The IT Nerd

There have been reports that recent exploit attacks on iOS and Android web browsers by Russian hacking group APT29, have been detected by Google:

The Google TAG report, authored by Clement Lecigne, and published on August 29, revealed that the exploits being deployed by the Russian state-sponsored APT29 hacking group were the same as those used by commercial spyware vendors in the past.

Observed by the Google and Mandiant security analysts between November 2023 and July 2024, the exploits formed part of what is known as a watering hole attack. This is pretty much what you would expect it to be: a cyberattack targeting victims by infecting a website or service that they would ordinarily use and trust. Just like predators who attack their prey by hiding near real watering holes for thirsty animals at their most vulnerable. “The use of watering hole attacks circumvents traditional web security controls like URL categorization filters,” Adam Maruyama, field chief technology officer at Garrison Technology said, “because the owner of the site and the human-readable content hosted there are legitimate, leaving only a few layers of protection between the end user’s device and the malicious webcode.” The threat becoming even more acute on mobile devices, Maruyama continued, “where few users have endpoint protection products to stop even known exploits, leaving unpatched devices vulnerable.”

The prey in these particular attacks were Mongolian government websites, although the same tactic would apply to any targeted victim. State-sponsored groups such as APT29 tend to go for big game, as it were, being commercial and government organizations that benefit their paymasters most. The common denominator was that the victims were using the Safari browser on older versions of iOS (those before 16.6.1) initially and then Android users running the m121 to m123 versions of the Chrome browser. It should be noted that fixes had already been made available for the vulnerabilities exploited in these attacks, but users who were using unpatched versions were at risk.

Alan Bavosa, VP of Security Products at Appdome had this comment:

“While the APT29 group attack is focused on mobile browsers, the real targets ultimately are the Android and iOS apps running on unprotected end-user devices. To counter such threats, comprehensive mobile app protection is vital. App developers need to protect their apps and mobile end users from these and other attacks, using basic mobile app security protections as well as protections against new, sophisticated attacks, such as accessibility malware and social engineering attacks.”

“The nature of today’s mobile attack landscape means that it is difficult, if not impossible, for mobile end users to protect themselves.”

“Consumers are holding mobile brands accountable for mobile app defense. In order for mobile developers to keep up, they must implement automated mobile app defense systems to combat today’s increasingly sophisticated cyber threats rather than using SDKs or protecting their apps from scratch.”

This is a wakeup call for consumers and brands on how vulnerable the little rectangles we carry around with us everywhere we go really are. Thus updates need to be issued and applied and app companies need to make sure that their apps are secure.

From the “this is real shady” department comes reports like this one that appear to bring to light Google’s Team Pixel program. Here’s how the program works:

A company or PR representative reaches out to you because you have an audience; they want to market and grow hype around their new phone/product (in this case, the Pixel 9 series); you need new, shiny things for your channel, so you bite their hand off, and a box of shiny new toys wings its way to your home or studio.

But then reality sets in, the reality of how the B2C reviews machine really works. In order to get early access to these phones, and future phones, you must adhere to an agreement.

And what does that agreement stipulate?

Simple: you have to be positive about the product or else you’re off the team, no more new, free Pixel phones for you. With this kind of threat, of course, most will bend the knee. But some haven’t and some have even outed #teampixel on X, shout-out to Mark’s Tech.

The Mark’s Tech is this guy who posted this to Twitter:

And this:

Now to be clear, this is being done by a PR company named 1000Heads. So there is the chance that Google was not even aware that this was going on. Though I seriously doubt that based on this:

I think this is called damage control.

Let me comment on this from the perspective of someone who does reviews. First of all I make it very clear here that I say what I want. And if a company doesn’t like that, fine. Go someplace else. I’m cool with that. Now the people from manufacturers and PR firms that I’ve dealt with over the years have never pulled a stunt like this on me. But at the same time, I go out of my way to avoid being put in a position where I might be incentivized to say nice things about a product. Because that’s simply not fair to my readership. That’s likely meant that the readership of this blog hasn’t grown as fast as it could have if I were less ethical. But I’m fine with that as I can sleep at night.

Any company that does anything as shady as this needs to be called out and held accountable. Because the products a company makes should sell the most and be the best because they are the best and people in the business of reviewing products agree of their own free will and not because they were incentivized to say nice things. Anything else is just wrong.

Well, this is groundbreaking. A judge has ruled that Goole is an illegal monopoly:

“After having carefully considered and weighed the witness testimony and evidence, the court reaches the following conclusion: Google is a monopolist, and it has acted as one to maintain its monopoly,” US District Judge Amit Mehta Mehta wrote in Monday’s opinion. “It has violated Section 2 of the Sherman Act.”

The decision by the US District Court for the District of Columbia is a stunning rebuke of Google’s oldest and most important business. The company has spent tens of billions of dollars on exclusive contracts to secure a dominant position as the world’s default search provider on smartphones and web browsers.

Those contracts have given it the scale to block out would-be rivals such as Microsoft’s Bing and DuckDuckGo, the US government alleged in a historic antitrust lawsuit filed during the Trump administration.

Now, said Mehta, that powerful position has led to anticompetitive behavior that must be stopped.

Specifically, Google’s exclusive deals with Apple and other key players in the mobile ecosystem were anticompetitive, Mehta said. Google has also charged high prices in search advertising that reflect its monopoly power in search, he added.

Those contracts have long meant that when users want to find information, Google is generally the easiest and quickest platform to go to, which in turn has fueled Google’s massive online advertising business.

While the court did not find that Google has a monopoly in search ads, the broader strokes of the opinion represent the first major decision in a string of US-government led competition lawsuits targeting Big Tech. This case in particular has been described as the biggest tech antitrust case since the US government’s antitrust showdown with Microsoft at the turn of the millennium.

Now you should keep in mind that the judge hasn’t determined what the penalties for this behaviour are going to be. And you can bet that Google will fight this as hard as they can. But I can say one thing, which is that others in the tech space are likely watching this very closely because they could be next.

If you’re a Google Chrome user, you should make sure that you’re on 125.0.6422.112/.113 for Windows, Mac and 125.0.6422.112 for Linux. If you’re not, update ASAP as this update addresses a zero day vulnerability that is being actively exploited. Here’s what Google said:

This update includes 1 security fix. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[N/A][341663589] High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google’s Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20

Google is aware that an exploit for CVE-2024-5274 exists in the wild.

Fun fact, this is the fourth zero day that Google has patched this month. Here are the other three:

• CVE-2024-4947 patched on 15 May. This was another type confusion flaw in V8 that was reported by Vasily Berdnikov and Boris Larin of Kaspersky Lab and which was used in targeted attacks according to Kaspersky.
• CVE-2024-4761 patched on 13 May. An out of bounds memory write in V8 reported by an Anonymous researcher.
• CVE-2024-4671 patched on 9 May. A use after free flaw in the browser’s Visuals component that was reported by an Anonymous researcher.

So if you haven’t updated Chrome, consider this a today problem.

Coming out of  Google Marketing Live, Google showcased the latest product innovations across Google Ads and Commerce to help businesses thrive. 

Key announcement highlights included: 

• New Performance Max creative controls. Soon, advertisers can share their font and color guidelines, as well as provide helpful image reference points to generate new asset variations. We’re introducing new image editing capabilities so advertisers can try adding new objects, extending backgrounds, and cropping to adapt to any format, size and orientation. 
• New immersive Shopping Ad experiences. Advertisers will soon be able to enhance their Shopping ads with immersive visuals, including Virtual Try-On and generated 3D spinning ads, and later this year, we’re introducing a feature that lets shoppers dive deeper into an ad to see product videos, summaries and similar products provided by the advertiser.
• Driving results and visual storytelling through Demand Gen: Beyond visually immersive ads, there are opportunities to connect with consumers on our most visually immersive channels — YouTube, Discover and Gmail. We launched Demand Gen last year, helping advertisers drive demand and conversions, and soon we’ll roll them out to even more advertisers on Display & Video 360 and Search Ads 360.
• New opportunities for consumers. Ads have always been an important part of consumer’s information journeys. Soon, we’ll start testing Search and Shopping ads in AI Overviews for users in the U.S. In addition, we will start testing a new ad experience in Search to help guide people through complex purchase decisions.

Read about these and more on Google’s Keyword blog:

• Ads creativity and performance at scale with Google AI by Vidhya Srinivasan, Vice President / General Manager, Ads
• New AI tools to help merchants market brands and products by Matt Madrigal, VP/GM, Merchant Shopping

Google has introduced the Find My Device network for Android. Which as the name suggests is just like the Find My network that Apple rolled out a while ago. This network will allow you to do five things:

• Keep track of your Android devices as well as find them.
• Keep track of everyday items such as keys using Bluetooth trackers. Google specifically calls out Chipolo and Pebblebee. But also says that support for eufy, Jio, Motorola and other trackers are coming. One has to wonder if the O.G. of Bluetooth trackers which is Tile will be included? In any case, you can also find “unwanted” trackers which apparently includes AirTags.
• You can leverage Nest devices to find items in your home and share items with your family.

This is live in the US and Canada and works on phones running Android 9 or higher. The one that that I think is a win here is that this will further discourage the use of AirTags and other Bluetooth trackers by criminals as any of these trackers are now more likely to be found by “Joe Average.”

Hi there, International Women’s Day is tomorrow and this year’s theme is #InspireInclusion. Around the world, underrepresented founders face a disproportionate lack of access to capital and support networks. Here in Canada, women entrepreneurs, in particular, make up only 17% of small and medium-sized business owners.  

Google launched the Google for Startups Accelerators: Women Founders cohort in 2020, to help level the playing field for women founders across North America, and inspire inclusion in the startup ecosystem. Over the past four years, they’ve worked with 47 women-led startups, who have collectively raised $93.22M USD since graduating from their cohorts. 

Today, ahead of International Women’s Day, Google is excited to welcome 15 new women-led businesses to the Google for Startups Accelerator community including MedReddie, Nimble Science, and SkyAcres, three Canadian startups that are driving transformation in agriculture and healthcare spaces. Learn more about the program here.