices are manufactured in mainland China and shipped globally; indeed, HUMAN observed BADBOX 2.0-associated traffic from 222 countries and territories worldwide."

Privacy

Meta and Yandex Are De-Anonymizing Android Users' Web Browsing Identifiers (github.io) 77

"It appears as though Meta (aka: Facebook's parent company) and Yandex have found a way to sidestep the Android Sandbox," writes Slashdot reader TheWho79. Researchers disclose the novel tracking method in a report: We found that native Android apps -- including Facebook, Instagram, and several Yandex apps including Maps and Browser -- silently listen on fixed local ports for tracking purposes.

These native Android apps receive browsers' metadata, cookies and commands from the Meta Pixel and Yandex Metrica scripts embedded on thousands of web sites. These JavaScripts load on users' mobile browsers and silently connect with native apps running on the same device through localhost sockets. As native apps programmatically access device identifiers like the Android Advertising ID (AAID) or handle user identities as in the case of Meta apps, this method effectively allows these organizations to link mobile browsing sessions and web cookies to user identities, hence de-anonymizing users visiting sites that embed their scripts.

This web-to-app ID sharing method bypasses typical privacy protections such as clearing cookies, Incognito Mode and Android's permission controls. Worse, it opens the door for potentially malicious apps eavesdropping on users' web activity.

While there are subtle differences in the way Meta and Yandex bridge web and mobile contexts and identifiers, both of them essentially misuse the unvetted access to localhost sockets. The Android OS allows any installed app with the INTERNET permission to open a listening socket on the loopback interface (127.0.0.1). Browsers running on the same device also access this interface without user consent or platform mediation. This allows JavaScript embedded on web pages to communicate with native Android apps and share identifiers and browsing habits, bridging ephemeral web identifiers to long-lived mobile app IDs using standard Web APIs.

This technique circumvents privacy protections like Incognito Mode, cookie deletion, and Android's permission model, with Meta Pixel and Yandex Metrica scripts silently communicating with apps across over 6 million websites combined.

Following public disclosure, Meta ceased using this method on June 3, 2025. Browser vendors like Chrome, Brave, Firefox, and DuckDuckGo have implemented or are developing mitigations, but a full resolution may require OS-level changes and stricter enforcement of platform policies to prevent further abuse.
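
The web-to-app bridge described above, reduced to its two halves as an added example that is not from the researchers' report or from Meta or Yandex: a stand-in for a native app that listens on the loopback interface, a stand-in for the tracking script that posts the page's cookie to it, and a browser-side loopback check of the kind the mitigations mentioned implement. The real scripts run as JavaScript inside the browser and the real apps listen on fixed ports; this Python version only simulates that exchange, and the port, cookie value and advertising identifier are constructed.

```python
"""Loopback-socket identity bridge: web page -> native app on the same device."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address
from urllib.error import URLError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed stand-in for the long-lived device identifier a native app can read.
FAKE_AAID = "38400000-8cf0-11bd-b23e-10b96e40000d"


class TrackerApp:
    """Stands in for a native app that silently listens on 127.0.0.1."""

    def __init__(self):
        self.linked = {}  # web cookie -> what the app was able to attach to it
        app = self

        class Handler(BaseHTTPRequestHandler):
            def do_POST(self):
                length = int(self.headers.get("Content-Length", 0))
                body = json.loads(self.rfile.read(length))
                # Ephemeral web identifier is now tied to a long-lived device identifier.
                app.linked[body["cookie"]] = {"aaid": FAKE_AAID, "url": body["url"]}
                self.send_response(200)
                self.end_headers()

            def log_message(self, *_):
                pass  # keep the demo quiet

        # Port 0 = any free port; the real apps use fixed, well-known ports.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.server.server_address[1]
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def close(self):
        self.server.shutdown()
        self.server.server_close()


def is_loopback_target(url):
    """Browser-side check: does this request target the local machine?"""
    host = urlparse(url).hostname or ""
    if host == "localhost" or host.endswith(".localhost") or host == "0.0.0.0":
        return True  # 0.0.0.0 reaches loopback on Linux, so treat it the same way
    try:
        return ip_address(host).is_loopback  # covers 127.0.0.0/8 and ::1
    except ValueError:
        return False


def pixel_script(page_url, cookie, port, block_localhost):
    """Stands in for the tracking script embedded on a site. Returns True if delivered."""
    target = f"http://127.0.0.1:{port}/beacon"
    if block_localhost and is_loopback_target(target):
        return False  # mitigation: web content may not talk to loopback services
    payload = json.dumps({"cookie": cookie, "url": page_url}).encode()
    req = Request(target, data=payload, headers={"Content-Type": "application/json"})
    try:
        with urlopen(req, timeout=2) as resp:
            return resp.status == 200
    except URLError:
        return False


def run_demo(block_localhost):
    """One page load against a listening app; returns (delivered, what the app linked)."""
    app = TrackerApp()
    try:
        delivered = pixel_script("https://example.org/article",
                                 "_fbp=fb.1.1700000000000.123456",
                                 app.port, block_localhost)
        return delivered, dict(app.linked)
    finally:
        app.close()


if __name__ == "__main__":
    print(run_demo(block_localhost=False))
    print(run_demo(block_localhost=True))
```

Nothing in the exchange asks the user for anything: the app needed only the INTERNET permission to bind the port, and the page script used an ordinary request to a loopback URL. That is why the fix has to sit in the browser (refuse web-initiated connections to loopback, as `is_loopback_target` gates) or in the OS (mediate which apps may listen on loopback for other contexts), rather than in cookie or Incognito handling.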

Privacy

Car Subscription Features Raise Your Risk of Government Surveillance, Police Records Show (wired.com) 71

An anonymous reader quotes a report from Wired: Automakers are increasingly pushing consumers to accept monthly and annual fees to unlock preinstalled safety and performance features, from hands-free driving systems and heated seats to cameras that can automatically record accident situations. But the additional levels of internet connectivity this subscription model requires can increase drivers' exposure to government surveillance and the likelihood of being caught up in police investigations. A cache of more than two dozen police records recently reviewed by WIRED show US law enforcement agencies regularly trained on how to take advantage of "connected cars," with subscription-based features drastically increasing the amount of data that can be accessed during investigations. The records make clear that law enforcement's knowledge of the surveillance far exceeds that of the public and reveal how corporate policies and technologies -- not the law -- determine driver privacy.

"Each manufacturer has their whole protocol on how the operating system in the vehicle utilizes telematics, mobile Wi-Fi, et cetera," one law enforcement officer noted in a presentation prepared by the California State Highway Patrol (CHP) and reviewed by WIRED. The presentation, while undated, contains statistics on connected cars for the year 2024. "If the vehicle has an active subscription," they add, "it does create more data." The CHP presentation, obtained by government transparency nonprofit Property of the People via a public records request, trains police on how to acquire data based on a variety of hypothetical scenarios, each describing how vehicle data can be acquired based on the year, make, and model of a vehicle. The presentation acknowledges that access to data can ultimately be limited due to choices made by not only vehicle manufacturers but the internet service providers on which connected devices rely.

One document notes, for instance, that when a General Motors vehicle is equipped with an active OnStar subscription, it will transmit data -- revealing its location -- roughly twice as often as a Ford vehicle. Different ISPs appear to have not only different capabilities but policies when it comes to responding to government requests for information. Police may be able to rely on AT&T to help identify certain vehicles based on connected devices active in the car but lack the ability to do so when the device relies on a T-Mobile or Verizon network instead. [...] Nearly all subscription-based car features rely on devices that come preinstalled in a vehicle, with a cellular connection necessary only to enable the automaker's recurring-revenue scheme. The ability of car companies to charge users to activate some features is effectively the only reason the car's systems need to communicate with cell towers. The police documents note that companies often hook customers into adopting the services through free trial offers, and in some cases the devices are communicating with cell towers even when users decline to subscribe.

AI

Microsoft Uses AI To Find Flaws In GRUB2, U-Boot, Barebox Bootloaders (bleepingcomputer.com) 57

Slashdot reader zlives shared this report from BleepingComputer: Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders.

GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices. Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.

The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device. While exploiting these flaws would likely need local access to devices, previous bootkit attacks like BlackLotus achieved this through malware infections.

Microsoft titled its blog post "Analyzing open-source bootloaders: Finding vulnerabilities faster with AI." (And they do note that Microsoft disclosed the discovered vulnerabilities to the GRUB2, U-Boot, and Barebox maintainers and "worked with the GRUB2 maintainers to contribute fixes... GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025.")

They add that, during their initial research, using Security Copilot "saved our team approximately a week's worth of time that would have otherwise been spent manually reviewing the content." Microsoft writes: "Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings..."

As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI's advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors' attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).

This week Google also announced Sec-Gemini v1, "a new experimental AI model focused on advancing cybersecurity AI frontiers."

Android

Google Stops Malicious Apps With 'AI-Powered Threat Detection' and Continuous Scanning (googleblog.com)

Android and Google Play have billions of users, Google wrote in its security blog this week. "However, like any flourishing ecosystem, it also attracts its share of bad actors... That's why every year, we continue to invest in more ways to protect our community." Google's tactics include industry-wide alliances, stronger privacy policies, and "AI-powered threat detection."

"As a result, we prevented 2.36 million policy-violating apps from being published on Google Play and banned more than 158,000 bad developer accounts that attempted to publish harmful apps." To keep out bad actors, we have always used a combination of human security experts and the latest threat-detection technology. In 2024, we used Google's advanced AI to improve our systems' ability to proactively identify malware, enabling us to detect and block bad apps more effectively. It also helps us streamline review processes for developers with a proven track record of policy compliance. Today, over 92% of our human reviews for harmful apps are AI-assisted, allowing us to take quicker and more accurate action to help prevent harmful apps from becoming available on Google Play. That's enabled us to stop more bad apps than ever from reaching users through the Play Store, protecting users from harmful or malicious apps before they can cause any damage.

Starting in 2024, Google also "required apps to be more transparent about how they handle user information by launching new developer requirements and a new 'Data deletion' option for apps that support user accounts and data collection.... We're also constantly working to improve the safety of apps on Play at scale, such as with the Google Play SDK Index. This tool offers insights and data to help developers make more informed decisions about the safety of an SDK."

And once an app is installed, "Google Play Protect, Android's built-in security protection, helps to shield their Android device by continuously scanning for malicious app behavior." Google Play Protect automatically scans every app on Android devices with Google Play Services, no matter the download source. This built-in protection, enabled by default, provides crucial security against malware and unwanted software. Google Play Protect scans more than 200 billion apps daily and performs real-time scanning at the code-level on novel apps to combat emerging and hidden threats, like polymorphic malware. In 2024, Google Play Protect's real-time scanning identified more than 13 million new malicious apps from outside Google Play [based on Google Play Protect 2024 internal data]...

According to our research, more than 95 percent of app installations from major malware families that exploit sensitive permissions highly correlated to financial fraud came from Internet-sideloading sources like web browsers, messaging apps, or file managers. To help users stay protected when browsing the web, Chrome will now display a reminder notification to re-enable Google Play Protect if it has been turned off... Scammers may manipulate users into disabling Play Protect during calls to download malicious Internet-sideloaded apps. To prevent this, the Play Protect app scanning toggle is now temporarily disabled during phone or video calls...

Google Play Protect's enhanced fraud protection pilot analyzes and automatically blocks the installation of apps that may use sensitive permissions frequently abused for financial fraud when the user attempts to install the app from an Internet-sideloading source (web browsers, messaging apps, or file managers). Building on the success of our initial pilot in partnership with the Cyber Security Agency of Singapore (CSA), additional enhanced fraud protection pilots are now active in nine regions — Brazil, Hong Kong, India, Kenya, Nigeria, Philippines, South Africa, Thailand, and Vietnam.

In 2024, Google Play Protect's enhanced fraud protection pilots have shielded 10 million devices from over 36 million risky installation attempts, encompassing over 200,000 unique apps.

Chrome

Google Is Turning Chrome OS Into Android To Compete With the iPad (androidauthority.com)

Google is reportedly working on a multi-year project to migrate Chrome OS into Android, aiming to unify its operating systems and better compete with the iPad. This transition involves incorporating Chrome OS features like extensions and Linux app support into Android, with upcoming updates focused on improving desktop functionality and device compatibility. Android Authority reports: To better compete with the iPad as well as manage engineering resources more effectively, Google wants to unify its operating system efforts. Instead of merging Android and Chrome OS into a new operating system like rumors suggested in the past, however, a source told me that Google is instead working on fully migrating Chrome OS over to Android. While we don't know what this means for the Chrome OS or Chromebook brands, we did hear that Google wants future "Chromebooks" to ship with the Android OS in the future. That's why I believe that Google's rumored new Pixel Laptop will run a new version of desktop Android as opposed to the Chrome OS that you're likely familiar with.

While Google hasn't publicly confirmed its intentions to turn Chrome OS into Android, it did mention back in June that Chrome OS would become more like Android by "embracing portions of the Android stack, like the Android Linux kernel and Android frameworks." Chrome OS already makes use of some Android tech, such as the operating system's Bluetooth stack code-named "Fluoride," so the announcement that it would start to use even more of Android came as no surprise. However, Google's announcement didn't tell the full story, as we've since discovered that not only is Google building a new version of Chrome for Android with extensions support but also a Terminal to run Linux apps on Android. The former is intended to achieve feature parity between Chrome for Android and Chrome OS, while the latter is intended to deliver a Crostini-like experience when Chromebooks transition to Android.

However, there are still a lot of things that Google has to do to achieve feature parity between Android and Chrome OS. The desktop windowing changes that Google is introducing in the first quarterly platform release of Android 15 are just the beginning, as Google is working on a huge number of new Android features including improved keyboard and mouse support, external monitor support, multiple desktops, and more. All of these changes, we're told, are part of Google's internal Android-on-laptop project, though they'll also obviously benefit tablets like the upcoming Pixel Tablet 2.

Businesses

Amazon is Bricking Primary Feature on $160 Echo Device After 1 Year (arstechnica.com)

Amazon is canceling its PhotosPlus subscription service for the Echo Show 8 Photos Edition, effectively ending the device's main selling point. The company will automatically cancel all PhotosPlus subscriptions on September 12 and cease support for the service on September 23. The Echo Show 8 Photos Edition, launched in September 2023, allowed users to display personal photos indefinitely on the home screen for a $2 monthly fee.

Without PhotosPlus, the device will revert to showing ads and promotions after three hours, like standard Echo Show 8 models. An Amazon spokesperson says that the Photos Edition was discontinued in March, citing regular product evaluations based on customer feedback. Users can still display photos on the device, but not indefinitely. The move has sparked criticism from customers who paid a $10 premium for ad-free photo display.
