Kaspersky official blog, “android” feed (https://www.kaspersky.com/blog)

How to store Location History in Android in 2024? | Kaspersky official blog
https://www.kaspersky.com/blog/google-location-history-security-2024/50725/
Fri, 01 Mar 2024 11:45:46 +0000

Of all the accusations routinely hurled Google’s way, there’s one that especially alarms users: the company can track the location of all Android — and to some extent, Apple — phones. Past experience suggests that Google indeed does this — not only using this data to display ads, but also storing it in Location History and even providing it to law enforcement agencies. Now Google promises to only store Location History on the device. Should we believe it?

What’s wrong with Location History?

Location History lets you easily view the places a user visited and when they did so. You can use it for all kinds of things: remembering the name of that beach or restaurant you went to while on vacation two years ago, finding the address of a place your better half often goes to after work, getting new bar suggestions based on the ones you’ve been to, locating the florist that delivered the surprise bouquet for a party, and many more. The ways this feature both benefits and harms Google account holders are widely reported. Little wonder then that many — even those with a clean conscience — often want to turn it off completely.

Regrettably, Google has repeatedly been caught mishandling its Location History setting. Even when it was explicitly disabled, location data was still collected under “Web & App Activity”. This led to a series of lawsuits that Google settled: in 2023 the company agreed to pay $93 million under one suit, and a year earlier $392 million under another. These sums were but a pinprick to a corporation with hundreds of billions of dollars in revenue, but the settlements at least obliged Google to revise its location tracking practices.

The combined legal and public pressure apparently led to the company announcing at the end of 2023 a drastic change: now, according to Google, Location History will be collected and stored on users’ devices only. But does that make the feature any more secure?

How does Location History (supposedly) work in 2024?

First of all, check that the feature has been updated on your device. As is usual with Google, updates for the billions of Android devices roll out in waves, and to relatively recent OS versions only. So, unless you see an alert that looks like the one below, it’s likely your device hasn’t received the update, and enabling Location History will still save the data on Google’s servers.

Unless Google has explicitly warned you that your Location History will be stored on your device, it's likely to continue being saved to Google's servers

If your Location History is now stored locally, however, Google Maps will offer options for centralized management of your “places”. By selecting a point on the map, such as a coffee shop, and opening its description, you’ll see all the times you visited the place in the past, all searches for the place on the map, and other things like that. One tap on the location card can delete all of your activity associated with the place.

Google says it will store the history for each place for three months by default and then delete it. To change this setting or disable history, simply tap the blue dot on the map that shows your current location and turn off Location History in the window that pops up.

Options for configuring and disabling Location History

An obvious downside to offline Location History is that it won’t be accessible to the user on their other devices. As a workaround, Google suggests storing an encrypted backup on its servers.

Keep in mind that what we’re discussing here is the new implementation of Location History as described by Google. Detailed analysis of how this new pattern actually works may reveal pitfalls and caveats that no one except Google’s developers knows about at this point.

What threats does this update eliminate?

Although the new storage method improves the privacy of location data, it can’t be considered a one-size-fits-all solution to all existing issues. So how does it affect various hypothetical threat scenarios?

  • Tracking you to customize ads. This is unlikely to be affected in any way: Google can continue to collect data on places you visit in an anonymized, generalized form. You’ll keep seeing ads linked to your current or past locations unless you disable either that or all targeted ads entirely. Remember that Google isn’t the only one out there tracking your location: other apps and services have been caught abusing this data as well.
  • Evil hackers and cyberspies. These malicious groups typically use commercial spyware (stalkerware) or malicious implants, so the changes to Google’s Location History will hardly affect them.
  • Jealous partner or prying relative. It’ll be harder to use a computer on which you’re signed in to your Google account to track your location. Someone could still quietly snoop on your phone while it’s unlocked, or secretly install commercial spyware such as the stalkerware mentioned above. So what matters here is the general hygiene that protects a smartphone from mobile spyware, not the update to Google Maps.
  • Law enforcement. This isn’t likely to change much, as, in addition to asking Google, the police can request your location data from the mobile carrier or deduce it from surveillance camera footage, which is both easier and faster.

So, the update doesn’t help user privacy all that much, does it? We’re afraid not.

How do I effectively protect my location data?

You’re limited to fairly drastic options these days if you want to prevent location tracking. We list these here in ascending order of extremity.

  • Use comprehensive security on all your devices, including phones and tablets. This will reduce the likelihood of being exposed to malware, including stalkerware.
  • Disable Google Location History and Web & App Activity, avoid giving location permissions to any apps except navigation apps, turn off personalized ads, and use a DNS service that filters ads.
  • Turn off all geo-tracking features (GPS, Google location services, and others) on your smartphone.
  • When on an especially important trip, activate flight mode for an hour or two, or just turn off your smartphone.
  • Ditch smartphones in favor of the most basic dumbphones.
  • Ultimately, stop carrying around any kind of phone at all.
  • Live 100% off-grid; e.g., in a cave.
Scamming investors through apps from official stores | Kaspersky official blog
https://www.kaspersky.com/blog/online-investment-dangerous-apps/50057/
Mon, 18 Dec 2023 13:19:08 +0000

As the popularity of online investing grows, so does the number of related online scams. A few months back, we took a look at some fake investment apps that we’d found in the App Store. After that, we decided to dig a little deeper and see where else such apps are lurking. And our search yielded much more curious results than we expected.

This post is about our most interesting findings: fake “gas” apps in Android store recommendations; “oil investment” apps in the App Store and on Google Play; as well as a series of fake videos in which “Erdogan”, “Musk”, and other famous people promote non-existent investment platforms.

Gas scammers in Android app stores

First of all, let’s outline the scale of the problem. We discovered several hundred scam apps in different languages — more than 300 in total — offering investments in natural resources, “quantum investment algorithms”, and other fancy things that purport to turn a small sum into untold riches.

Such apps can be found crawling all over stores that are pre-installed on phones of various brands: for example, GetApps on Xiaomi smartphones, or Palm Store on Tecno devices.

Hundreds of scam investment apps in GetApps and Palm Store for Android

One of the stores even included a number of scam apps in the list of recommendations shown to the user when they open it, and those apps were even pre-checked — so the store itself encourages the user to install them!

Scam investment apps in Palm Store's recommended list

Some Android advertising apps were found to contain ads for either “gas” and “quantum” apps, or scam sites offering the same: natural resources, investment algorithms, and other sure-fire ways of earning hundreds of dollars a day without lifting a finger.

Ad for “gas” and “quantum” scam apps for Android

Fake videos: “Musk” and “Erdogan” advertise investment platforms

Besides such apps and sites themselves, we uncovered some massive information campaigns promoting various “investment platforms”.

In particular, these spread fake news about how ordinary users got rich through investments, and each campaign was tailored to the target region in the style of leading local media and featuring the names of famous politicians and businesspeople.

Fake news content about earnings on investment platforms

Also discovered were many (around 800) fake videos, localized for almost all regions of the world and “starring” well-known politicians, actors, businesspeople, and others.

Naturally, the people depicted don’t even suspect that their images are being exploited for such purposes. The creators of the videos use real footage of an official nature — interviews with national TV stations, public speeches and the like that are familiar to the regional target audience. In this way, the scammers maximize the number of victims likely to be persuaded by such fakes.

The videos, it must be said, are made quite well. Overlaid on top of the edited video footage are audio tracks that sound very convincing — strongly suggesting the use of audio deepfakes. The audio is also carefully subtitled, so the videos can be watched without sound.

In addition, the scammers use company names similar to ones everyone’s heard of. For instance, a Russian-language video promotes the “Tesla X investment platform”, allegedly created by Elon Musk as a by-product of developing a vehicle autopilot system. The operating principle of this investment algorithm is “like a multicooker: you put in the ingredients and get a ready dinner” (indirect quote).

Scam video with Musk, DiCaprio, and the “Tesla X investment platform”

In another video in Turkish, the main character is… the president of Türkiye, who appears to unveil an “investment platform” promising big bucks. All it takes is to “invest” just 5000 lira (around $170, or €160) in supposed shares of a Turkish state-owned oil-and-gas pipeline company.

“Recep Tayyip Erdoğan” offers a get-rich opportunity by “investing” just 5000 lira

Next up is a video in Spanish. In it, Mexican billionaire Carlos Slim “advises” his fellow citizens to invest in oil through an “investment platform” called Oil Profit.

Carlos Slim appears to promote an “investment” app called Oil Profit

Such videos, created for a host of countries and regions, are myriad, and most give the impression of being endorsed by national or regional heads, who “encourage” investing money in large public and private projects — which, of course, in reality goes straight into the scammers’ pockets.

Citizens of Moldova are promised a juicy rate of return from Moldindconbank, because “payments are guaranteed by the head of the Central Bank!” Citizens of Kazakhstan are advised to “invest” in KazMunayGas, and citizens of Romania — in Romgaz; in both videos, the lead character is the country’s president. Meanwhile, Korean citizens are invited to invest in a fake “national-level investment platform” seemingly from Samsung, and Bulgarian citizens — in a no-less fake scheme from Bulgarian Energy Holding. And the list goes on…

Not by gas alone: “oil” scammers in the App Store and on Google Play

Researching the case of Carlos Slim seemingly promoting investments in oil, we discovered several more apps in the App Store and on Google Play with the name “Oil Profit” in the title (the creators’ own spelling and punctuation are retained):

  • Oil Profit – Trading Insignts [sic]
  • Oil – Profit, Trade, News
  • Oil Profit – News & Help
  • Oil Profit : Ai Technology

Scam Oil Profit apps on Google Play and in the App Store

These “oil” apps work in roughly the same way as their “gas” cousins, only in English — although analysis of the code points to the campaign being aimed at Arab countries, Mexico, France, Italy, and Poland. First, the potential victim is shown videos promising out-of-this-world enrichment. Next, they’re asked to complete a survey in the form of a conversation with a chatbot (“the Oil Profit system’s AI”), after which they’re told to expect a whopping rate of return of $777 per day!

The internal mechanics of the scam Oil Profit app: an enticing video, a survey with the promise of vast riches, and an offer to take a call from a “representative”

This, naturally, is followed by an offer to take another call, this time from a “specialist” who’ll be in touch within one business day. During this call, of course, the victim is persuaded to part with their money under one pretext or another.

How to stay protected

When someone offers you a pile of cash for nothing, it’s a sure sign you’ll end up giving them money rather than the other way round. To guard against scam apps and mobile malware, secure all your devices with comprehensive protection, such as our Kaspersky Premium.

How to hack Android, macOS, iOS, and Linux through a Bluetooth vulnerability | Kaspersky official blog
https://www.kaspersky.com/blog/bluetooth-vulnerability-android-ios-macos-linux/50038/
Mon, 11 Dec 2023 13:22:47 +0000

A severe vulnerability has been found in the implementations of the Bluetooth protocol across several popular operating systems: Android, macOS, iOS, iPadOS, and Linux. This bug potentially allows remote hacking of vulnerable devices without any particular action required on the part of the user. Let’s dive into the details.

The Bluetooth vulnerability allows you to connect a fake keyboard

The essence of the problem is that a vulnerable device can be forced to connect to a fake Bluetooth keyboard without requiring user confirmation — bypassing the pairing and authentication checks that the operating system is supposed to enforce. Unauthenticated connections of this kind are permitted by the Bluetooth specification, and flaws in how popular operating systems implement their Bluetooth stacks give attackers the opportunity to abuse this mechanism.

The attackers can then use this connection to input commands, allowing them to execute any action as if they were the user — without requiring additional authentication such as a password or biometrics (like a fingerprint or face scan). According to the security researcher Marc Newlin who discovered this vulnerability, no special equipment is needed for a successful attack — just a Linux laptop and a standard Bluetooth adapter.

As you might guess, the attack is inherently limited by the Bluetooth interface: an attacker needs to be in close proximity to the victim. This naturally rules out mass exploitation of the vulnerability in question. However, malicious actors exploiting this vulnerability could still be a worry for specific individuals of special interest to those actors.

Which devices and operating systems are vulnerable?

This vulnerability affects a range of operating systems and several classes of devices based on them — albeit with some variations. Depending on the OS used, devices may be more or less vulnerable.

Android

Android devices were the most thoroughly examined for the presence of the aforementioned vulnerability. Marc Newlin tested seven smartphones with different OS versions — Android 4.2.2, Android 6.0.1, Android 10, Android 11, Android 13, and Android 14 — and found that all of them were vulnerable to the Bluetooth hack. Furthermore, concerning Android, all that’s required for this hack is for Bluetooth to be enabled on the device.

The researcher informed Google of the discovered vulnerability in early August. The company has already released patches for Android versions 11 through 14, and sent them to manufacturers of smartphones and tablets based on this OS. These manufacturers now have the task of creating and distributing the necessary security updates to their customers’ devices.

Of course, these patches must be installed as soon as they become available for devices running on Android 11/12/13/14. Until then, to protect against hacking, it’s advisable to keep Bluetooth turned off. For devices running older Android versions, there’ll be no updates — they’ll remain vulnerable to this attack indefinitely. Thus, the advice to turn Bluetooth off will remain relevant for them until the end of their service life.

macOS, iPadOS, and iOS

As for Apple’s operating systems, the researcher didn’t have such a wide range of test devices. Nonetheless, he was able to confirm that the vulnerability is present in iOS 16.6, as well as in two versions of macOS — Monterey 12.6.7 (x86) and Ventura 13.3.3 (ARM). It’s safe to assume that in fact a wider range of macOS and iOS versions — as well as related systems like iPadOS, tvOS, and watchOS — are vulnerable to the Bluetooth attack.

Another piece of bad news is that the enhanced security mode introduced by Apple this year — the so-called “Lockdown Mode” — doesn’t protect against attacks exploiting this Bluetooth vulnerability. This applies to both iOS and macOS.

How to disable Bluetooth in iOS and iPadOS

Just in case, a reminder of how to turn off Bluetooth properly in iOS and iPadOS: do it in the Settings app, not via the Control Center, since the Control Center toggle only disconnects accessories temporarily.

Fortunately, a successful attack on Apple’s operating systems requires an additional condition besides having Bluetooth enabled: the device must be paired with an Apple Magic Keyboard.

This means that Bluetooth attacks primarily pose a threat to Macs and iPads used with a wireless keyboard. The likelihood of an iPhone being hacked through this vulnerability appears to be negligible.

The researcher reported the discovered bug to Apple around the same time as Google, but so far there’s been no information from the company regarding security updates, or a detailed list of vulnerable OS versions.

Linux

This attack also works against BlueZ — the official Linux Bluetooth stack. Marc Newlin confirmed the presence of the Bluetooth vulnerability in Ubuntu Linux versions 18.04, 20.04, 22.04, and 23.10. The bug that made the attack possible was discovered and fixed back in 2020 (CVE-2020-0556). However, this fix was, by default, disabled in most popular Linux distributions, and is only enabled in ChromeOS (according to Google).

The Linux vulnerability discovered by the researcher was assigned the number CVE-2023-45866, and a CVSS v3 score of 7.1 out of 10, according to Red Hat. For successful exploitation of this vulnerability, only one condition needs to be met: the Linux device must be discoverable and connectable through Bluetooth.

The good news is that a patch for this vulnerability in Linux is already available, and we recommend installing it as soon as possible.
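The 2020 fix the post refers to is an opt-in BlueZ setting, so a patched system can still be exposed if the option is left at its old default. The script below is an added example (not code from the Kaspersky post or from BlueZ): it reads the `ClassicBondedOnly` option from the `[General]` section of `/etc/bluetooth/input.conf` (the path and key name are stock BlueZ; the path is configurable via `BLUEZ_INPUT_CONF`) and, if `bluetoothctl` is present, also checks whether the adapter is discoverable or pairable, which is the precondition the post gives for exploitation on Linux.

```shell
#!/bin/sh
# Added example, not from the Kaspersky post: checks a BlueZ host for the
# CVE-2020-0556 mitigation the post says ships disabled by default.
# Assumptions: stock BlueZ layout (/etc/bluetooth/input.conf, key
# ClassicBondedOnly under [General]); a commented-out key means "BlueZ default",
# which was false before BlueZ 5.71.

CONF="${BLUEZ_INPUT_CONF:-/etc/bluetooth/input.conf}"

# Print the effective value of ClassicBondedOnly from an input.conf file:
# "true", "false" (lower-cased), or "unset" when the key is missing/commented
# or the file is unreadable. Only the [General] section is consulted.
classic_bonded_only_value() {
    [ -r "$1" ] || { echo unset; return 0; }
    awk '
        /^[ \t]*#/  { next }                                   # comment line
        /^[ \t]*\[/ { in_general = ($0 ~ /^[ \t]*\[General\]/); next }
        in_general && /^[ \t]*ClassicBondedOnly[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print tolower($0); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Exit 0 when unauthenticated (non-bonded) classic HID devices are rejected.
bluez_hid_hardened() {
    [ "$(classic_bonded_only_value "$1")" = "true" ]
}

# Given the text of `bluetoothctl show`, exit 0 if the adapter is discoverable
# or pairable, i.e. reachable by an attacker's fake keyboard.
adapter_exposed() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Discoverable:/ { d = ($2 == "yes") }
        /^[ \t]*Pairable:/     { p = ($2 == "yes") }
        END { exit !(d || p) }
    '
}

main() {
    if bluez_hid_hardened "$CONF"; then
        echo "ClassicBondedOnly=true in $CONF: unauthenticated HID connections are rejected"
    else
        echo "WARNING: ClassicBondedOnly is $(classic_bonded_only_value "$CONF") in $CONF"
        echo "         set ClassicBondedOnly=true under [General] and restart bluetooth.service"
    fi
    if command -v bluetoothctl >/dev/null 2>&1; then
        if adapter_exposed "$(bluetoothctl show 2>/dev/null)"; then
            echo "WARNING: adapter is discoverable or pairable; run 'bluetoothctl discoverable off' / 'pairable off'"
        fi
    fi
}

main
```

Run it as root (or any user that can read the config) after installing the distribution's BlueZ update; the warning about a discoverable adapter is the Linux equivalent of the "keep Bluetooth off" advice the post gives for unpatched Android devices.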

Restricted Settings in Android 13 and 14 | Kaspersky official blog
https://www.kaspersky.com/blog/android-restricted-settings/49991/
Tue, 05 Dec 2023 12:38:45 +0000

With each new version of the Android operating system, new features are added to protect users from malware. For example, Android 13 introduced Restricted Settings. In this post, we’ll discuss what this feature involves, what it’s designed to protect against, and how effectively it does its job (spoiler: not very well).

What are Restricted Settings?

How do Restricted Settings operate? Imagine you’re installing an application from a third-party source — that is, downloading an APK file from somewhere and initiating its installation. Let’s suppose this application requires access to certain functions that Google considers particularly dangerous (and for good reason — but more on that later). In this case, the application will ask you to enable the necessary functions for it in your operating system settings.

However, in both Android 13 and 14, this isn’t possible for applications installed by users from APK files. If you go to your smartphone’s settings and try to grant dangerous permissions to such an application, a window titled Restricted Settings will appear. It will say “For your security, this setting is currently unavailable”.

When an application installed from third-party sources requests dangerous permissions, a window pops up with the title Restricted Settings

So, which permissions does Google consider so hazardous that access to them is blocked for any applications not downloaded from the store? Unfortunately, Google isn’t rushing to share this information. We therefore have to figure it out from independent publications for Android developers. At present, two such restrictions are known:

  • Accessibility
  • Access to notifications (Notification Listener)

It’s possible that this list will change in future versions of Android. But for now it seems that these are all the permissions that Google has decided to restrict for applications downloaded from unknown sources. Now let’s discuss why this is even necessary.

Why Google considers Accessibility dangerous

We previously talked about Accessibility in a recent post, Top-3 most dangerous Android features. In short, Accessibility constitutes a set of Android features designed to assist people with severe visual impairments.

The initial idea was that Accessibility would enable applications to act as mediators between the visual interface of the operating system and individuals unable to use this interface but capable of issuing commands and receiving information through alternative means — typically by voice. Thus, Accessibility serves as a guide dog in the virtual space.

An application using Accessibility can see everything happening on the Android device’s screen, and perform any action on the user’s behalf — pressing buttons, inputting data, changing settings, and more.

This is precisely why the creators of malicious Android applications are so fond of Accessibility. This set of functions enables them to do a great deal of harm: spy on correspondence, snoop on passwords, steal financial information, intercept one-time transaction confirmation codes, and so on. Moreover, Accessibility also allows malware to perform user actions within other applications. For example, it can make a transfer in a banking app and confirm the transaction using the one-time code from a text message.

This is why Google deems the permission to access Accessibility particularly perilous — and rightly so. For apps available on Google Play, their use is subject to careful scrutiny by moderators. As for programs downloaded from unknown sources, Android developers have attempted to completely disable access to this set of functions.

Why Google restricts access to notifications

We’ve covered Accessibility, so now let’s talk about what’s wrong with applications accessing notifications (in Android, this function is called Notification Listener). The danger lies in the fact that notifications may contain a lot of personal information about the user.

For example, with access to all notifications, a malicious app can read almost all of the user’s incoming correspondence. In particular, it can intercept messages containing one-time codes for confirming bank transactions, logging in to various services (such as messengers), changing passwords, and so on.

Here, two serious threats arise. Firstly, an app with access to Notification Listener has a simple and convenient way to monitor the user — very useful for spyware.

Secondly, a malicious app can use the information obtained from notifications to hijack user accounts. And all this without any extra tricks, complex technical gimmicks, or expensive vulnerabilities — just exploiting Android’s built-in capabilities.

It’s not surprising that Google considers access to notifications no less dangerous than access to Accessibility, and attempts to restrict it for programs downloaded from outside the app stores.

How Android malware bypasses Restricted Settings

In both Android 13 and 14, the mechanism to protect against the use of dangerous functions by malicious apps downloaded from unknown sources operates as follows. App stores typically use the so-called session-based installation method. Apps installed using this method are considered safe by the system, no restrictions are placed on them, and users can grant these apps access to Accessibility and Notification Listener.

However, if an app is installed without using the session-based method — which is very likely to happen when a user manually downloads an APK — it’s deemed unsafe, and the Restricted Settings function is enabled for it.

Hence the bypass mechanism: even if a malicious app downloaded from an untrusted source cannot access Accessibility or notifications, it can use the session-based method to install another malicious app! It will be considered safe, and access restrictions won’t be activated.

We’re not talking theory here – this is a real problem: malware developers have already learned to bypass the Restricted Settings mechanism in the latest versions of their creations. Therefore, the restrictions in Android 13 and 14 will only combat malware that’s old — not protect against new malware.
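Because the bypass works by having one app install another, the useful question for a defender is not only "which apps hold Accessibility or notification access?" but "who installed each of them?". The script below is an added example (not from the Kaspersky post or from Android): it reads the two `Settings.Secure` keys that list enabled accessibility services and notification listeners, resolves each package's recorded installer from `pm list packages -i`, and flags anything whose installer is not a known store. The store list is a hypothetical allowlist to extend for your fleet; an installer that is itself a third-party app is exactly the session-based dropper pattern described above.

```shell
#!/bin/sh
# Added example, not from the Kaspersky post: audits which apps hold the two
# "restricted" capabilities and who installed them. Assumes adb with USB
# debugging for the live run; the parsing functions are pure and run offline.

# Settings.Secure keys holding colon-separated "package/ServiceClass" entries.
ACCESSIBILITY_KEY=enabled_accessibility_services
NOTIFICATION_KEY=enabled_notification_listeners

# Turn "pkg1/cls:pkg2/cls" (or "null"/empty) into one package per line, deduped.
services_to_packages() {
    [ -z "$1" ] || [ "$1" = "null" ] && return 0
    printf '%s\n' "$1" | tr ':' '\n' | sed 's#/.*##' | sort -u
}

# From the output of `pm list packages -i`, print the recorded installer of a
# package: a package name, "null" when none was recorded (typical for an APK
# sideloaded over adb), or "not-installed".
installer_of() {
    # $1: pm output, $2: package name
    printf '%s\n' "$1" | awk -v pkg="package:$2" '
        $1 == pkg { sub(/^installer=/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "not-installed" }'
}

# Hypothetical allowlist of store installers; everything else is suspicious.
# "other-app(<pkg>)" means another installed app performed the install, which is
# the dropper pattern that slips past Restricted Settings.
classify_installer() {
    case "$1" in
        com.android.vending|com.sec.android.app.samsungapps) echo store ;;
        null|not-installed|com.google.android.packageinstaller|com.android.packageinstaller)
            echo sideloaded ;;
        *) echo "other-app($1)" ;;
    esac
}

main() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found; nothing to audit" >&2; return 0; }
    pm_out=$(adb shell pm list packages -i 2>/dev/null | tr -d '\r') || return 0
    for key in "$ACCESSIBILITY_KEY" "$NOTIFICATION_KEY"; do
        echo "== $key =="
        for pkg in $(services_to_packages "$(adb shell settings get secure "$key" 2>/dev/null | tr -d '\r')"); do
            inst=$(installer_of "$pm_out" "$pkg")
            printf '%-45s installer=%-35s %s\n' "$pkg" "$inst" "$(classify_installer "$inst")"
        done
    done
}

main
```

Anything reported as `sideloaded` or `other-app(...)` with Accessibility or notification access deserves the same scrutiny the post recommends for apps from unknown sources; a vendor store such as GetApps or Palm Store would show up as `other-app` unless you add it to the allowlist deliberately.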

How to disable Restricted Settings when installing an app from third-party sources

Even though it’s not safe, sometimes a user might need to grant access to Accessibility or Notification Listener to an app downloaded from outside the store. We recommend extreme caution in this case, and strongly advise scanning such an application with a reliable antivirus before installing it.

To disable the restrictions:

  • Open your smartphone settings
  • Go to the Apps section
  • Select the app you want to remove access restrictions for
  • In the upper right corner, tap on the three dots icon
  • Select Allow restricted settings

That’s it! Now, the menu option that lets you grant the app the necessary permissions will become active.

How to protect your Android smartphone

Since you can’t rely on Restricted Settings, you’ll have to use other methods to protect yourself from malware that abuses access to Accessibility or notifications:

  • Be wary of any apps requesting access to these features — we’ve discussed above why this is very dangerous
  • Try to install applications from official stores. Sometimes malware can still be found in them, but the risk is much lower than the chance of picking up trojans from obscure sites on the internet
  • If you really have to install an app from an unreliable source, revoke that source’s permission to install unknown apps immediately after installation
  • Scan all applications you install with a reliable mobile antivirus.
  • If you’re using the free version of our protection tool, remember to do this manually before launching each new application. In the paid version of Kaspersky: Antivirus & VPN, this scan runs automatically.
How to stop, disable, and remove any Android apps — even system ones | Kaspersky official blog
https://www.kaspersky.com/blog/how-to-disable-and-remove-android-bloatware/49960/
Fri, 01 Dec 2023 14:34:27 +0000

Most smartphones have an average of around 80 installed apps, of which at least 30% are never used since most are forgotten about. But such “ballast” is harmful: there’s less free space on the device; potential bugs and compatibility issues multiply; and even unused apps at times distract you with pointless alerts.

To make things worse, abandoned apps can continue collecting data about the phone and its owner and feed it to advertising firms, or simply gobble up mobile data. Hopefully, we’ve already convinced you to “debloat” your smartphone at least a couple of times a year and uninstall apps you haven’t used for ages — not forgetting to cancel any paid subscriptions to them!

But, unfortunately, some apps are vendor-protected against uninstallation, and so aren’t all that easy to jettison. Thankfully, there are some ways to get round this problem…

Uninstall the app

Sometimes you can’t find an unwanted app under the Manage apps & device tab of the Google Play app. First, try to remove it through the phone settings: look there for the Apps section. This lists all installed programs and has a search feature to save you from having to scroll through them all. Having found the unwanted app and tapping it, you’re taken to the App Info screen. Here you can view the app’s mobile data, battery, and storage consumption, and, most importantly, find and tap the Uninstall button. If the button is there and active, the job’s done.

List of all installed apps and the App Info screen with the Uninstall button

Disable the app

If the app was installed on the phone by the vendor, it’s likely to be non-removable and have no Uninstall button on the App Info screen. That said, it’s not necessarily linked to the OS or core components of the smartphone — it could be, say, a Facebook client or a proprietary browser. Such apps are often called bloatware since they bloat the phone’s firmware and the list of standard apps. The easiest way to disable such apps is on the above-mentioned App Info screen; instead of Uninstall, the relevant button will be marked Disable. A disabled app is not much different from an uninstalled one — it vanishes from the set of icons on the startup screen and won’t run manually or when the phone boots up. Should you need it later, you can easily turn it back on with a single tap on that same App Info screen.

Disabling reduces the risk of data leakage, but does nothing to save storage space — unfortunately, the disabled app continues to take up storage on your phone. If you absolutely have to uninstall it — but there’s no Uninstall button — read on!

For non-removable apps, instead of an Uninstall button, the App Info screen shows a Disable button

Stop the app

But what if the Disable button on the App Info screen is grayed out and untappable? For especially important programs, vendors take care to block the disabling option — often for a good reason (they’re vital to the system) — so you need to think very carefully before trying to disable or uninstall such apps manually. Open your favorite search engine and punch in the query “exact smartphone model number + exact app name”. Most likely you’ll see Android user forum discussions at the top of the search results. These often give information about whether the given app is safe to disable or whether there could be any side effects.

To perform a harmless experiment with an app that can’t be disabled, you can use the Force Stop button. This is the second button on that App Info screen and it’s almost always active — even for apps that can’t be disabled. Force Stop simply stops the app temporarily, without attempting to remove or permanently disable it. However, it no longer consumes power or mobile data — and can no longer spy on you. And if your phone continues to work as normal, then perhaps the app isn’t that important after all.

But stopped apps can start up again when certain events occur or after a phone restart, and stopping them manually each time — moreover regularly — can be troublesome and inconvenient. Fortunately, you can automate this task with the Greenify app. It doesn’t require superuser rights to work, but merely automates navigating to the now-familiar App Info screen and tapping the Force Stop button. You simply supply Greenify with a list of unwanted apps and set a Force Stop schedule to, say, twice a day. Other tools offer similar functionality, but Greenify’s advantage is its lack of “extra” features.

If the Disable button is inactive, try using Force Stop

Freeze or uninstall the app despite its objections

If you tested stopping a non-removable app and suffered no negative effects, you might consider freezing it or removing it altogether. Freezing is the same as disabling but is done using different tools. Before delving into the details, note that freezing requires technical skill and the activation of Developer mode on your phone. This mode itself creates certain information security risks by allowing connections to the phone via USB or LAN in special technical modes, plus the ability to view and modify its contents. Although Google has fenced off this functionality with many safeguards (permission requests, additional passwords, and so on), the room for error (thus creating risks) is high.

One more thing: before you start tinkering, be sure to create the fullest possible backup of your smartphone data.

If all of the above hasn’t scared you off, see the guide in the box.

Freezing and uninstalling non-removable Android apps in Developer mode

  • Download and install Android SDK Platform-Tools on your computer. Of the tools inside, you’ll only need the Android Debug Bridge USB driver and the ADB command line.
  • Enable Developer mode on your phone. The details vary slightly from vendor to vendor, but the general recipe is roughly the same: repeatedly tap the Build Number option in the About Phone section of the settings.
  • Enable USB Debugging under Developer Settings on your smartphone. There are multiple options there — but don’t touch any apart from these two!
  • Connect your smartphone to your computer through USB.
  • Allow Debug mode on your phone screen.
  • Test Debug mode by getting a list of all packages (what developers call apps) installed on your phone. To do so, type the following in the ADB command line
    adb shell pm list packages
    The response will be a long list of packages installed on the phone, in which you need to find the name of the unwanted app. This might look something like facebook.katana or com.samsung.android.bixby.agent. You can often (but not always) tell which app is which by their names.
  • Freeze (disable) the unwanted app using the ADB command line. To do so, enter the command
    adb shell pm disable-user --user 0 PACKAGENAME
    where PACKAGENAME is the name of the unwanted app package. Different vendors may use different user IDs (0 in our example), so check the correct PM command for your smartphone. As before, an online search helps out: “phone model + Debloat” or “phone model + ADB PM”.
  • You can use developer commands to not only disable an app but also completely uninstall it. To do so, replace the previous command with
    adb shell pm uninstall --user 0 PACKAGENAME
  • Restart your phone.
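The steps above issue the pm commands by hand. What follows is an added example, not code from the Kaspersky post or from Google's Platform-Tools: a small POSIX shell wrapper that runs the same adb shell pm disable-user / uninstall commands after the checks a careful user would want first, namely a package-list backup, a sanity check on the package name, a deny-list of core packages that must never be frozen, and an undo path. The function names, the ADB and USER_ID variables and the contents of the deny-list are this example's own assumptions; extend the deny-list for your phone model after the forum research the guide recommends.

```shell
#!/bin/sh
# Added example (not from the Kaspersky post): a POSIX-shell wrapper around
# the "adb shell pm" commands from the debloating guide. Function names, the
# protected-package list and the ADB/USER_ID variables are assumptions of
# this example, not anything the post or Android defines.
ADB="${ADB:-adb}"        # path to the adb binary; set ADB=echo for a dry run
USER_ID="${USER_ID:-0}"  # Android user ID; 0 on most single-user phones

# A package name is reverse-DNS style: dot-separated labels of letters,
# digits and underscores, each label starting with a letter.
valid_package() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)*$'
}

# Assumed deny-list of packages that must never be frozen or removed:
# disabling any of them leaves the phone unusable.
is_protected() {
  case "$1" in
    android|com.android.systemui|com.android.settings|com.android.phone|com.google.android.gms|com.google.android.gsf) return 0 ;;
    *) return 1 ;;
  esac
}

# Save the full package list (-u includes packages already uninstalled for
# this user) so you can see later what changed. Run before touching anything.
backup_packages() {
  "$ADB" shell pm list packages -u | tr -d '\r' > "$1"
}

# True if the device reports the package as installed for USER_ID.
# tr strips the CR that older adb builds append to each output line.
package_installed() {
  "$ADB" shell pm list packages --user "$USER_ID" | tr -d '\r' \
    | grep -qx "package:$1"
}

# Freeze (disable) a package for USER_ID after the safety checks.
# Exit codes: 2 = bad package name, 3 = package is on the deny-list.
freeze_package() {
  pkg="$1"
  valid_package "$pkg" || { echo "invalid package name: $pkg" >&2; return 2; }
  if is_protected "$pkg"; then
    echo "refusing to freeze protected package: $pkg" >&2; return 3
  fi
  "$ADB" shell pm disable-user --user "$USER_ID" "$pkg"
}

# Undo a freeze (the equivalent of the Enable button on the App Info screen).
unfreeze_package() {
  valid_package "$1" || return 2
  "$ADB" shell pm enable --user "$USER_ID" "$1"
}

# Uninstall for USER_ID only. For a vendor app this does not delete the APK
# from the system partition; restore_package below brings it back.
remove_package() {
  pkg="$1"
  valid_package "$pkg" || { echo "invalid package name: $pkg" >&2; return 2; }
  if is_protected "$pkg"; then
    echo "refusing to remove protected package: $pkg" >&2; return 3
  fi
  "$ADB" shell pm uninstall --user "$USER_ID" "$pkg"
}

# Re-install a system app that was removed with "pm uninstall --user".
restore_package() {
  valid_package "$1" || return 2
  "$ADB" shell pm install-existing --user "$USER_ID" "$1"
}

# Command-line dispatch. With no arguments the script only defines the
# functions, so it can also be sourced from another script.
case "${1:-}" in
  backup)   backup_packages "${2:-packages-before.txt}" ;;
  freeze)   freeze_package "$2" ;;
  unfreeze) unfreeze_package "$2" ;;
  remove)   remove_package "$2" ;;
  restore)  restore_package "$2" ;;
  "")       ;;
  *) echo "usage: $0 backup [file] | freeze|unfreeze|remove|restore PACKAGE" >&2; exit 64 ;;
esac
```

Run `sh debloat.sh backup` first, then `sh debloat.sh freeze com.example.bloat` (a constructed package name); with `ADB=echo` in the environment the script prints the pm commands it would send instead of executing them, which is a cheap way to review a whole list before committing to it. One caveat the guide's wording glosses over: `pm uninstall --user 0` removes a vendor app only for that user. The APK stays in the read-only system partition, which is why `pm install-existing` can bring it back and why such apps reappear after a factory reset.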

The free Universal Android Debloater tool somewhat simplifies all this sorcery. It issues ADB commands automatically, based on the “cleaning packages” selected from the menu, which are prepared with both the vendor and model in mind. But since this is an open-source app written by enthusiasts, we can’t vouch for its efficacy.

Why Nothing Chats is unsafe | Kaspersky official blog https://www.kaspersky.com/blog/nothing-chats-imessage-for-android-security-disaster/49895/ Fri, 24 Nov 2023 11:52:10 +0000 https://www.kaspersky.com/blog/?p=49895 The Nothing Chats app is a messenger created by the developer of the quite popular smartphone Nothing Phone — yet another “iPhone killer”. The main selling point of Nothing Chats was the promise of giving Android users the ability to fully communicate using iMessage — a messaging system previously available only to iPhone owners.

However, Nothing Chats was almost immediately found to have a whole host of security and privacy issues. These problems were so serious that less than 24 hours after its release in the Google Play Store, the application had to be removed. Let’s delve into this in more detail.

Nothing Chats, Sunbird, and iMessage for Android

The Nothing Chats messenger was announced on November 14, 2023, in a video by the well-known YouTube blogger Marques Brownlee (aka MKBHD). He talked about how the new messenger from Nothing had plans to allow owners of a Nothing Phone (which is Android-based) to communicate with iOS users through iMessage.

By the way, I recommend watching the video by MKBHD, at least to see how the messenger worked.

The video also briefly outlines how the messenger operates from a technical point of view. To begin, users have to provide Nothing Chats with the login and password to their Apple ID account (and if they don’t have one yet, they need to create one). After this, to indirectly quote the video, “on some Mac mini somewhere on a server farm”, this Apple account is logged in to, after which this remote computer serves as a relay transmitting messages from the user’s smartphone to the iMessage system, and vice versa.

To give credit where credit is due, at the end of the sixth minute, the author of the video makes a point of emphasizing that this approach carries some serious risks. Indeed, logging in with your Apple ID on some unknown device that doesn’t belong to you, located who knows where, is a very, very bad idea for a number of reasons.

Nothing Chats messenger teaser

The coveted blue message clouds of iMessage — the main promise of Nothing Chats

The Nothing company made no secret of the fact that “iMessage for Android” was not their own development. The company partnered with another company, Sunbird, so the Nothing Chats messenger was a clone of the Sunbird: iMessage for Android application, with some cosmetic interface changes. By the way, the Sunbird app was announced to the press back in December 2022, but its full launch for a wide audience was constantly postponed.

Nothing Chats and security issues

After the announcement, suspicions immediately arose that Nothing and Sunbird would face serious privacy and security issues. As mentioned earlier, the idea of logging in with your Apple ID on someone else’s device is highly risky because this account gives full control over a significant amount of user information and over the devices themselves through the Apple feature Find My…

To reassure users, both Sunbird and Nothing asserted on their websites that logins and passwords aren’t stored anywhere, all messages are protected by end-to-end encryption, and everything is absolutely secure.

Security assurances on the Sunbird website

Sunbird’s website confirming the security and privacy of iMessage for Android, as well as the use of end-to-end encryption (spoiler: this isn’t true)

However, the reality was way off even the most skeptical predictions. Once the application became available, it quickly became clear that it totally failed to deliver on its promises regarding end-to-end encryption. Worse still, all messages and files sent or received by the user were delivered by Nothing Chats in unencrypted form to two services simultaneously — the Google Firebase database and the Sentry error monitoring service, where Sunbird employees could access these messages.

Security assurances on the Nothing website

The FAQ section on the official Nothing Chats page also explicitly mentions end-to-end encryption

And if that still wasn’t enough, not only Sunbird employees but anyone interested could read the messages. The issue was that the token required for authentication in Firebase was transmitted by the application over an unprotected connection (HTTP) and could, therefore, be intercepted. Subsequently, this token provided access to all messages and files of all users of the messenger — as mentioned earlier, all this data was sent to Firebase in plain text.

Once again: despite assurances of using end-to-end encryption, any message from any user on Nothing Chats and all files sent by them — photos, videos, and so on — could be intercepted by anyone.

Nothing Chats page claims that user messages are never stored anywhere

Also, the FAQ page of Nothing Chats claims that messages are never stored anywhere — doesn’t it make you want to cry?

One of the researchers involved in analyzing the vulnerabilities of Nothing Chats/Sunbird created a simple website as proof of an attack’s feasibility, allowing anyone to see that their messages in iMessage for Android could indeed be easily intercepted.

Shortly after the vulnerabilities were made public, Nothing decided to remove their app from the Google Play Store “to fix a few bugs”. However, even if Nothing Chats or Sunbird: iMessage for Android returns to the store, it’s best to avoid them — as well as any similar apps. This story demonstrates vividly that when creating an intermediary service that allows access to iMessage, it’s very easy to make catastrophic mistakes that put users’ data at extreme risk.

What Nothing Chats users should do now

If you’ve used the Nothing Chats app, you should do the following:

  • Log into your Apple ID account from a trusted device, find the page with active sessions (devices you’re logged in to), and delete the session associated with Nothing Chats/Sunbird.
  • Change your Apple ID password. It’s an extremely important account, so it’s advisable to use a very long and random sequence of characters — Kaspersky Password Manager can help you generate a reliable password and store it securely.
  • Uninstall the Nothing Chats app.
  • You can then use a tool created by one of the researchers to remove your information from Sunbird’s Firebase database.
  • If you’ve sent any sensitive information through Nothing Chats, then you should treat it as compromised and take appropriate measures: change passwords, reissue cards, and so on. Kaspersky Premium will help you track possible leaks of your personal data linked to email addresses or phone numbers.
How to update Android without bugs, data loss, security risks or other nuisances | Kaspersky official blog https://www.kaspersky.com/blog/guide-to-painless-android-updates/49854/ Thu, 23 Nov 2023 10:40:48 +0000 https://www.kaspersky.com/blog/?p=49854 For many, Android smartphone updates are a sore point. On the one hand, they’re essential to fix dangerous bugs and vulnerabilities on your phone, delivering handy new features and support for the latest technologies at the same time. On the other hand, updates are often delayed, get installed at the worst possible time, they can slow down your phone, and in really bad cases cause data loss or even brick the device.

Let’s figure out how to install Android updates properly to get all the benefits and zero misery.

Different types of updates

“Installing updates” can refer to five quite different scenarios depending on what exactly is being updated.

  1. Updating apps. Individual apps on devices are updated automatically or manually through an app store (Google Play, Huawei AppGallery and the like). Updating one app in this case rarely affects the rest and generally has little effect on the gadget.
  2. Updating Android components. Google developers have long been committed to modularization, so many parts of the operating system (such as the call screen or photo viewer) are essentially separate apps. Some of these likewise download updates through an app store; others (like Google Play Services) are forcibly updated at a lower level.
  3. Updating extensions from the smartphone manufacturer. All that distinguishes a Samsung, Oppo or Xiaomi smartphone from a “pure” Android device are proprietary extensions, which often radically alter the look of the operating system and sport fancy names like OneUI or ColorOS. The internal structure and update method differ from vendor to vendor — many try to time extension updates to coincide with the release of general Android updates, but this isn’t a hard-and-fast rule.
  4. Updating Android itself. Google rolls out major Android updates once a year — upping the major version number by one — but bug fixes and security updates appear monthly. However, most smartphones don’t get the latest version of Android from Google directly: manufacturers of specific models must first add the correct low-level components and vendor-specific extensions, and only then offer the latest version of Android to users. Therefore, for any Android update, the time from rollout to availability on smartphones other than Google Pixel or devices running AOSP (Android Open Source Project) can be anything from a month to… eternity — depending on the manufacturer’s promptness.
  5. Updating low-level components. This means the bootloader, 4G/Wi-Fi chip firmware, drivers and the like. As a rule, these components are updated along with the operating system, but they can get their own updates as and when required. In any case, updates of this type are released only by the company that made your phone.

Updates of the first two types (apps and Android components) arrive either automatically or by pressing literally one button in your chosen app store, and usually take just seconds; the others need much longer, require a smartphone restart, and are slightly more prone to side effects. Which means you need to cushion the potential blow.

What could go wrong

Nuisances. On many manufacturers’ devices, alerts about new updates appear in the notification drawer and remain stuck there. Sometimes they go full-screen and demand immediate installation. One mis-tap and your phone is already pulling gigabytes of data – heaven forbid if you’re in roaming mode.

Eating up phone space. Security updates and bug fixes are usually small in scope, but new versions of vendor extensions or Android itself can be significantly larger than their forebears. And this creates a separate problem for budget smartphones with low storage capacity.

Post-update bugs. Even Google makes mistakes. For example, users updating to Android 12 encountered all sorts of issues — from unstable network connection and flickering displays to bricked devices. Similar problems sometimes occur with vendor extensions.

Loss of data or functionality. A rare but most unpleasant occurrence is when, after an update, various apps stop working (if, say, they’re too outdated to receive updates) or user data vanishes.

Why you still need to update

Vulnerabilities. Stories about how smartphones can get infected with malware without any user action or with no signs that anything is wrong are not fiction, but rather the result of the exploitation of dangerous bugs in Android itself and installed apps. Vulnerabilities even crop up in cellular or Wi-Fi modules. And if you think this “spy fiction” doesn’t apply to you, beware — cybercriminals will quite happily use vulnerabilities of this kind to steal your money, passwords and anything else that isn’t bolted down. Each monthly Android update fixes a handful of serious vulnerabilities and a dozen or two low-risk ones.

Bugs. From increased power consumption and memory leaks to camera focus issues, the corresponding bug fixes in low-level components, Android itself, and/or vendor extensions make the smartphone experience more enjoyable.

Compatibility. Even if you don’t like new stuff, sooner or later you have to update the browser, programs, and operating system anyway just to be able to continue using your online apps and even visit certain websites. The support period for older versions of software is steadily dwindling, and, for example, in a severely outdated Chrome, many sites refuse to open properly.

Top tips for hassle-free updating

Use only official sources. Download updates only through your chosen app store or your smartphone’s system settings. Don’t install updates from websites unless the manufacturer offers no other way; in which case, as above, download updates only from said manufacturer’s official site — never from aggregators, news media or unknown sites.

Create backups. Android doesn’t fully back up everything automatically, but you can set up uploading of photos and documents to Google Drive, while your contacts, calendar and various other data are backed up to your Google account, and many apps (for example, WhatsApp) have built-in backup. Set up backup in all apps where possible, so that important information gets saved to the cloud on a nightly basis. If you don’t trust third-party clouds, there are utilities for syncing your phone with a storage server on your home network.

Optimize update downloading. Explore your smartphone settings. If updates are customizable, opt to download them at night, assuming Wi-Fi and power are available. That way, downloading updates won’t interrupt your daytime work, chew through your mobile data, or drain your battery. If there are no such settings, and update notifications often come at a bad time, you can risk turning off notifications or automatic checking for updates. In this case, you must set a regular reminder (say, once a month on a weekend) to check for updates manually through the device settings. It’s best to choose an installation time when you can afford to put your phone down for a while.

Be selective. If it’s not a critical vulnerability fix, you can put off installing it — but not for long, of course; waiting a few days to a week should be OK, all the while checking on forums to see if owners of the same smartphone are having issues with the update. If so, that will give time for hundreds of them to voice a complaint, and, if you’re lucky, time also for a patched version to come out.

Get rid of unnecessary stuff. Binning downloaded documents no longer needed, clearing caches, deleting unused apps and moving photos and videos to the cloud helps free up a lot of smartphone memory and reduce the likelihood of update problems. Incidentally, our mobile application for Android comes with a handy junk cleaner tool.

Update apps and firmware separately. To make it easier to track the source of potential issues, don’t update apps and firmware at the same time: after updating the operating system and vendor extensions, wait a few days before installing app updates — again, only if there are no critical vulnerability fixes.

Install Kaspersky: Antivirus & VPN on your Android device. Our application warns and protects you against known vulnerabilities, scans downloaded apps for viruses, fixes dangerous device settings, manages app permissions, blocks dangerous links, and keeps your data safe if ever your phone is lost or stolen.

WhatsApp spyware modifications in Telegram | Kaspersky official blog https://www.kaspersky.com/blog/whatsapp-mods-canesspy/49656/ Thu, 16 Nov 2023 13:47:20 +0000 https://www.kaspersky.com/blog/?p=49656 Over the past decade, messaging apps such as WhatsApp and Telegram have become an integral part of life for almost every internet user. Billions of people use them to chat with loved ones, share funny pictures and videos with friends, communicate with coworkers, catch up on the news, and so on. Just try to imagine modern life without messengers. Hard, isn’t it? Unfortunately, these indispensable apps sometimes contain hidden threats.

WhatsApp and Telegram mods: the whats and whys

Some people think that the official WhatsApp and Telegram apps lack functionality — be that additional options to customize the interface or something more specific; for example, the ability to hide chats, automatically translate messages, or view messages deleted by chat partners. And the list of “missing” features is a very long one.

Third-party developers create modifications, or mods, of the standard WhatsApp and Telegram apps to satisfy even the most peculiar user needs, and there are a great many such mods.

The problem with installing any of them is that the user must entrust their correspondence not only to the original messenger developers but also to the mod developers, who can easily hide malicious modules in them; mod distributors can also add something of their own.

In the case of WhatsApp, the situation with mods is further complicated by its owners. They don’t approve of modifications and so hinder their distribution. From time to time, WhatsApp’s owners try to prohibit folks from using mods — albeit unsuccessfully thus far. Meanwhile they have had some success in barring alternative clients for WhatsApp from the official stores like Google Play and App Store.

As a consequence, users of WhatsApp mods are accustomed to downloading them from just about anywhere. APK files are boldly downloaded, settings are switched to allow installation from unknown sources, and mods are then run on phones. And cybercriminals exploit this carelessness by embedding malware in the mods.

Our experts recently found several such infected mods, which we’ll take a look at in this post.

Infected WhatsApp mods on Telegram

The WhatsApp mods that caught our experts’ attention hadn’t previously shown any malicious activity. Now, however, they contain a spy module, which our security solutions detect as Trojan-Spy.AndroidOS.CanesSpy.

After installation on the victim’s smartphone, an infected WhatsApp mod waits for the phone to be turned on or put on charge before launching the spy module. It contacts one of the C2 servers from the respective list and uploads various information about the device to it, such as phone number, IMEI, cellular network code, and so on. What’s more, the spy Trojan sends information about the victim’s contacts and accounts to the server every five minutes, all the while waiting for commands.

Leaving service commands aside, the spy module’s capabilities are essentially reduced to two functions:

  • Search the device and send its operators files contained in the smartphone’s memory (to be precise, in its non-system part, or “external storage” in Android terminology)
  • Record sound from the built-in microphone and, as before, send the recordings to C2

As for how the spyware was distributed, infected WhatsApp modifications were found in several Arab and Azerbaijani Telegram channels under the names of popular mods: GBWhatsApp, WhatsApp Plus, and AZE PLUS — a WhatsApp Plus version with the interface translated into Azerbaijani.

Infected WhatsApp mods in Telegram channels

WhatsApp mods infected with spyware were distributed mostly in Azerbaijani and Arabic Telegram channels

In addition, our experts discovered APK files infected with the spy module on WhatsApp mod download websites.

In October, our security solutions detected and prevented more than 340,000 attacks by this spyware in more than 100 countries. Note that we’re talking about attacks intercepted by our solutions. The total number (accounting for phones on which our solutions aren’t installed) is likely much higher.

Although the geographic spread of the threat is extensive, the largest number of infection attempts — by a wide margin — was registered in Azerbaijan, followed by several Arab countries: Yemen, Saudi Arabia, and Egypt; as well as Turkey.

Geography of infection attempts by Trojan-Spy.AndroidOS.CanesSpy

Top-20 countries where WhatsApp spy mods were distributed

How to protect yourself against messenger spyware

This isn’t the first case in 2023 of malicious modules being found in modified messenger apps. A few months ago we wrote about a string of infected mods for Telegram, WhatsApp, and even the secure messenger Signal. So there’s every reason to remain vigilant:

  • Use only the official WhatsApp and Telegram apps. As we’ve seen, messenger mods are prone to malware.
  • Install apps only from official stores: Apple App Store, Google Play, Huawei AppGallery, and the like. These aren’t immune to malware, but still way safer than third-party websites, which often have no security measures in place at all.
  • Before installing any app, first study its page in the store and make sure it’s not fake — bad actors often create clones of popular apps.
  • Read user reviews of the app, paying special attention to negative ones. There you’ll probably find out if it demonstrates suspicious activity.
  • Be sure to install reliable protection on all your devices. This will detect malicious code inside a seemingly harmless app, and warn you in time.
  • Remember that in the free version of our Kaspersky: Antivirus & VPN app, you have to run the scan manually.
  • If you use the premium version of our protection for Android — which comes included in the Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium subscriptions — you can sit back and relax: scanning for threats takes place automatically.
Kaspersky multi-layered protection for your online finances | Kaspersky official blog https://www.kaspersky.com/blog/kaspersky-protection-for-financial-security/49616/ Mon, 13 Nov 2023 12:12:13 +0000 https://www.kaspersky.com/blog/?p=49616 Much of our financial life has long since shifted from the physical world to the digital. Banking apps, digital wallets, online payments, and cryptocurrencies are all 21st-century innovations that make financial transactions faster and more accessible than ever before, opening up all kinds of hitherto unimaginable opportunities.

But this convenience has a downside: our digital finances are vulnerable to digital crimes. Then again, that’s only true if you neglect protecting your online finances from cybercriminals. This post takes a look at how Kaspersky technologies and products secure your digital money, and thus your financial well-being.

1. Password Manager

The backbone of all account security — and financial services are no exception — is, of course, your password. The weaker it is, the greater the chances of a successful hack on your account in some online store or payment system where you enter card details.

It’s just as dangerous to use the same password for different online services. If you do, then if there’s a password leak on one of them (all too common, sadly), your accounts with other services will be compromised as well. Hackers are well aware that many people use the same character combinations on multiple sites, so they often use leaked passwords to try to log in to other resources, a technique known as credential stuffing. And naturally, their focus tends to be on money-related services.

Using Kaspersky Password Manager radically improves password security and helps keep your financial accounts safe. Our app generates unique, maximum-security passwords for every service you use, stores them safely so there’s no need to remember them, and even warns you about leaks. Incidentally, the latest update of Kaspersky Password Manager has added the ability to generate one-time codes for two-factor authentication. And you get it for free with Kaspersky Plus and Kaspersky Premium subscriptions.

2. Safe Money

Safe Money was designed specifically for enabling secure financial transactions and online purchases. To protect important payment data entered on the websites of banks, payment systems, and online stores — including bank card numbers and passwords — our solution prompts you to open such sites in our Protected Browser.

In this special mode, your confidential data is protected to the max. And if a site seems fishy in any way at all, Protected Browser warns you with a notification and a change of the frame color from safe green to yellow.

With Safe Money, you can do online shopping and banking safely in the knowledge that both your money and personal data are fully protected. This feature is included in all our paid subscriptions: Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium.

3. File Anti-Virus

Of course, one of the central components of our multi-layered financial protection is good old Anti-Virus. This is what protects your money from the most dangerous threat: malware, in particular, so-called stealers, which, after infecting the target device, look for passwords and private keys to cryptocurrency wallets stored on it, then send them straight to the cyberthieves.

Another common threat directly related to finances that File Anti-Virus guards against is banking Trojans. These are viruses that overlay a banking app’s interface with their own and can not only steal passwords but also intercept one-time confirmation codes, as well as substitute the details and amounts of transfers and payments, allowing the cybercriminals to siphon off money.

These two threats alone are reason enough for you to install reliable protection on all devices you use for financial transactions. There are plenty of other dangers that Anti-Virus also protects against, such as ransomware Trojans and spyware to name just a couple.

4. Safe Browsing

Note that it might not be your computer or smartphone that’s infected with malware, but the server you’re interacting with. The first threat to worry about in this scenario would be online skimmers — malware that scammers install on hacked online stores in order to harvest customers’ bank card details.

Web skimmers have become very popular with cybercriminals of late — every year, tens of thousands of online stores are found to be infected with malware of this kind. Often, the owners of compromised stores are either unaware of the infection or take no action to neutralize a threat, so a web skimmer might remain active on an infected site for months. In practical terms, this means that even if you personally have been careful and your devices are all clean, you can still fall victim to cybercriminals simply by interacting with an infected website.

Fortunately, we also have a solution to protect you from web skimmers and other threats: Safe Browsing scans the pages loaded by your browser for malicious code and, if detected, warns you that the site is unsafe.

5. Anti-Phishing and Fraud Prevention

There’s no way we can skip over fake and fraudulent websites, which affect a huge number of internet users every year. These can be cloned sites mimicking banks, payment systems, crypto exchanges, or other financial services that trick visitors out of their credentials and then hijack their accounts.

They can also be online scams promising large payouts in exchange for a small commission, fake online stores with tempting prices that never deliver your purchase, or other types of online fraud.

The problem is that sites of this kind usually don’t directly contain any malicious code. To effectively protect against such threats, our experts work day and night to keep our database of phishing and fraudulent sites up to date. As a result, our solutions give you a heads-up in good time whenever danger is near.

Google Play malware clocks up more than 600 million downloads in 2023 | Kaspersky official blog https://www.kaspersky.com/blog/malware-in-google-play-2023/49579/ Thu, 09 Nov 2023 14:36:58 +0000 https://www.kaspersky.com/blog/?p=49579 Users tend to think it’s safe to install apps from Google Play. After all, it’s the most official of all official stores for Android, and all apps there are thoroughly vetted by Google moderators, right?

Bear in mind, however, that Google Play is home to more than three million unique apps, most of which get updated regularly, and to vet all of them thoroughly — that is, really thoroughly — is beyond the resources of even one of the world’s largest corporations.

Well aware of this, makers of malicious apps have developed a number of techniques to sneak their creations onto Google Play. In this post, we take a look at the most headline-grabbing cases of 2023 regarding malicious apps on the official Android store, with total downloads in excess of — wait for it — 600 million. Let’s go!…

50,000 downloads: infected iRecorder app eavesdrops on users

Let’s start with the fairly minor, but quite interesting and highly illustrative case of iRecorder. This unremarkable screen-recording app for Android smartphones was uploaded to Google Play in September 2021.

But then, in August 2022, its developers added malicious functionality: code from the AhMyth remote access Trojan, which made every smartphone with the app installed record audio from the microphone every 15 minutes and send it to the app creators’ server. By the time researchers discovered the malware in May 2023, iRecorder had been downloaded more than 50,000 times.

This example demonstrates one of the ways in which malicious apps creep into Google Play. First, cybercriminals upload an innocuous app that is guaranteed to sail through all moderation checks. Then, once the app has built an audience and some kind of reputation (which can take months or even years), malicious functionality is added in its next update uploaded to Google Play.

620,000 downloads: Fleckpe subscription Trojan

Also in May 2023, our experts found several apps on Google Play infected with the Fleckpe subscription Trojan. By that time, they’d already chalked up 620,000 installs. Interestingly, these apps were uploaded by different developers. And this is another common tactic: cybercriminals create numerous developer accounts in the store so that even if some get blocked by the moderators they can just upload a similar app to another account.

Apps on Google Play infected with the Fleckpe subscription Trojan

When the infected app was run, it downloaded the main malicious payload to the victim’s smartphone; the Trojan then connected to its command-and-control server and reported the device’s country and cellular operator. Based on this information, the server sent instructions on how to proceed. Fleckpe then opened pages offering paid subscriptions in a browser window invisible to the user and, by intercepting confirmation codes from incoming notifications, signed the user up to unwanted services billed to the cellular operator account.

1.5 million downloads: Chinese spyware

In July 2023, Google Play was found to be hosting two file managers — one with one million downloads, the other with half a million. Despite the developers’ assurances that the apps don’t collect any data, researchers found that both transmitted a lot of user information to servers in China, including contacts, real-time geolocation, data about the smartphone model and cellular network, photos, audio and video files, and more.

File managers on Google Play with Chinese spyware inside

To avoid being uninstalled by the user, the infected apps hid their home-screen icons, another common tactic of mobile malware authors.

2.5 million downloads: background adware

In August 2023, researchers found as many as 43 apps on Google Play, including TV/DMB Player, Music Downloader, News and Calendar, that secretly loaded ads while the smartphone’s screen was off.

Some of the apps with hidden adware

To be able to keep working in the background, the apps asked the user to exempt them from battery optimization (the power-saving exclusion list). Naturally, affected users saw reduced battery life. These apps had a combined total of 2.5 million downloads, and the target audience was primarily Korean.
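Several of the cases above share a static fingerprint: the iRecorder update gained microphone access, Fleckpe read confirmation codes out of notifications, the spyware file managers dropped their home-screen icon, and the background adware asked for a battery-optimization exemption. The script below is an added example (not Kaspersky’s tooling and not code from any of the apps named) that diffs the decoded manifests of two versions of an app and flags exactly those changes. It assumes the manifests were first decoded to plain XML, for instance with `apktool d app.apk`; the two manifests, the watchlist and its annotations are constructed for the example. Caveat for practitioners: icon hiding is usually done at run time through `PackageManager.setComponentEnabledSetting`, and payloads like Fleckpe’s are fetched after install, so a manifest diff is a first filter, not a verdict.

```python
"""Flag capabilities an app update gained by diffing two decoded manifests.
Added example, not Kaspersky's code.  Assumes the manifests were decoded to
plain XML first (for instance with `apktool d app.apk`); MANIFEST_V1/V2 are
constructed stand-ins for a screen recorder whose update grew new powers."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix of android:* attributes

# Permissions whose sudden appearance in an update deserves a second look
# (the set and the notes are assumptions of this example, not an official list).
WATCHLIST = {
    "android.permission.RECORD_AUDIO": "microphone capture",
    "android.permission.READ_SMS": "can read one-time codes sent by SMS",
    "android.permission.RECEIVE_SMS": "sees SMS as it arrives",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "asks for a battery-optimization exemption to keep running with the screen off",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.READ_CONTACTS": "contact list access",
}
# System-bound services with these permissions read every notification
# (including confirmation codes) or can operate the UI on the user's behalf.
PRIVILEGED_BINDS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}


def profile(manifest_xml):
    """Extract the capability-relevant parts of one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {e.get(A + "name") for e in root.iter("uses-permission")}
    privileged = {e.get(A + "name"): e.get(A + "permission")
                  for e in root.iter("service") if e.get(A + "permission") in PRIVILEGED_BINDS}
    launchers = set()  # activities with a MAIN/LAUNCHER filter, i.e. a home-screen icon
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {x.get(A + "name") for x in flt.iter("action")}
            cats = {x.get(A + "name") for x in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                launchers.add(act.get(A + "name"))
    return {"package": root.get("package"), "permissions": permissions,
            "privileged_services": privileged, "launchers": launchers}


def diff_versions(old_xml, new_xml):
    """Return human-readable findings for what the new version gained."""
    old, new = profile(old_xml), profile(new_xml)
    findings = []
    if old["package"] != new["package"]:
        findings.append(f"package name changed: {old['package']} -> {new['package']}")
    for perm in sorted(new["permissions"] - old["permissions"]):
        if perm in WATCHLIST:
            findings.append(f"new permission {perm}: {WATCHLIST[perm]}")
    for svc, perm in new["privileged_services"].items():
        if svc not in old["privileged_services"]:
            findings.append(f"new privileged service {svc} bound with {perm}")
    if old["launchers"] and not new["launchers"]:
        findings.append("no launcher activity left: the update has no home-screen icon")
    return findings


# Constructed sample: version 1 is a plain screen recorder.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.screenrec">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Screen Recorder">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".CaptureService"/>
  </application>
</manifest>"""

# Constructed sample: version 2 adds microphone capture, a battery-optimization
# exemption, a notification listener, and ships without a launcher entry.
MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.screenrec">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Screen Recorder">
    <activity android:name=".MainActivity"/>
    <service android:name=".CaptureService"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in diff_versions(MANIFEST_V1, MANIFEST_V2):
        print("-", finding)
```

Run the script on the two decoded manifests and review each finding against the app’s stated purpose: a screen recorder that newly asks for RECORD_AUDIO may be legitimate, while a calendar that suddenly binds a notification listener and requests a battery-optimization exemption is the pattern described above.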

20 million downloads: scammy apps promise rewards

A study published in early 2023 revealed several shady apps on Google Play with more than 20 million downloads between them. Positioning themselves primarily as health trackers, they promised users cash rewards for walking and other activities, as well as for viewing ads or installing other apps.

Apps on Google Play promising rewards for walking and viewing ads

More precisely, the user was awarded points for these actions, which could then supposedly be converted into real money. The only trouble was that to get a reward, you had to amass such a huge number of points that it was effectively impossible.

35 million downloads: Minecraft clones with adware inside

Google Play also became home to malicious games this year, with the main culprit (and not for the first time) being Minecraft — still one of the most popular titles in the world. In April 2023, 38 Minecraft clones were detected in the official Android store, with a total of 35 million downloads. Hidden inside these apps was adware called, appropriately enough, HiddenAds.

Block Box Master Diamond, the most popular of the Minecraft clones infected by HiddenAds

When launched, the infected apps “displayed” ads hidden from the user. That isn’t a serious threat in itself, but such behavior can degrade device performance and battery life.

And apps like these could always be followed up later by a far more harmful monetization scheme. This is another standard tactic of Android malware authors: they readily switch between different types of malicious activity depending on what’s profitable at any given moment.

100 million downloads: data harvesting and click fraud

Also in April 2023, another 60 apps were found on Google Play infected with adware that researchers dubbed Goldoson. These apps collectively had more than 100 million downloads on Google Play and a further eight million on the popular Korean ONE store.

This malware also “showed” hidden ads by opening web pages within the app in the background. In addition, the malicious apps collected user data — including information about installed apps, geolocation, addresses of devices connected to the smartphone via Wi-Fi and Bluetooth, and more.

Goldoson seems to have gotten into all these apps along with an infected library used by many legitimate developers that were simply unaware that it contained malicious functionality. And this isn’t an uncommon occurrence: often malware creators don’t develop and publish apps on Google Play themselves, but instead create infected libraries of this kind that end up in the store along with other developers’ apps.

451 million downloads: mini-game ads and data harvesting

We close with the biggest case of the year: in May 2023, a team of researchers found a whopping 101 infected apps on Google Play, with combined downloads of 421 million. Lurking inside each and every one of them was the SpinOk code library.

Shortly afterwards, another team of researchers discovered 92 more apps on Google Play with the same SpinOk library, with a more modest 30 million downloads. In all, 193 apps containing SpinOk code were found, with a combined 451 million downloads from Google Play between them. This is another case where dangerous code was delivered into applications through a third-party library.

Mini-games promising “rewards” that apps containing SpinOk code showed to users

On the surface, the infected apps’ job was to display intrusive mini-games promising cash rewards. But that wasn’t all: the SpinOk library could also collect user data and files and send them to its developers’ command-and-control server in the background.
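Both Goldoson and SpinOk reached the store inside libraries that app developers pulled in, and a library can arrive transitively, through a dependency of a dependency, without ever being named in the app’s build file. The script below is an added example (not Kaspersky’s tooling, and not from any of the affected apps) that answers the question a developer in that position has to ask: which directly declared dependency brought this library in? It parses the text of `./gradlew :app:dependencies --configuration releaseRuntimeClasspath` and traces every resolved artifact back to the top of its chain. `SAMPLE_TREE` is constructed, and every `com.hypothetical.*` coordinate is invented for the demonstration.

```python
"""Trace which directly declared Gradle dependency pulled a library into an
Android app.  Added example, not Kaspersky's tooling.  Input is the text of
`./gradlew :app:dependencies --configuration releaseRuntimeClasspath`;
SAMPLE_TREE is constructed and every com.hypothetical.* coordinate is made up."""
import re

# A tree node: depth is the number of 5-column blocks ("|    " or "     ")
# before the "+--- " / "\--- " marker Gradle prints.
NODE_RE = re.compile(r"^(?P<indent>(?:[| ]    )*)[+\\]--- (?P<rest>.+)$")


def parse_node(line):
    """(depth, group:name:resolvedVersion) for a tree line, else None."""
    m = NODE_RE.match(line)
    if not m:
        return None  # configuration header, footnote or blank line
    depth = len(m.group("indent")) // 5
    tokens = m.group("rest").split()
    coord = tokens[0]
    # "group:name:1.0 -> 1.2" means Gradle resolved 1.2; keep the resolved one.
    if "->" in tokens:
        group, name = coord.split(":")[:2]
        coord = f"{group}:{name}:{tokens[tokens.index('->') + 1]}"
    return depth, coord


def dependency_paths(tree_text):
    """Map each resolved artifact to the chain from its direct dependency
    down to itself.  The first chain found is kept; Gradle marks later
    repeats with (*) and omits their children."""
    paths, stack = {}, []
    for line in tree_text.splitlines():
        node = parse_node(line)
        if node is None:
            stack = []  # a header or footnote ends the current tree
            continue
        depth, coord = node
        stack = stack[:depth] + [coord]
        paths.setdefault(coord, list(stack))
    return paths


def find_introducers(tree_text, group_name):
    """All chains ending in an artifact whose group:name matches."""
    return [chain for coord, chain in dependency_paths(tree_text).items()
            if coord.rsplit(":", 1)[0] == group_name]


def transitive_only(tree_text):
    """Artifacts that never appear as a direct (depth-0) dependency: the
    libraries the developer never typed into build.gradle."""
    paths = dependency_paths(tree_text)
    direct = {chain[0] for chain in paths.values()}
    return sorted(c for c in paths if c not in direct)


# Constructed sample output; the com.hypothetical.* artifacts are invented.
SAMPLE_TREE = r"""releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- androidx.appcompat:appcompat:1.6.1
|    +--- androidx.annotation:annotation:1.3.0 -> 1.6.0
|    \--- androidx.core:core:1.9.0
|         \--- androidx.annotation:annotation:1.6.0 (*)
+--- com.squareup.okhttp3:okhttp:4.12.0
|    \--- com.squareup.okio:okio:3.6.0
+--- com.hypothetical.ads:banner-sdk:3.1.0
|    +--- com.hypothetical.minigames:sdk:2.3.1
|    |    \--- com.hypothetical.minigames:collector:2.3.1
|    \--- com.squareup.okhttp3:okhttp:4.10.0 -> 4.12.0 (*)
\--- com.google.code.gson:gson:2.10.1

(*) - Indicates repeated occurrences of a transitive dependency subtree.
"""

if __name__ == "__main__":
    for chain in find_introducers(SAMPLE_TREE, "com.hypothetical.minigames:sdk"):
        print(" -> ".join(chain))
    print("never declared directly:", transitive_only(SAMPLE_TREE))
```

In the sample, the app declares only an ad banner SDK; the mini-game library and its collector component ride in underneath it, which is the situation the developers of the Goldoson- and SpinOk-carrying apps were in. The Gradle tree only covers what the build resolves, so after building, also list the packages actually present in the APK (`apkanalyzer dex packages app.apk`) and confirm nothing is there that the tree cannot explain; code that a library downloads at run time never appears in either.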

How to guard against malware on Google Play

Of course, we haven’t covered all the cases of malicious apps getting onto Google Play in 2023 — only the most eye-catching. The main takeaway from this post is this: malware on Google Play is far more common than any of us would like to think — infected apps have a combined download total in excess of half a billion!

Nevertheless, official stores remain by far the safest sources. Downloading apps elsewhere is far more dangerous, for which reason we strongly advise against it. But you must exercise caution in official stores as well:

  • Every time you download a new app, carefully check its page in the store to make sure it’s genuine. Pay particular attention to the name of the developer. It’s not unusual for cybercriminals to clone popular apps and place them on Google Play under similar names, icons, and descriptions to lure users.
  • Don’t be guided by the app’s overall rating, since this is easy to inflate. Rave reviews are also no trouble to fake. Instead, focus on negative reviews with low ratings — that’s where you can usually find a description of all the problems with the app.
  • Install reliable protection on all your Android devices, which will warn you in advance if a Trojan tries to sneak onto your smartphone or tablet.
  • In the free version of our Kaspersky: Antivirus & VPN application, remember to manually run a device scan from time to time, and be sure to perform an antivirus scan after installing any new app and before launching it for the first time.
  • In the paid version of our protection suite — which, incidentally, is included in a subscription to Kaspersky Standard, Kaspersky Plus or Kaspersky Premium — scanning is performed automatically, keeping you safe from infected apps.