Facebook ran ads for a fake ‘Clubhouse for PC’ app planted with malware

Cybercriminals have taken out a number of Facebook ads masquerading as a Clubhouse app for PC users in order to target unsuspecting victims with malware, TechCrunch has learned.

TechCrunch was alerted Wednesday to Facebook ads tied to several Facebook pages impersonating Clubhouse, the drop-in audio chat app only available on iPhones. Clicking on the ad would open a fake Clubhouse website, including a mocked-up screenshot of what the non-existent PC app looks like, with a download link to the malicious app.

When opened, the malicious app tries to communicate with a command and control server to obtain instructions on what to do next. One sandbox analysis of the malware showed the malicious app tried to infect the isolated machine with ransomware.

But overnight, the fake Clubhouse websites — which were hosted in Russia — went offline, and with them the malware stopped working. Guardicore’s Amit Serper, who tested the malware in a sandbox on Thursday, said the malware received an error from the server and did nothing more.

The fake website was set up to look like Clubhouse’s real website, but featuring a malicious PC app. (Image: TechCrunch)

It’s not uncommon for cybercriminals to tailor their malware campaigns to piggyback on the success of wildly popular apps. Clubhouse reportedly topped more than 8 million global downloads to date despite an invite-only launch. That high demand prompted a scramble to reverse-engineer the app and build bootleg versions of it, both to get around Clubhouse’s invite gate and to evade government censors where the app is blocked.

Each of the Facebook pages impersonating Clubhouse had only a handful of likes, but they were still active at the time of publication. When reached, Facebook wouldn’t say how many account owners had clicked on the ads pointing to the fake Clubhouse websites.

At least nine ads were placed this week between Tuesday and Thursday. Several of the ads said Clubhouse “is now available for PC,” while another featured a photo of co-founders Paul Davidson and Rohan Seth. Clubhouse did not return a request for comment.

The ads have been removed from Facebook’s Ad Library, but we have published a copy. It’s also not clear how the ads made it through Facebook’s processes in the first place.

Apple adds two brand new Siri voices and will no longer default to a female voice in latest iOS

Apple is adding two new voices to Siri’s English offerings and eliminating the default ‘female voice’ selection in the latest beta version of iOS. This means that every person setting up Siri will choose a voice for themselves, and the voice assistant will no longer default to being female, a topic that has come up quite a bit with regard to bias in voice interfaces over the past few years.

The beta version should be live now and available to program participants.

I believe this is the first of these assistants to make the choice completely agnostic, with no default selection made. This is a positive step forward, as it allows people to choose the voice they prefer without default bias coming into play. The two new voices also bring some much-needed variety to Siri, offering more diversity in speech sound and pattern to a user picking a voice that speaks to them.

“We’re excited to introduce two new Siri voices for English speakers and the option for Siri users to select the voice they want when they set up their device,” a statement from Apple reads. “This is a continuation of Apple’s long-standing commitment to diversity and inclusion, and products and services that are designed to better reflect the diversity of the world we live in.”

The two new voices use source talent recordings that are then run through Apple’s Neural text-to-speech engine, so the voices flow more naturally through phrases that are generated on the fly.

I’ve heard the new voices and they sound pretty fantastic, with natural inflection and smooth transitions. They’ll be a welcome addition of choice to iOS users. I’ll embed some samples here after the beta drops.

This latest beta also upgrades the Siri voices in Ireland, Russia and Italy to Neural TTS, bringing the total number of voices using the new tech to 38. Siri now handles 25 billion requests on over 500M devices and supports 21 languages in 36 countries.

The new voices are available to English speaking users around the world and Siri users can select a personal preference of voice in 16 languages.

It seems very likely that these two new voices are just the first expansion of Siri’s voice selections. More diversity in voice, tone and regional dialect can only be a positive development for how inclusive smart devices feel. Over the past few years we have finally begun to see some movement from Amazon, Google and Apple to aggressively correct situations where the assistants have revealed bias in their responses to queries that use negative or abusive language. Improvements there, along with better handling of queries on social justice topics and overall accessibility, are key as we continue to see an explosion of voice-first or voice-native interfaces. These kinds of choices matter, especially at a scale of hundreds of millions of people.

America’s small businesses face the brunt of China’s Exchange server hacks

As the U.S. reportedly readies for retaliation against Russia for hacking into some of the government’s most sensitive federal networks, the U.S. is facing another old adversary in cyberspace: China.

Microsoft last week revealed a new hacking group it calls Hafnium, which operates in, and is backed by, China. Hafnium used four previously unreported vulnerabilities — or zero-days — to break into at least tens of thousands of organizations running vulnerable Microsoft Exchange email servers and steal email mailboxes and address books.

It’s not clear what Hafnium’s motives are. Some liken the activity to espionage — a nation-state gathering intelligence or industrial secrets from larger corporations and governments.

But what makes this particular hacking campaign so damaging is not only the ease with which the flaws can be exploited, but also how many — and how widespread — the victims are.

Security experts say the hackers automated their attacks by scanning the internet for vulnerable servers, hitting a broad range of targets and industries — law firms and policy think tanks, but also defense contractors and infectious disease researchers. Schools, religious institutions, and local governments are among the victims running vulnerable Exchange email servers and caught up by the Hafnium attacks.

While Microsoft has published patches, the U.S. federal cybersecurity advisory agency CISA said the patches only fix the vulnerabilities — and won’t close any backdoors left behind by the hackers.

There is little doubt that larger, well-resourced organizations have a better shot at investigating whether their systems were compromised, allowing those victims to prevent further infections, like destructive malware or ransomware.

But that leaves the smaller, rural victims largely on their own to investigate whether their networks were breached.

“The types of victims we have seen are quite diverse, many of whom outsource technical support to local IT providers whose expertise is in deploying and managing IT systems, not responding to cyber threats,” said Matthew Meltzer, a security analyst at Volexity, a cybersecurity firm that helped to identify Hafnium.

Without the budget for cybersecurity, victims can always assume they are compromised – but that doesn’t equate to knowing what to do next. Patching the flaws is just one part of the recovery effort. Cleaning up after the hackers will be the most challenging part for smaller businesses that may lack the cybersecurity expertise.

It’s also a race against the clock to prevent other malicious hackers from discovering or using the same vulnerabilities to spread ransomware or launch destructive attacks. Both Red Canary and Huntress said they believe hacking groups beyond Hafnium are exploiting the same vulnerabilities. ESET said at least ten groups were also exploiting the same server flaws.

Katie Nickels, director of intelligence at threat detection firm Red Canary, said there is “clearly widespread activity” exploiting these Exchange server vulnerabilities, but that the number of servers seeing further exploitation beyond the initial compromise has been smaller.

“Cleaning up the initial web shells will be much easier for the average IT administrator than it would be to investigate follow-on activity,” said Nickels.

Microsoft has published guidance on what administrators can do, and CISA has both advice and a tool that helps to search server logs for evidence of a compromise. And in a rare statement, the White House’s National Security Council warned that patching alone “is not remediation,” and urged businesses to “take immediate measures.”
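One concrete way to act on that advice, as an added example that is not CISA’s log search tool or Microsoft’s guidance script: a short Python hunt over IIS W3C logs for the follow-on pattern Nickels describes, namely POST requests to .aspx pages the server is not known to serve, which is how use of a dropped web shell typically shows up. The field order, the allowlist of legitimate .aspx endpoints and the log lines are all constructed for the example; a real server’s allowlist has to be built from its own clean baseline.

```python
"""Hunt IIS W3C logs for web shell follow-on activity.

Added example, not CISA's log search tool or Microsoft's guidance script.
The #Fields order, the allowlist and the sample log lines are all constructed.
"""
from collections import defaultdict

# Default IIS W3C field order, used only if the log has no #Fields directive (assumption).
DEFAULT_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]

# Constructed allowlist: the .aspx endpoints this particular server legitimately serves.
# In practice this comes from a baseline of the server's own clean logs and webroot.
KNOWN_GOOD_ASPX = {"/owa/auth/logon.aspx", "/owa/default.aspx", "/ecp/default.aspx"}

# Constructed sample log. 198.51.100.9 posts repeatedly to two .aspx pages that are
# not part of the product; 203.0.113.7 is ordinary user traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2021-03-03 10:01:45 10.0.0.5 POST /owa/auth/x.aspx - 443 - 198.51.100.9 python-requests/2.25 - 200 0 0 120
2021-03-03 10:02:10 10.0.0.5 POST /owa/auth/x.aspx - 443 - 198.51.100.9 python-requests/2.25 - 200 0 0 98
2021-03-03 10:03:00 10.0.0.5 GET /ecp/default.aspx - 443 alice 203.0.113.7 Mozilla/5.0 - 200 0 0 22
2021-03-03 10:03:30 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 302 0 0 40
2021-03-03 10:04:33 10.0.0.5 POST /aspnet_client/y.aspx - 443 - 198.51.100.9 - - 200 0 0 87
2021-03-03 10:05:00 10.0.0.5 GET /aspnet_client/y.aspx - 443 - 198.51.100.9 - - 404 0 2 5
"""


def parse_iis_log(text):
    """Yield one dict per request line, honouring any #Fields directive in the file."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; a real hunt would record it and keep going
        yield dict(zip(fields, parts))


def find_webshell_posts(text, known_good=KNOWN_GOOD_ASPX):
    """Return requests that look like web shell use: a successful POST to an .aspx
    page that is not on the server's allowlist."""
    hits = []
    for req in parse_iis_log(text):
        stem = req["cs-uri-stem"].lower()
        if not stem.endswith(".aspx") or stem in known_good:
            continue
        if req["cs-method"] == "POST" and req["sc-status"] == "200":
            hits.append(req)
    return hits


def summarize_by_source(hits):
    """Group the suspicious paths by client IP so the follow-on activity can be scoped."""
    paths = defaultdict(set)
    for h in hits:
        paths[h["c-ip"]].add(h["cs-uri-stem"])
    return {ip: sorted(p) for ip, p in paths.items()}


if __name__ == "__main__":
    hits = find_webshell_posts(SAMPLE_LOG)
    for ip, paths in summarize_by_source(hits).items():
        n = sum(1 for h in hits if h["c-ip"] == ip)
        print(f"{ip}: {n} suspicious POST(s) to {', '.join(paths)}")
```

Two caveats a practitioner would want: the allowlist must be built per server, because Exchange legitimately serves many .aspx pages and a generic list will either miss a shell or drown the admin in noise; and a hit only tells you a shell was used by that source address, not what it was used for, which is the harder investigation Nickels is pointing at and the reason patching alone is not remediation.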

How that advice trickles down to smaller businesses will be watched carefully.

Cybersecurity expert Runa Sandvik said many victims, including the mom-and-pop shops, may not even know they are affected, and even if they realize they are, they’ll need step-by-step guidance on what to do next.

“Defending against a threat like this is one thing, but investigating a potential breach and evicting the actor is a larger challenge,” said Sandvik. “Companies have people who can install patches — that’s the first step — but figuring out if you’ve been breached requires time, tools, and logs.”

Security experts say Hafnium primarily targets U.S. businesses, but that the attacks are global. The European Banking Authority is one of the largest organizations to confirm its Exchange email servers were compromised by the attack.

Norway’s national security authority said that it has “already seen exploitation of these vulnerabilities” in the country and that it would scan for vulnerable servers across Norway’s internet space to notify their owners. Slovenia’s cybersecurity response unit, known as SI-CERT, said in a tweet that it too had notified potential victims in its internet space.

Sandvik said the U.S. government and private sector could do more to better coordinate the response, given the broad reach into U.S. businesses. CISA proposed new powers in 2019 to allow the agency to subpoena internet providers to identify the owners of vulnerable and unpatched systems. The agency just received those new powers in the government’s annual defense bill in December.

“Someone needs to own it,” said Sandvik.


SolarWinds hackers targeted NASA, Federal Aviation Administration networks

Hackers are said to have broken into the networks of U.S. space agency NASA and the Federal Aviation Administration as part of a wider espionage campaign targeting U.S. government agencies and private companies.

The two agencies were named by the Washington Post on Tuesday, hours ahead of a Senate Intelligence Committee hearing tasked with investigating the widespread cyberattack, which the previous Trump administration said was “likely Russian in origin.”

Spokespeople for the agencies did not immediately respond to a request for comment, but did not deny the breach in remarks to the Post.

It’s believed NASA and the FAA are the two remaining unnamed agencies of the nine government agencies confirmed to have been breached by the attack. The other seven include the Departments of Commerce, Energy, Homeland Security, Justice, and State, the Treasury, and the National Institutes of Health, though it’s not believed the attackers breached their classified networks.

FireEye, Microsoft, and Malwarebytes were among a number of cybersecurity companies also breached as part of the attacks.

The Biden administration is reportedly preparing sanctions against Russia, in large part because of the hacking campaign, the Post also reported.

The attacks were discovered last year after FireEye raised the alarm about the hacking campaign after its own network was breached. Each victim was a customer of the U.S. software firm SolarWinds, whose network management tools are used across the federal government and Fortune 500 companies. The hackers broke into SolarWinds’ network, planted a backdoor in its software, and pushed the backdoor to customer networks with a tainted software update.

It wasn’t the only way in. The hackers are also said to have targeted other companies by breaking into other devices and appliances on their victims’ networks, as well as by targeting Microsoft vendors to breach their customers’ networks.

Last week, Anne Neuberger, the former NSA cybersecurity director who last month was elevated to the White House’s National Security Council to serve as the deputy national security adviser for cyber and emerging technology, said that the attack took “months to plan and execute,” and will “take us some time to uncover this layer by layer.”

TikTok emerges as a political battleground in Navalny-stirred Russia

TikTok has crafted a number of policies over the years to distance itself from the often-messy political fray, but its users continue to have other agendas in mind.

In Russia, a tug-of-war has emerged on the social network.

On one side are young people using the app to create videos in support of free speech, rallying the public against the government and its treatment of Alexei Navalny, the anti-Putin, anti-corruption politician and activist.

On the other is a government that has quickly versed itself in the art of video messaging — tapping and allegedly paying influencers to dissuade the masses from joining them.

Navalny’s long-term battle with Putin’s government has included political run-ins, imprisonments and a poisoning (with an evacuation to Germany to recover), followed by a return to Russia, subsequent arrest and conviction for violating the terms of a previous parole.

Through all of that, Navalny has taken on the mantle of anti-authoritarian hero. With many already unhappy about how the government is handling a weak economy and COVID-19 — a situation that has shaken (but, apparently, not completely toppled) government approval ratings — Navalny’s call for mass protests has been met with a strong response.

And as those protests unfold, TikTok is shaping up to be the scrappy social media analogue of that activity — not unlike the prominent role that Twitter took on during the Arab Spring.

“Political content is not typical for Russian TikTok,’’ said food blogger Egor Khodasevich, whose @kushat_hochu account has 1.2 million followers on the app. “Before Navalny’s return, Russian TikTok was all about dancing, pranks and post-Soviet trash aesthetics. All of a sudden, political videos have started to appear across all categories — humour, beauty, sport.’’

Now, in a significant turnaround, Russian content on the app is being flooded with catchy videos of teenagers cutting their passports in half and throwing them away, pupils taking down portraits of Putin and swapping them with those of Navalny, and others creating how-to’s for would-be protestors — advising them to wear warm clothes, to equip themselves with water and power banks and, if arrested, to pretend they are foreign.

TikTok embed: @almorozova #навальный (#navalny) #свободунавальному (#freenavalny) “Being against the authorities does not mean being against the Motherland” ♬ original sound – “the new year is over…”

These are pooling around hashtags like #23января (January 23, the date of one of the biggest protests so far) and #занавального (“For Navalny”).

The wave of videos even got shout-outs from Navalny himself — fittingly, not on TikTok, but Instagram, where he praised the TikTok activists for helping get the word and the crowds out.

“Respect to the schoolchildren who, according to my lawyer, caused a frenzy on TikTok,” he noted on one post. Later he poked fun at how the TikTok protest videos were described as “fakes” planted by dastardly Americans.

Russia as a country has a small but fast-growing and vocal group of TikTok users.

Figures provided to us by Sensor Tower estimate that TikTok has been downloaded more than 2.66 billion times to date globally (a figure that includes its Chinese version, Douyin), and about 93.6 million times in Russia (figures that don’t count third-party Android stores, direct downloads or sideloads).

A report in the Moscow Times from the end of December estimates that there are around 20 million active users in the country, more than double the 8 million it had at the end of 2019. TikTok itself does not disclose current MAUs in Russia or globally, but analysts have projected that the company is on track to pass 1 billion MAUs sometime in the early part of this year.

Even with those sub-100 million numbers, videos with the Navalny hashtag have passed 1 billion views on the platform (as of the time of publishing, the number of views has passed 1.6 billion).

The Empire Strikes Back…

But the Russian state is nothing if not persistent when it comes to staying ahead of the game in tech, and it has been harnessing the media world in a couple of ways in aid of its own ends.

State television and other state media outlets strongly encouraged people to stay away from protests, citing issues like public safety, the spread of Covid-19, and the threat of arrest (one they followed through on: authorities have carried out controversial mass arrests of hundreds of people at these gatherings).

At the same time, attention turned to social media, and in particular TikTok.

Roskomnadzor first confirmed that it would fine all major social media platforms up to 4 million rubles ($54,000) over protest-related content, citing that “these Internet platforms failed to remove a total of 170 illegal appeals in a timely manner.”

It then followed that up with an order to the management teams of TikTok, Facebook, Telegram and Vkontakte to appear at the regulator’s offices to explain why they had not yet removed offending videos, reminding them that continued failure to comply would mean fines increased to 10% of a company’s annual revenue, and dangling the threat that non-compliance could get services blocked.

TikTokers reported being called in by the police after their videos were taken down, and in the wake of all this TikTok itself was more directly threatened with fines by the regulator.

As with previous moves to censor online platforms, regulators explained their actions as a response to societal impact. In this case, they described the protest videos as a coordinated criminal attempt to get minors to commit illegal acts that could endanger their safety.

In addition to all that, the state appeared to take on a guerilla approach, too.

Small accounts, newly created accounts and popular bloggers slowly all started posting videos persuading people away from the protests. These videos, in Russian, warn of the dangers of protesting.

It turns out that at least some of the people posting these videos were quietly getting paid. Sums ranged from 2,000 rubles (about $25) to 5,000 rubles, according to one TikToker who declined the offer and posted the proposal on TikTok instead.

(Those figures may not sound very high, but they can still be welcome sums for young people in a country where the average salary as of 2019 is around $718 per month.)

It hasn’t taken long for the scheme to be exposed. Several videos criticizing the protests have been removed in the last week. It’s unclear whether TikTok — which declined to comment for this article — or the original creators removed them.

But in one case, a TikToker who goes by the name @golyakov_ (741,000 followers) initially posted a stream of reasons why protesting was dangerous. He then later admitted to getting paid but claimed to believe in what he was saying (perhaps one reason why the video has stayed up?).

Startok, one of the agencies that represents social media influencers, confirmed to us that it has cut ties with two of the creators who had taken payments to make videos in support of the state.

TikTok’s immediate connection and current popularity with younger adults have made it unique in the social media pantheon. However, it wasn’t the only social media platform seeing anti-Navalny activity, both in terms of messaging and of entities soliciting posts for payment.

A Navalny assistant posted a thread on Twitter of Instagram Stories that cast Navalny’s decision to return to Russia, knowing he would be arrested, as a publicity stunt.

Meanwhile, Boris Kantorovich, a sales director at social media agency Avtorskiye Media who has used Twitter to post about people getting detained, noted that he also came across briefs on the Telegram chat ADvizer.me, as well as in a Facebook group, that required bloggers to create a video with one or two talking points. He said these included “protesters provoked the police at the rally,” “we are tired of Navalny” and “we want peace and quiet.”

When Kantorovich posed as one of the TikTokers that he represents, he received a brief for a 15-second video. “After a quick negotiation I hiked the price up from 2,000 rubles to 3,500 rubles,” he said.

Further creative briefs came with the guidance that they needed to condemn protests on 31 January and 2 February, the second being the date of Navalny’s trial.

“Bloggers should say that ‘Navalny will go to jail 100%’, he is ‘funded from the West’ and ‘his recent imprisonment is legal’,” Kantorovich said.

Kantorovich added that authorities didn’t reach out to his agency Avtorskiye Media to advertise with the bloggers it works with: “We clearly mark all ads but authorities don’t like it, because they are trying to create an illusion of a public opinion,” he said.

Similar information was shared by Anatoly Kapustin of the “Picture” advertising agency.

Kapustin, speaking in an interview on non-State-owned Russian TV station Rain, named the “public organization for youth affairs” as an advertiser.

“Talking points on offer were: ‘criminal charges could be brought against protesters,’ ‘you might end up in jail and then not find well-paid jobs,’ and ‘Navalny’s children are studying in America,’” he said in the interview.

In some cases, the virality tricks that TikTok is known for have been used by protestors to turn some of those pro-government campaigns around.

After a wave of people created videos over the same audio clip, in which a deep voice repeats that TikTok is not a place for politics but a place for [insert fun, non-political activity here], the audio and its hashtag were hijacked by protestors encouraging people to embrace free speech and not silence their voices.

TikTok declined to comment for this story, but in general the company has made it a policy not to wade into partisan politics or to accept political advertising, which would turn its platform into a commercial channel for getting political points across.

It also declined to comment on whether it was taking down videos that viewers reported as possible paid advertising, or on whether it had responded to any government requests to remove videos. It periodically publishes transparency reports where some of that detail, and its subsequent actions, can be found after the fact. (It judges each request individually.)

One thing that the Navalny situation has exposed is that there is a strong appetite among younger people to be more politically engaged, and for the moment, TikTok is emerging as their preferred place to do that.

Khodasevich, the food blogger, thinks TikTok can replace Twitter as a platform of choice for the opposition in Russia.

“Thanks to its clever algorithms, TikTok can show your video to a bigger audience than YouTube or Instagram, even if you don’t pay for promotion,” he said in an interview. “TikTok representatives told me political videos without direct calls for protests will not get banned.’’

It means that, with a bit of creativity — and a very heavy dose of opportunism and cynicism — both sides might still be able to push forward with their political agendas. Boris Kantorovich agrees.

“Authorities will change their strategy and become more subtle,” he said. “They acted in haste. Probably they thought of TikTok as a good breeding ground for loyalists. Now, the only way to stop people talking about politics on TikTok is by banning access to this platform.’’

Or, if you can’t beat them, join them? The last few days have seen government organizations such as the Ministry of Foreign Affairs and the Ministry of Emergency Situations join the platform to give the public a glimpse of how they, too, can roll with it.

TikTok embed: @mchs.russia “Just look at what our staff can do! Send your reaction in the comments! Thanks to @@anatoly.doletsky for the video” ♬ original sound – МЧС России (Russia’s Ministry of Emergency Situations)

Some of the content is not exactly subtle — the Foreign Ministry almost immediately used its new account to post a TikTok discrediting Navalny — but more generally, these are signs that the government is all too aware of the platform’s impact in galvanizing people against it, and it’s trying various things to fight that.

So did TikTok really manage to bring a considerable number of young people to the rallies? Are we witnessing the birth of a new protest movement, or yet another example of one-click activism?

According to a poll conducted on 23 January by TV Rain in Moscow, 44% of protesters took to the streets for the first time ever. Only 10% of respondents were under the age of 18, with the average age of protesters hovering around 31 years old, showing an overlap with the audience using TikTok in the country.

Other major movements (such as last year’s run of BLM activism) point to 18-34 being the biggest age demographic among protestors (though with strong participation among other ages, too). With that in mind, it seems that both the authorities and the opposition in Russia will try to use the social media platforms most popular among that age group to recruit their new foot soldiers.

Of course, as with everything on social media, Khodasevich added, it’s sometimes hard to figure out everyone’s actual agenda. Some political posts are genuine, some could be attributed to “news jacking.” But ultimately, they are sparking a lot of attention that the government is now mobilizing to counteract.

And with another critical Navalny hearing coming up on February 15th, as well as the September 2021 state Duma elections being only months away, the stakes are high for whatever political battles come next.

Tesla’s Bitcoin investment could be bad for the company’s climate reputation and its bottom line

Tesla’s $1.5 billion investment in Bitcoin may be good for Elon Musk, but it’s definitely risky for the company that made him the world’s richest man, according to investors, analysts and money managers at some of the country’s largest banks.

As a standard bearer for the consumer electric vehicle industry and the broader climate tech movement rallying around it, Tesla’s bet to go all in on crypto could damage its climate bona fides and its reputation with customers even as other automakers pour into the EV market.

Given Bitcoin’s current environmental footprint, the deal flies in the face of Tesla’s purported interest in moving the world to cleaner sources of energy and commerce.

Until the energy grid decarbonizes in places like Russia and China, mining bitcoin remains a pretty dirty business (from an energy perspective), according to some energy investors who declined to be identified because they were not authorized to speak about Musk’s plans.

“We were talking about people doing this in Russia back in 2018 and how they were tapping coal power to run their mining operations,” one investor said. “The cost per transaction from an energy intensity standpoint has only gotten more intense. I don’t see how those things coalesce, climate and crypto.”

The stake makes Tesla one of the largest corporate hodlers of Bitcoin but represents a massive portion of the company’s $19 billion in cash and cash equivalents on hand.

“Given the size of their treasury it feels irresponsible, IMO,” wrote one investor whose firm backed Tesla from its earliest days. The company’s move could be seen as another example of the absurdity of U.S. capital markets in today’s investment climate — and the underlying cynicism of some of its biggest beneficiaries.

Industry observers on Wall Street also criticized the company’s big bet on Bitcoin.

“Tesla buying $1.5 billion in BTC is interesting. Am assuming they haven’t hedged it, so they will either be cash rich in the future or have a hole in the balance sheet. Elon Musk stays wild,” wrote one capital planning executive at a major Wall Street bank who declined to be identified because they were not authorized to speak to the press. “[It’s] not dissimilar from a large company throwing cash into a wildly volatile emerging market currency.”

Still, in the short term, the deal is paying dividends. The price of Bitcoin has risen nearly $8,000, or 18.73%, over the course of the day since Tesla made its announcement. The question is whether any regulator will step in to punish Musk and Tesla.

Musk has been tweeting his support for Bitcoin and other, more arcane (or useless) cryptocurrencies like Dogecoin for the past several weeks, in what seems to be a violation of his agreement with the Securities and Exchange Commission.

The world’s richest man has previously been fined by regulatory agencies for his tweeting habits. Back in 2018, the SEC charged Musk with fraud for tweets about privatizing the electric vehicle company at $420 per share.

Musk eventually settled with the SEC, at the price of his role as chairman of Tesla’s board and a $20 million personal fine — with Tesla paying out another $20 million to the SEC.

The volatility of the cryptocurrency could affect not just Tesla’s bottom line but also its customers, should they use the currency to buy cars.

“Bitcoin jumped over 15% to a new high of $44,000 on Monday. This sort of hype-based price power should be worrying to investors and consumers alike – especially if this is to be used as medium of exchange,” wrote Danyaal Rashid, head of thematic research at GlobalData.

“If Elon Musk can help dictate the price of this asset with a tweet or large order, the same could happen to send the price back down. The task of purchasing a vehicle should not be speculative. Consumers who may have thought of buying bitcoin to use as a substitute for fiat – could very easily end up with more or less than they bargained for.”


Decrypted: With more SolarWinds fallout, Biden picks his cybersecurity team

All change in the capital as the Biden administration takes charge, and thankfully without a hitch (or violence) after the attempted insurrection two weeks earlier.

In this week’s Decrypted, we look at the ongoing fallout from the SolarWinds breach and who the incoming president wants to lead the path to recovery. Plus, the news in brief.


THE BIG PICTURE

Google says SolarWinds exposure “limited,” more breaches confirmed

The cyberattack against SolarWinds, an ongoing espionage campaign already blamed on Russia, claimed the U.S. Bureau of Labor Statistics as another federal victim this week. The attack also hit cybersecurity company Malwarebytes, the company’s chief executive confirmed. Marcin Kleczynski said in a blog post that attackers gained access to a “limited” number of internal company emails. The attackers were the same as in the SolarWinds campaign but used a different intrusion route. Malwarebytes is now the third security company known to have been targeted by the same Russian hackers, after a successful intrusion at FireEye and an unsuccessful attempt at CrowdStrike.

App stores saw record 218 billion downloads in 2020, consumer spend of $143 billion

Mobile adoption continued to grow in 2020, in part due to the market forces of the COVID-19 pandemic. According to App Annie’s annual “State of Mobile” industry report, mobile app downloads grew by 7% year-over-year to a record 218 billion in 2020. Meanwhile, consumer spending grew by 20% to also hit a new milestone of $143 billion, led by markets that included China, the United States, Japan, South Korea and the United Kingdom.

Consumers also spent 3.5 trillion minutes using apps on Android devices alone, the report found.

In another shift, app usage in the U.S. surged ahead of the time spent watching live TV. Currently, the average American watches 3.7 hours of live TV per day, but now spends four hours on their mobile device.

The increase in time spent is a trend that’s not unique to the U.S., but can be seen across several other countries, including both developing mobile markets like Indonesia, Brazil and India, as well as places like China, Japan, South Korea, the U.K., Germany, France and others.

The trend isn’t isolated to any one demographic, either, but is seen across age groups. In the U.S., for example, Gen Z, millennials and Gen X/Baby Boomers spent 16%, 18% and 30% more time in their most-used apps year-over-year, respectively. However, what those favorite apps looked like was very different.

For Gen Z in the U.S., top apps on Android phones included Snapchat, Twitch, TikTok, Roblox and Spotify.

Millennials favored Discord, LinkedIn, PayPal, Pandora and Amazon Music.

And Gen X/Baby Boomers used Ring, Nextdoor, The Weather Channel, Kindle and ColorNote Notepad Notes.

The pandemic didn’t necessarily change how consumers were using apps in 2020, but rather accelerated mobile adoption by two to three years’ time, the report found.

Investors were also eager to fuel mobile businesses as a result, pouring $73 billion in capital into mobile companies — a figure that’s up 27% year-over-year. According to Crunchbase data, 26% of total global funding dollars in 2020 went to businesses that included a mobile solution.

From 2016 to 2020, global funding to mobile technology companies more than doubled compared with the previous five years, and was led by financial services, transportation, commerce and shopping.

Mobile gaming adoption also continued to grow in 2020. Casual games dominated the market in terms of downloads (78%), but Core games accounted for 66% of games’ consumer spend and 55% of the time spent.

With many stuck inside due to COVID-19 lockdowns and quarantines, mobile games that offered social interaction boomed. Among Us, for example, became a breakout game in several markets in 2020, including the U.S.

Other app categories saw sizable increases over the past year, as well.

Time spent in Finance apps in 2020 was up 45% worldwide, outside of China, and participation in the stock market grew 55% on mobile, thanks to apps like Robinhood in the U.S. and others worldwide that democratized investing and trading.

TikTok had a big year, too.

The app saw an incredible 325% year-over-year growth, despite a ban in India, and ranked in the top five apps by time spent. The average monthly time spent per user also grew faster than nearly every other app analyzed, including 65% in the U.S. and 80% in the U.K., surpassing Facebook. TikTok is now on track to hit 1.2 billion active users in 2021, App Annie forecasts.

Other video services boomed in 2020, thanks to a combination of new market entrants and a lot of time spent at home. Consumers spent 40% more hours streaming on mobile devices, with time spent in streaming apps peaking in the second quarter in the west as the pandemic forced people inside.

YouTube benefited from this trend, as it became the No. 1 streaming app by time spent among all markets analyzed except China. Time spent in YouTube is up to 6x that of the next closest app, at 38 hours per month.

Of course, another big story for 2020 was the rise of e-commerce amid the pandemic. This made the past year the biggest ever for mobile shopping, with an over 30% increase in time spent in Shopping apps, as measured on Android phones outside of China.

Mobile commerce, however, looked less traditional in 2020.

Social shopping was a big trend, with global downloads of Pinterest and Instagram growing 50% and 20% year-over-year, respectively.

Livestreaming shopping grew, too, led by China. Downloads of live shopping TaoBao Live in China, Grip in South Korea and NTWRK in the U.S. grew 100%, 245% and 85%, respectively. NTWRK doubled in size last year, and now others are entering the space as well — including TikTok, to some extent.

The pandemic also prompted increased usage of mobile ordering apps. In the U.S., Argentina, the U.K., Indonesia and Russia, the category grew by 60%, 65%, 70%, 80% and 105%, respectively, in Q4.

Business apps, like Zoom and Google Meet among others, grew 275% in Q4, for example, as remote work, and sometimes school, continued.

The analysis additionally included lists of the top apps by downloads, spending and monthly active users (MAUs).

Although TikTok had been topping year-end charts, Facebook continued to beat it in terms of MAUs. Facebook-owned apps controlled the top charts by MAUs, with Facebook at No. 1 followed by WhatsApp, Messenger and Instagram.

TikTok, however, had more downloads than Facebook and ranked No. 2 by consumer spending, behind Tinder.

The full report is available only as an online interactive experience this year, not a download. The report largely uses data from both the iOS App Store and Google Play, except where otherwise noted.

Chris Krebs and Alex Stamos have started a cyber consulting firm

Former U.S. cybersecurity official Chris Krebs and former Facebook chief security officer Alex Stamos have founded a new cybersecurity consultancy firm, which already has its first client: SolarWinds.

The two have been hired as consultants to help the Texas-based software maker recover from a devastating breach by suspected Russian hackers, which used the company’s software to set backdoors in thousands of organizations and to infiltrate at least 10 U.S. federal agencies and several Fortune 500 businesses.

At least the Treasury, State and the Department of Energy have been confirmed breached, in what has been described as likely the most significant espionage campaign against the U.S. government in years. And while the U.S. government has already pinned the blame on Russia, the scale of the intrusions is not likely to be known for some time.

Krebs was one of the most senior cybersecurity officials in the U.S. government, most recently serving as the director of Homeland Security’s CISA cybersecurity advisory agency from 2018, until he was fired by President Trump for his efforts to debunk false election claims — many of which came from the president himself. Stamos, meanwhile, joined the Stanford Internet Observatory after holding senior cybersecurity positions at Facebook and Yahoo. He also consulted for Zoom amid a spate of security problems.

In an interview with the Financial Times, which broke the story, Krebs said it could take years before the hackers are ejected from infiltrated systems.

SolarWinds chief executive Sudhakar Ramakrishna acknowledged in a blog post that it had brought on the consultants to help the embattled company to be “transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements.”

After the FireEye and SolarWinds breaches, what’s your failsafe?

The security industry is reverberating with news of the FireEye breach and the announcement that the U.S. Treasury Department, DHS and potentially several other government agencies were hacked due (in part, at least) to a supply chain attack on SolarWinds.

These breaches are reminders that nobody is immune to risk or being hacked. I’ve no doubt that both FireEye and SolarWinds take security very seriously, but every company is subject to the same reality: Compromise is inevitable.

The way I judge these events is not by whether someone is hacked, but by how much effort the adversary needed to expend to turn a compromise into a meaningful breach. We’ve heard FireEye put effort and execution into the protection of sensitive tools and accesses, forcing the Russians to put stunning effort into a breach.


More evidence of FireEye’s dedication to security can be seen in the speed with which it moved to publish countermeasure tools. While the SolarWinds breach has had stunning immediate fallout, I’ll reserve opining about SolarWinds until we learn details of the whole event, because while a breach that traverses the supply chain should be exceedingly rare, they’ll never be stopped entirely.

All this is to say, this news isn’t surprising to me. Security organizations are a top adversarial target, and I would expect a nation-state like Russia to go to great lengths to impede FireEye’s ability to protect its customers. FireEye has trusted relationships with many enterprise organizations, which makes it a juicy target for espionage activities. SolarWinds, with its lengthy list of government and large enterprise customers, is a desirable target for an adversary looking to maximize its efforts.

SolarWinds' hackers gained access to multiple federal agencies.

Image Credits: David Wolpoff

Hack SolarWinds once, and Russia gains access to many of its prized customers. This isn’t the first time a nation-state adversary has gone through the supply chain. Nor is it likely to be the last.

For security leaders, this is a good opportunity to reflect on their reliance and trust in technology solutions. These breaches are reminders of unseen risk debt: Organizations have a huge amount of potential harm built up through their providers that typically isn’t adequately hedged against.

People need to ask the question, “What happens when my MSSP, security vendor or any tech vendor is compromised?” Don’t look at the SolarWinds hack in isolation. Look at every one of your vendors that can push updates into your environment.

No single tool can be relied on to never fail.

You need to expect that FireEye, SolarWinds and every other vendor in your environment will eventually get compromised. When failures occur, you need to know: “Will the remainder of my plans be sufficient, and will my organization be resilient?”

What’s your backup plan when this fails? Will you even know?

If your security program is critically dependent on FireEye (Read: It’s the primary security platform), then your security program is dependent on FireEye implementing, executing and auditing its own program, and you and your management need to be okay with that.

Often, organizations purchase a single security solution to cover multiple functions, like their VPN, firewall, monitoring solution and network segmentation device. But then you have a single point of failure. If the box stops working (or is hacked), everything fails.

From a structural standpoint, it’s hard to have something like SolarWinds be a point of compromise and not have wide-reaching effects. But if you trusted SolarWinds’ Orion platform to talk to and integrate with everything in your environment, then you were betting that a breach like this wouldn’t happen. When I think about utilizing any tool (or service) one question I always ask is, “When this thing fails, or is hacked, how will I know and what will I do?”

Sometimes the answer might be as simple as, “That’s an insurance-level event,” but more often I’m thinking about other ways to get some signal to the defenders. In this case, when SolarWinds is the vector, will something else in my stack still give me an indication that my network is spewing traffic to Russia?

Architecting a resilient security program isn’t easy; in fact, it’s a really hard problem to solve. No product or vendor is perfect; that’s been proven time and again. You need to have controls layered on top of each other. Run through “what happens” scenarios. Organizations focusing on defense in depth, and defending forward, will be in a more resilient position. How many failures does it take for a hacker to get to the goods? It should take more than one mishap for critical data to end up in Russia’s hands.

It’s critical to think in terms of probability and likelihood and put controls in place to prevent accidental changes to baseline security. Least privilege should be the default, and lots of segmenting should prevent rapid lateral motion. Monitoring and alerting should trigger responses, and if any wild deviations occur, the fail safes should activate. Run a red-team security program, see how well you stack up and learn from your mistakes.
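One concrete form of the independent signal described above, added here as an example and not code from the author, FireEye, SolarWinds or any other vendor named in the piece: a small egress check that does not depend on the primary security platform being trustworthy. It learns which external destination and port pairs a watched host (say, the management server that runs the monitoring platform) normally talks to during a quiet window, then sums the bytes sent to any pair outside that baseline. The flow records, host roles, internal ranges and field names are all constructed assumptions for the example; the external addresses are documentation-only ranges, not real infrastructure.

```python
"""
Added example, not code from the article or from any vendor it names.

An egress check that is independent of the primary security platform: learn
which external (destination, port) pairs each watched host normally uses, then
alert when a watched host sends traffic to a pair outside that baseline.
Flow records, host roles and IP ranges below are constructed for the example
(documentation-only address ranges), not taken from any real incident.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str        # source IP of the flow (assumed field layout)
    dst: str        # destination IP
    dport: int      # destination port
    bytes_out: int  # bytes sent src -> dst


# Assumed internal address space for the example environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Map each source host to the set of external (dst, dport) pairs it used
    during the learning window. Internal-to-internal flows are ignored here."""
    baseline = defaultdict(set)
    for f in flows:
        if not is_internal(f.dst):
            baseline[f.src].add((f.dst, f.dport))
    return dict(baseline)


def detect_new_egress(flows, baseline, watched_hosts, min_total_bytes=0):
    """Return one alert per (src, dst, dport) where a watched host talked to an
    external pair missing from its baseline. Bytes are summed across flows so
    a single large transfer and a trickle of small ones are both visible."""
    totals = defaultdict(int)
    for f in flows:
        if f.src not in watched_hosts or is_internal(f.dst):
            continue
        if (f.dst, f.dport) in baseline.get(f.src, set()):
            continue
        totals[(f.src, f.dst, f.dport)] += f.bytes_out
    return [
        {"src": s, "dst": d, "dport": p, "bytes_out": b}
        for (s, d, p), b in sorted(totals.items())
        if b >= min_total_bytes
    ]


# Constructed learning-window flows: the management server normally reaches
# only one vendor update endpoint over HTTPS and internal hosts over SNMP.
LEARNING_FLOWS = [
    Flow("10.0.1.5", "203.0.113.10", 443, 12_000),
    Flow("10.0.1.5", "10.0.2.7", 161, 800),
    Flow("10.0.5.20", "203.0.113.50", 443, 5_000),
]

# Constructed detection-window flows: the management server keeps its usual
# traffic but also starts sending data to an address it has never used.
DETECTION_FLOWS = [
    Flow("10.0.1.5", "203.0.113.10", 443, 11_500),
    Flow("10.0.1.5", "198.51.100.23", 443, 250_000),
    Flow("10.0.1.5", "198.51.100.23", 443, 180_000),
    Flow("10.0.1.5", "10.0.2.9", 161, 900),
    Flow("10.0.5.20", "198.51.100.23", 443, 3_000),  # not a watched host
]

WATCHED_HOSTS = {"10.0.1.5"}  # assumed: the monitoring/management server


def run_example():
    baseline = build_baseline(LEARNING_FLOWS)
    return detect_new_egress(
        DETECTION_FLOWS, baseline, WATCHED_HOSTS, min_total_bytes=100_000
    )


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The point of the design is that the baseline and the check live outside the tool being watched: the flow records come from a router, firewall or packet tap, not from the management platform's own agent, so a compromised platform cannot silence the alert about its own traffic. The byte threshold is the knob for the "insurance-level event" trade-off the column describes; set it low for a server that should never talk to anything new, higher for hosts with noisier egress.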

Much was made of the security impacts of the FireEye breach. In reality, Russia already has tools commensurate to those taken from FireEye. So while pundits might like to make a big story out of the tools themselves, this is not likely to be reminiscent of other leaks, such as those of NSA tools in 2017.

The exploits released from the NSA were remarkable and immediately useful for adversaries to use, and those exploits were responsible for the temporarily increased risk the industry experienced after the Shadow Brokers hack; it wasn’t the rootkits and malware (which were what was stolen at FireEye). In the FireEye case, since it appears there were no zero-days or exploits taken, I don’t expect that breach to cause significant shockwaves.

Breaches of this magnitude are going to happen. If they’re something your organization needs to be resilient against, then it’s best to be prepared for them.