FUTO Voice Input

Android application that lets you do speech-to-text on Android, integrating with third party keyboards or apps that use the generic speech-to-text APIs.

👉 FUTO Voice website: https://voiceinput.futo.org
👉 F-Droid repo:
https://app.futo.org/fdroid/repo/
👉 FUTO Voice play store: https://play.google.com/store/apps/details?id=org.futo.voiceinput
👉 FUTO Voice source code: https://gitlab.futo.org/alex/voiceinput
⚠️ License https://gitlab.futo.org/alex/voiceinput/-/blob/master/FTL_LICENSE.md

🔵 Linux Live Captions interview: https://www.youtube.com/watch?v=r09Hm2zd2lY
👉 Live Captions github: https://github.com/abb128/LiveCaptions
🔵 Louis' interview w/ FUTO's founder:  
Q&A w/ billionaire alt-tech investor/philanthropist Eron Wolf
https://www.youtube.com/watch?v=OJPmbcU-Vzo
⚠️ Google's breaches of privacy have gone TOO FAR!
https://www.youtube.com/watch?v=_vWAF13KigI

00:00 - Intro
00:24 - The problem with voice to text
00:37 - How Google's voice to text stored data
01:24 - EULA roofying
02:21 - Why is this called paid promotion?
03:37 - Introducing our voice to text keyboard
04:00 - The issue with Google's voice to text
04:30 - Demoing Google's voice to text
04:58 - Installing FUTO Voice Input
05:26 - Configuring FUTO Voice Input
05:52 - A note on compatible keyboards
06:19 - Configuring FUTO Voice Input
06:42 - Demoing FUTO Voice Input - SLOW MODEL
07:54 - Demoing FUTO Voice Input - FAST MODEL
08:28 - Demoing Google Voice input - same text
08:52 - FUTO keyboard wins out - better accuracy & punctuation
09:34 - NO DATA COLLECTION, NO ADS, NO TRACKING
09:58 - Open Source, but not free
10:18 - Our DRM/antipiracy measure is the honor system
10:48 - Why isn't this free?
12:00 - We will be making a keyboard w/ autocorrect soon as well

#Android #speech #recognition #stt #voice

#Android Smartphone #Hardening non-root #Guide 4.0
By @TheAnonymouseJoker

https://lemmy.ml/post/128667

Physical Attacks Against Smartphones

Android devices are constantly improving their security to protect against attackers with physical access, with new protection techniques being added year-by-year. This talk aims to demonstrate vulnerabilities in modern Android smartphones that are still viable, despite the mitigations in place.

In the first phase of this talk, we will discuss the analysis and exploitation of vendor-customized versions of Android's Recovery mode, demonstrating weaknesses that allow for privilege escalation to root, and traversal from Recovery to Android, without Bootloader access....

By: Christopher Wade

Full Abstract and Presentation Materials:https://www.blackhat.com/us-23/briefings/schedule/#physical-attacks-against-smartphones-32485

#Android #Vulnerabilities #RecoveryMode #Exploit #PrivilegdeEscalation #Root

#Android 15 Developer Preview released - What's New?

https://www.cnx-software.com/2024/02/17/android-15-developer-preview-released-whats-new/

HeliBoard

#HeliBoard is a privacy-conscious and customizable open-source #android #keyboard, based on AOSP / OpenBoard. Does not use internet permission, and thus is 100% offline.

https://github.com/Helium314/HeliBoard

https://github.com/Helium314/HeliBoard/releases

https://apt.izzysoft.de/fdroid/index/apk/helium314.keyboard

Features
Add dictionaries for suggestions and spell check
build your own, or get them here, or in the experimental section (quality may vary)
additional dictionaries for emojis or scientific symbols can be used to provide suggestions ("emoji search")
note that for Korean layouts, suggestions only work using this dictionary, the tools in the dictionary repository are not able to create working dictionaries
Customize keyboard themes (style, colors and background image)
can follow the system's day/night setting on Android 10+ (and on some versions of Android 9)
can follow dynamic colors for Android 12+
Customize keyboard layouts (only when disabling use system languages)
Multilingual typing
Glide typing (only with closed source library)
library not included in the app, as there is no compatible open source library available
can be extracted from GApps packages ("swypelibs"), or downloaded here
if you are concerned about security implications of loading user-provides libraries, please use the nouserlib build variant, which removes this option. If HeliBoard is installed as system app, and swypelibs are available for the system, they will be used.
If the app is installed as a system app and swypelibs are available, glide typing will be available independent of the version.
Clipboard history
One-handed mode
Split keyboard (if the screen is large enough)
Number pad
Backup and restore your learned word / history data

Bypassing the “run-as” debuggability check on Android via newline injection | Meta Red Team X –

An attacker with ADB access to an Android device can trick the “run-as” tool into believing any app is debuggable. By doing so, they can read and write private data and invoke system APIs as if they were most apps on the system—including many privileged apps, but not ones that run as the system user. Furthermore, they can achieve persistent code execution as Google Mobile Services (GMS) or as apps that use its SDKs by altering executable code that GMS caches in its data directory.

Google assigned the issue CVE-2024-0044 and fixed it in the March 2024 Android Security Bulletin, which becomes public today. Most device manufacturers received an advance copy of the Bulletin a month ago and have already prepared updates that include its fixes.

#Infosec #Vulnerabilities #CVE #Android #ADB

Coper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs? | Team Cymru

Coper, a descendant of the Exobot malware family, was first observed in the wild in July 2021, targeting Colombian Android users. At that time, Coper (the Spanish translation of “Copper”) was distributed as a fake version of Bancolombia’s “Personas'' application.

The malware offers a variety of advanced features, including keylogging, interception of SMS messages and push notifications, and control over the device's screen. It employs various injects to steal sensitive information, such as passwords and login credentials, by displaying fake screens or overlays. Additionally, it utilizes VNC (Virtual Network Computing) for remote access to devices, enhancing its surveillance capabilities.

#Android #MAS #Exobot #Keylogging #Malware #RemoteAccess #SMS #Coper #Octo

Attacking Android

"In this comprehensive guide, we delve into the world of Android security from an offensive perspective, shedding light on the various techniques and methodologies used by attackers to compromise Android devices and infiltrate their sensitive data. From exploiting common coding flaws to leveraging sophisticated social engineering tactics, we explore the full spectrum of attack surfaces present in Android environments."

#Android #Infosec #Vulnerabilities

AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers

We will present a novel attack - that we call AutoSpill - to steal users' saved credentials from PMs during an autofill operation on a login page loaded inside an app. AutoSpill violates Android's secure autofill process. We found that the majority of top Android PMs were vulnerable to AutoSpill; even without JavaScript injections. With #JavaScriptInjections enabled, all of them were found vulnerable. We discovered the fundamental reasons for AutoSpill and will propose systematic countermeasures to fix AutoSpill properly. We responsibly disclosed our findings to the affected PMs and Android security team. Different PMs and Google accepted our work as a valid issue.

By: Ankit Gangwal , Shubham Singh , Abhijeet Srivastava

Full Abstract and Presentation Materials

#Android #Vulnerabilities #PasswordManager #AutoSpill

Universal Android Debloater Next Generation

Cross-platform GUI written in Rust using ADB to debloat non-rooted #Android devices. Improve your privacy, the security and battery life of your device.

https://github.com/Universal-Debloater-Alliance/universal-android-debloater-next-generation

This is a detached fork of the UAD project, which aims to improve privacy and battery performance by removing unnecessary and obscure system apps. This can also contribute to improving security by reducing the attack surface.

Wiki
https://github.com/Universal-Debloater-Alliance/universal-android-debloater-next-generation/wiki

Download
https://github.com/Universal-Debloater-Alliance/universal-android-debloater-next-generation/releases

#debloater #uadng

KernelSU

A kernel-based #root solution for #Android

https://kernelsu.org/guide/installation.html

https://github.com/tiann/KernelSU

@KernelSU
@KernelSU_group

Android Malware Vultur Expands Its Wingspan | NCC Group Research Blog

The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device.

Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted on the fly, and using the guise of legitimate applications to carry out its malicious actions.

Via @androidMalware
#Android #Malware #Vultur

UpgradeAll

Check updates for Android apps, Magisk modules and more

Free and open source software which simplifies the process of finding updates for Android apps (even if you didn't install them), Magisk modules and more. The main focus is on speed and ease of use, which is widely appreciated by users.

Currently, the following sources are officially supported:
Github
Gitlab
F-Droid
Play Store
Coolapk
Source List

https://github.com/DUpdateSystem/UpgradeAll

Telegram channel: https://t.me/upallci
Discussions:
https://t.me/DUpdateSystem
https://matrix.to/#/#upgradeall:matrix.org
https://jq.qq.com/?_wv=1027&k=ZAOtKhuH

Download
https://github.com/DUpdateSystem/UpgradeAll/releases
https://f-droid.org/packages/net.xzos.upgradeall/

#apk #android #upgrade #update

Playing Possum: What's the Wpeeper Backdoor Up To? | XLab_qianxin

On April 18, 2024, XLab's threat hunting system detected an ELF file with zero detections on VirusTotal being distributed through two different domains. One of the domains was marked as malicious by three security firms, while the other was recently registered and had no detections, drawing our attention. Upon analysis, we confirmed that this ELF was malware targeting Android systems, utilizing compromised WordPress sites as relay C2 servers, and we named it Wpeeper.

Wpeeper is a typical backdoor Trojan for Android systems, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands.

Via @androidmalware
#Android #Trojan #Possum #Wpeeper
#WordPress

Becoming any Android app via Zygote command injection | Meta Red Team X

We have discovered a vulnerability in Android that allows an attacker with the WRITE_SECURE_SETTINGS permission, which is held by the ADB shell and certain privileged apps, to execute arbitrary code as any app on a device. By doing so, they can read and write any app’s data, make use of per-app secrets and login tokens, change most system configuration, unenroll or bypass Mobile Device Management, and more. Our exploit involves no memory corruption, meaning it works unmodified on virtually any device running Android 9 or later, and persists across reboots.

#Zygote #Android #Vulnerability

Security flaw found in #android's WRITESECURESETTINGS showing attackers access to any app's data

https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html

#vulnerability

Arid Viper poisons Android apps with AridSpy | WeLiveSecurity

ESET researchers have identified five campaigns targeting Android users with trojanized apps. Most probably carried out by the Arid Viper APT group, these campaigns started in 2022 and three of them are still ongoing at the time of the publication of this blogpost. They deploy multistage Android spyware, which we named AridSpy, that downloads first- and second-stage payloads from its C&C server to assist it avoiding detection.

The malware is distributed through dedicated websites impersonating various messaging apps, a job opportunity app, and a Palestinian Civil Registry app. Often these are existing applications that had been trojanized by the addition of AridSpy’s malicious code.

Via @androidmalware
#Palestine #Egypt #AridSpy #Android
#Trojan #AridViper #APT

Free Android VPN Security Flaws: 100 Apps Tested

I tested the 100 most popular free VPNs in the Google Play store and found significant security and privacy flaws affecting Android apps that have been installed over 2.5 billion times worldwide.

#Android #VPN #Infosec