Malware caught using a macOS zero-day to secretly take screenshots

Almost exactly a month ago, researchers revealed a notorious malware family was exploiting a never-before-seen vulnerability that let it bypass macOS security defenses and run unimpeded. Now, some of the same researchers say another malware can sneak onto macOS systems, thanks to another vulnerability.

Jamf says it found evidence that the XCSSET malware was exploiting a vulnerability that allowed it access to parts of macOS that require permission — such as accessing the microphone, webcam or recording the screen — without ever getting consent.

XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically their Xcode projects that they use to code and build apps. By infecting those app development projects, developers unwittingly distribute the malware to their users, in what Trend Micro researchers described as a “supply-chain-like attack.” The malware is under continued development, with more recent variants also targeting Macs running the newer M1 chip.

Once the malware is running on a victim’s computer, it uses two zero-days — one to steal cookies from the Safari browser to get access to a victim’s online accounts, and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website.

But Jamf says the malware was exploiting a previously undiscovered third zero-day in order to secretly take screenshots of the victim’s screen.

macOS is supposed to ask the user for permission before it allows any app — malicious or otherwise — to record the screen, access the microphone or webcam, or open the user’s storage. But the malware sidestepped that permissions prompt, slipping in under the radar by injecting malicious code into legitimate apps.

Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in a blog post, shared with TechCrunch, that the malware searches for other apps on the victim’s computer that are frequently granted screen-sharing permissions, like Zoom, WhatsApp and Slack, and injects malicious screen recording code into those apps. This allows the malicious code to “piggyback” the legitimate app and inherit its permissions across macOS. Then, the malware signs the new app bundle with a new certificate to avoid getting flagged by macOS’ built-in security defenses.

The researchers said that the malware used the permissions prompt bypass “specifically for the purpose of taking screenshots of the user’s desktop,” but warned that it was not limited to screen recording. In other words, the bug could have been used to access the victim’s microphone, webcam or capture their keystrokes, such as passwords or credit card numbers.
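One defensive check that follows from the technique described above is to list which apps currently hold Screen Recording consent and confirm that each one still carries a valid signature from the publisher you expect, since a bundle that has been injected into and re-signed will either fail verification or show a different signing authority. The script below is an added example, not code from Jamf or the original article; it assumes the macOS 11 TCC database layout (table `access`, column `auth_value`, service `kTCCServiceScreenCapture`), that the terminal has Full Disk Access to read that database, and that `mdfind` and `codesign` are available. The `audit()` logic takes its lookups as parameters so it can also run on constructed sample data without macOS.

```python
"""Audit macOS Screen Recording grants against code-signature state (added example)."""
import os
import sqlite3
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")
SCREEN_CAPTURE = "kTCCServiceScreenCapture"
AUTH_ALLOWED = 2                        # auth_value meaning "allowed" (macOS 11 schema, assumed)
CLIENT_TYPE_BUNDLE_ID, CLIENT_TYPE_PATH = 0, 1

Grant = Tuple[str, int]                 # (client, client_type) as stored in TCC.db


def load_screen_capture_grants(db_path: str = TCC_DB) -> List[Grant]:
    """Rows from the user TCC database that currently hold screen capture consent."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return con.execute(
            "SELECT client, client_type FROM access WHERE service = ? AND auth_value = ?",
            (SCREEN_CAPTURE, AUTH_ALLOWED)).fetchall()
    finally:
        con.close()


def resolve_bundle_path(bundle_id: str) -> Optional[str]:
    """Locate an installed .app by bundle identifier via Spotlight (mdfind)."""
    r = subprocess.run(["mdfind", f"kMDItemCFBundleIdentifier == '{bundle_id}'"],
                       capture_output=True, text=True)
    hits = [line for line in r.stdout.splitlines() if line.endswith(".app")]
    return hits[0] if hits else None


def codesign_verify(path: str) -> bool:
    """True when codesign accepts the bundle signature (deep, strict)."""
    r = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                       capture_output=True, text=True)
    return r.returncode == 0


def signing_authority(path: str) -> str:
    """Leaf 'Authority=' line from `codesign -dv --verbose=4` (codesign writes it to stderr)."""
    r = subprocess.run(["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True)
    for line in r.stderr.splitlines():
        if line.startswith("Authority="):
            return line.split("=", 1)[1]
    return ""


def audit(grants: List[Grant],
          resolve: Callable[[str], Optional[str]],
          verify: Callable[[str], bool],
          authority: Callable[[str], str],
          expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (client, reason) for grants whose bundle is missing, fails verification,
    or is signed by an authority that does not contain the expected publisher string."""
    findings = []
    for client, client_type in grants:
        path = client if client_type == CLIENT_TYPE_PATH else resolve(client)
        if path is None:
            findings.append((client, "bundle not found on disk"))
            continue
        if not verify(path):
            findings.append((client, "codesign verification failed"))
            continue
        auth = authority(path)
        want = expected.get(client)
        if want and want not in auth:
            findings.append((client, f"unexpected signing authority: {auth!r}"))
    return findings


def demo_audit() -> List[Tuple[str, str]]:
    """Run audit() over constructed grants with stubbed codesign results (no macOS needed)."""
    # Constructed sample rows: two bundle-id clients and one path-keyed client.
    grants = [("us.zoom.xos", CLIENT_TYPE_BUNDLE_ID),
              ("com.tinyspeck.slackmacgap", CLIENT_TYPE_BUNDLE_ID),
              ("/Applications/Tampered.app", CLIENT_TYPE_PATH)]
    paths = {"us.zoom.xos": "/Applications/zoom.us.app",
             "com.tinyspeck.slackmacgap": "/Applications/Slack.app"}
    # Constructed outcomes: Slack re-signed by an unknown identity, Tampered.app fails verification.
    authorities = {"/Applications/zoom.us.app": "Developer ID Application: Zoom Video Communications, Inc.",
                   "/Applications/Slack.app": "Developer ID Application: Unknown Publisher (CONSTRUCTED)"}
    expected = {"us.zoom.xos": "Zoom Video Communications",
                "com.tinyspeck.slackmacgap": "Slack Technologies"}
    return audit(grants, paths.get, lambda p: p != "/Applications/Tampered.app",
                 lambda p: authorities.get(p, ""), expected)


if __name__ == "__main__":
    # Live run on a Mac; EXPECTED_PUBLISHERS is a placeholder you fill from your own inventory.
    EXPECTED_PUBLISHERS: Dict[str, str] = {}
    for client, reason in audit(load_screen_capture_grants(), resolve_bundle_path,
                                codesign_verify, signing_authority, EXPECTED_PUBLISHERS):
        print(f"{client}: {reason}")
```

Because the check only compares the signing authority, an attacker-signed bundle with a stolen but legitimate publisher certificate would pass it; treat the audit as a triage list, not a verdict.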

It’s not clear how many Macs the malware was able to infect using this technique. But Apple confirmed to TechCrunch that it fixed the bug in macOS 11.4, which was made available as an update today.

Deep Science: Robots, meet world

Research papers come out far too frequently for anyone to read them all. That’s especially true in the field of machine learning, which now affects (and produces papers in) practically every industry and company. This column aims to collect some of the most relevant recent discoveries and papers — particularly in, but not limited to, artificial intelligence — and explain why they matter.

This edition, we have a lot of items concerned with the interface between AI or robotics and the real world. Of course most work of this type has real-world applications, but this research specifically concerns the inevitable difficulties that arise from limitations on either side of the real-virtual divide.

One issue that constantly comes up in robotics is how slow things actually go in the real world. Naturally some robots trained on certain tasks can do them with superhuman speed and agility, but for most that’s not the case. They need to check their observations against their virtual model of the world so frequently that tasks like picking up an item and putting it down can take minutes.

What’s especially frustrating about this is that the real world is the best place to train robots, since ultimately they’ll be operating in it. One approach to addressing this is by increasing the value of every hour of real-world testing you do, which is the goal of this project over at Google.

In a rather technical blog post the team describes the challenge of using and integrating data from multiple robots learning and performing multiple tasks. It’s complicated, but they talk about creating a unified process for assigning and evaluating tasks, and adjusting future assignments and evaluations based on that. More intuitively, they create a process by which success at task A improves the robots’ ability to do task B, even if they’re different.

Humans do it — knowing how to throw a ball well gives you a head start on throwing a dart, for instance. Making the most of valuable real-world training is important, and this shows there’s lots more optimization to do there.

Another approach is to improve the quality of simulations so they’re closer to what a robot will encounter when it takes its knowledge to the real world. That’s the goal of the Allen Institute for AI’s THOR training environment and its newest denizen, ManipulaTHOR.

Image: a robot navigating a virtual environment and moving items around. Image Credits: Allen Institute

Simulators like THOR provide an analogue to the real world where an AI can learn basic knowledge like how to navigate a room to find a specific object — a surprisingly difficult task! Simulators balance the need for realism with the computational cost of providing it, and the result is a system where a robot agent can spend thousands of virtual “hours” trying things over and over with no need to plug them in, oil their joints and so on.

New Instagram Insights make its TikTok competitor Reels more appealing

Over the last year, Instagram has added a slew of features to help independent creators make a living, like Instagram Shop and Shopping in Reels. Today, Instagram launched new Insights for Reels and Live on its Professional Dashboard, giving businesses and creators essential data about the reach of their content. These tools will help Reels catch up with its competitor TikTok, which already offers users detailed analytics. As Instagram and TikTok continue trying to keep up with one another, it can only be a good thing for influencers and small businesses that use these platforms to bolster their income. 

Previously, Instagram creators could only view publicly available metrics, like the views, likes or comments on a Reel. Now, they will be able to access data like Accounts Reached, Saves and Shares for their Reels. Instagram will also share the number of Peak Concurrent Viewers that tune in to watch their Live videos. Plus, in the Account Insights section of the app, Instagram will add breakdowns that show users what kinds of accounts they are reaching, and which content formats are generating their strongest engagement. 

For entrepreneurs and content creators whose businesses run on social commerce, these analytics might not change the game, but they certainly make it easier to play. Shopping in Reels makes in-app sales more convenient, but until now, scant data was available to help businesses tailor their Reels to reach potential customers. On the other hand, TikTok’s analytics have long provided creators with data on their videos’ average watch time, types of traffic sources and performance by geographic location. The viral video app announced earlier this month that it would work with specific brands, like the streetwear label Hype, to test in-app sales. This would deepen its competition with Instagram, but it’s still unclear when the feature will be widely available. So, Instagram’s Insights, combined with established in-app shopping, can create a perfect storm for content creators to better reach and monetize their target audiences.

“I always thought it was weird that there were no Insights for Reels. Sometimes it feels like shooting in the dark,” Quinn Jones told TechCrunch. Jones is one of the owners of KIKAY, a handmade jewelry business based in Los Angeles. With more than 90,000 followers across Instagram and TikTok, the Gen Z creators rely on social media to expand their audience and increase their sales. Though KIKAY has gone viral on TikTok, Jones said that Instagram has been the best way for the small business to gain followers.

“Insights are definitely going to be useful going forward,” said Jones. “It’s currently hard to tell the actual effective reach your videos have, and seeing Insights means more feedback to help improve content.”

For influencers, these analytics are also helpful for collaborating with brands on sponsored content. 

“I’ve been wanting Insights for Reels for the longest time. All we know now is views, likes and comments,” said Cara Cochran, an LGBTQ+ content creator and microinfluencer. She notes that brands have already been pushing creators to make videos on Reels ever since Instagram redesigned its interface to place the short videos front-and-center. 

“Now that they are rolling out analytics, I think we will see a lot of brands push for more and more Reels instead of just static posts,” she says. “I think it brings their products to life in a whole new way, and it almost works like a commercial for them instead of just a static ad.” 

Instagram will begin rolling out Insights today. The company also says that over the coming months, it will add tools to help creators measure engagement over a preset time frame and begin to support Insights on desktop. 


Apple just dropped a whole bunch of OS updates and WWDC info

How’s your Monday going? If you’re Apple, the answer is probably somewhere between “very busy” and “gaaaaaaah.” The company just dropped a whole bunch of new OS updates today, including iOS, macOS, watchOS and tvOS, all ahead of the upcoming Worldwide Developers Conference, which kicks off (virtually) on June 7.

Indeed, iOS and iPadOS are the headliners here — if for no other reason than the fact that they’ll impact the most devices. The public release of iOS/iPadOS 14.6 brings a couple of biggish features, including the addition of paid podcast subscriptions and Apple Card Family, both announced at a recent hardware event.

The former allows podcasters to charge for subscriptions to their show (imagine that!), with Apple taking a 30% commission for the first year. That will halve in a year. The latter, meanwhile, makes it possible for Apple Card owners to effectively split a card, with the various responsibilities that entails.

CEO Tim Cook noted at the time of announcement:

One of the things that became apparent to us in the beginning [of launching Apple Card] was a lack of fairness in the way the industry calculated credit scores when there were two holders of a credit card. One of you got the benefit of building a good credit history, and the other did not. We want to reinvent the way this works.

MacOS 11.4 brings support for additional graphics cards, a number of bug fixes and, like the new iOS, support for paid podcast subs. Ditto that last part and Apple Card Family for the new watchOS 7.5, along with support for additional health features in Malaysia and Peru, as well as expense tracking for the Apple Card. TVOS/HomePod 14.6, meanwhile, are getting bug fixes and some color balance changes for the former.

Along with all of this, the company also announced the slate of programming for this year’s virtual WWDC. Things will kick off on June 7 at 10 a.m. PT with the keynote. That’s where the big news on the latest version of all of the above will be announced — and, hopefully, some hardware, as well. At 2 p.m. the company will be offering more information with its annual Platforms State of the Union.

The full schedule is available here.

This crypto monitoring startup — ‘We’re bomb-sniffing dogs’ — just raised Series A funding

Solidus Labs, a company that says its surveillance and risk-monitoring software can detect manipulation across cryptocurrency trading platforms, is today announcing $20 million in Series A funding. It’s pretty great timing, given the various signals coming from the U.S. government just last week that it’s intent on improving its crypto monitoring efforts — such as the U.S. Treasury’s call for stricter cryptocurrency compliance with the IRS.

Of course, Solidus didn’t spring into existence last week. Rather, Solidus was founded in 2017 by several former Goldman Sachs employees who worked on the firm’s electronic trading desk for equities. At the time, Bitcoin was only becoming buzzier, but while the engineers anticipated different use cases for the cryptocurrency, they also recognized that a lack of compliance tools would be a barrier to its adoption by bigger financial institutions, so they left to build some.

Fast forward and Solidus today employs 30 people, has raised $23.75 million, and is in the process of doubling its head count to address growing demand. On Friday, we talked with Solidus’s New York-based co-founder and CEO Asaf Meir — one of those former Goldman engineers — about the company’s new round, which was led by Equity Partners and included Hanaco Ventures, Avon Ventures, 645 Ventures, the exchange FTX, and a few government officials, including former CFTC chair Chris Giancarlo and former SEC commissioner Troy Paredes. We also talked about the kinds of crypto crimes that are on the rise. Excerpts from that chat follow, edited lightly for length.

TC: Who are your customers?

AM: We work with exchanges, broker dealers, OTC desks, liquidity providers and regulators — anyone who is exposed to the risk of buying and selling cryptocurrencies, crypto assets or digital assets, whatever you want to call them.

TC: What are you promising to uncover for them?

AM: What we detect, largely speaking, is volume and price manipulation, and that has to do with wash trading, spoofing, layering, pump and dumps and an additional growing library of crypto-native alerts that truly only exist in our unique market.

We had a 400% increase in inbound demand over 2020 driven largely by two factors, I think. One is regulatory scrutiny. Globally, regulators have gone off to market participants, letting them know that they have to ask for permission, not forgiveness. The second reason — which I like better — is the drastic institutional increase in appetite toward exposure for this asset class. Every institution, the first question they ask any executing platform is: ‘What are your risk mitigation tools? How do you make sure there is market integrity?’

TC: We talked a couple of months ago, and you mentioned having a growing pipeline of customers, like the trading platform Bittrex in Seattle. Is demand coming primarily from the U.S.?

AM: We have demand in Asia and in Europe, as well, so we will be opening offices there, too.

TC: Is your former employer Goldman a customer?

AM: I can’t comment on that, but I would say there isn’t a bank right now that isn’t thinking about how they’re going to get exposure to crypto assets, and in order to do that in a safe, compliant and robust way, they have to employ crypto-specific solutions.

Right now, there’s the new frontier — the clients we’re currently working with, which are these crypto-pure exchanges, broker dealers, liquidity providers and even traditional financial institutions that are coming into crypto and opening a crypto operation or a crypto desk. Then there’s the new new frontier; your NFTs, stablecoins, indexes, lending platforms, decentralized protocols and God knows what [else] all of a sudden reaching out to us, telling us they want to do the right thing, to ensure the users on their platform are well-protected, and that trading activities are audited, and [to enlist us] to prevent any manipulation.

TC: How does your subscription service work and who is building the tech?

AM: We consume private data from our clients — all their training data — and we then put it in our detection models, which we ultimately surface through insights and alerts on our dashboard, which they have access to.

As for who is building it, we have a lot of fintech engineers who are coming from Goldman and Morgan Stanley and Citi and bringing that traditional knowledge of large trading systems at scale; we also have incredible data scientists out of Israel whose expertise is in anomaly detection, which they are applying to financial crime, working with us.

TC: What do these crimes look like?

AM: When we started out, there was much more wholesale manipulation happening whether through wash trading or pump and dumps — things that are more easy to perform. What we’re seeing today are extremely sophisticated manipulation schemes where bad actors are able to exploit different executing platforms. We’re quite literally surfacing new alerts that if you were to use a legacy, rule-based system you wouldn’t be able to [surface] because you’re not really sure what you’re looking for. We oftentimes have an alert that we haven’t named yet; we just know that this type of behavior is considered manipulative in nature and that our client should be looking into it.

TC: Can you elaborate a bit more about these new anomalies?

AM: I’m conflicted about how much can we share of our clients’ private data. But one thing we’re seeing is [a surge in] account extraction attacks, which is when through different ways, bad actors are able to gain access to an account’s funds and are able in a sophisticated way to trade out of the exchange or broker dealer or custodian. That’s happening in different social engineering-related ways, but we’re able, through account deviation and account profiling, to alert the exchange or broker dealer or financial institution we’re working with to avoid that.

We’re about detection and prevention, not about tracing [what went wrong and where] after the fact. And we can do that regardless of knowing even personal identifiable information about that account. It’s not about the name or the IP address; it’s all about the attributes of trading. In fact, if we have an exchange in Hong Kong that’s experiencing a pump and dump on a certain coin pair, we can preemptively warn the rest of our client base so they can take steps to prepare and protect themselves.

TC: On the prevention front, could you also stop that activity on the Hong Kong exchange? Are you empowered by your clients to step in if you detect something anomalous?

AM: We’re bomb-sniffing dogs, so we’re not coming to disable the bot. We know how to take the data and point out manipulation, but it’s then up to the financial institution to handle the case.

Pictured above: Seated, left to right, are CTO Praveen Kumar and CEO Asaf Meir. Standing is COO Chen Arad.

When to walk away from a VC who wants to invest in your startup

Ofri Ben-Porat
Contributor

Ofri Ben-Porat is the co-founder and CEO of Edgify, which focuses on federated learning frameworks and democratized training.

Venture capitalists add value in a number of ways. For example, one of my business’ backers has a deep tech “pod” that generates events and content we are always welcomed to be a part of. Another one of our investors gives us full commercial support through its network of mentors that are there to support the business, not the VC.

Due diligence works both ways, and entrepreneurs shouldn’t be in a rush to take investment from anyone that offers it.

I might not expect that from every VC, but if they promise those “assets” by saying that they are here to drive innovation and growth, then I expect them to deliver, just as I have to back up the claim of having a team of supersmart machine learning researchers.

They might know the forks in the road, directions to take, and who to speak to based on having been through the process with similar companies. They might have venture partners that can mentor you and a network of investors that can participate in follow-on rounds. That is where they add value.

The best ones will seek to connect with you personally. They’ll have prepared thoroughly beforehand and are brimming with questions. While they may have preconceived and potentially ill-informed ideas, they demonstrate enthusiasm by starting sentences with “what if,” and they leave me emboldened but contemplative. I fully expect to be provoked in the right way.

However, some also play God. One experience offered up a major warning sign, one that would make me walk on by.

I’m pleased to say my business has some outstanding investors who totally get it. Our investors’ head of investment told representatives at one of New York’s top funds that one of their leading deep tech portfolio companies was coming to town for a “blitz meeting session.” They announced that they were committing to the round I was raising and that we were looking for a new lead investor.

So, put it this way: I wasn’t a guy who walked off the street with a crazy idea, but you might have thought otherwise, given the experience that followed. To be clear, I don’t expect all VCs to open their arms and embrace everyone, but there are rules of engagement.

The transparency and value of DocSend

After a very positive morning meeting, I’d scheduled a couple of hours for a quick chance to grab a breather at my hotel. Flicking through my phone, an email from the associate at the VC I was due to meet next pinged into my inbox.

“Hey Ofri, it’s Jessica [not her real name], really sorry, I’m not feeling great so am thinking I might cut the day short. I know you’re only in New York the next two days, so let’s catch up later on a call and next time you’re over I’m sure we can revisit.”

I started composing a polite response: “Really sorry to hear that. Absolutely fine to reschedule. Let me know your availability, etc., etc.” In truth, I was irritated — this had been in the diary for two months and was one of six meetings scheduled. I was not sorry; I was annoyed.

Lyft, Uber kick off free COVID-19 vaccine rides program

Uber and Lyft have officially started to offer free rides to anyone traveling to get a COVID-19 vaccine, two weeks after the ride-hailing companies announced an agreement with the White House to offer the program.

The free rides will last through July 4, the date when President Joe Biden wants 70% of U.S. adults to be vaccinated. Lyft and Uber have previously told TechCrunch the companies will cover the costs of the rides. The White House advised on the development and launch of the product. The White House also shared data on the more than 80,000 vaccination sites in the country, an Uber spokesperson told TechCrunch.

Uber is giving riders four one-way rides, up to $25 off each. The two round trips must be three weeks apart and taken between Monday and July 4, Uber said in a blog post. Riders can access the program by opening the Uber app and tapping “vaccine” and then “get your free ride.” The free rides are offered between 6 a.m. and 8 p.m. Riders must enter the ZIP code of their appointment to find the location they are going to or coming from. The rider then selects the provider location and the ride option.

Image: Lyft vaccine rides GIF. Image Credits: Lyft

Lyft is offering two round-trip rides, up to $15 per trip. Lyft said if either ride costs more than $15, or if the rider tips their driver, those additional charges will hit their personal form of payment. Lyft is also requiring that these free rides be three weeks apart.

The vaccine access program follows efforts by both companies to provide free and discounted rides to underserved communities as well as roll out features to make it easier to access vaccine information and point-of-distribution sites. Uber first rolled out a COVID-relief program in March to offer free rides and deliveries. In December, the company said it would give an additional 10 million free or discounted rides.

Uber announced in April that it was launching more than a half-dozen new features, including one that will let users book vaccine appointments at Walgreens and reserve a ride to get their jab.

Lyft kicked off in December a universal vaccine access campaign, a coalition of partners that includes JPMorgan Chase, Anthem and United Way, to provide 60 million rides to and from vaccination sites for low-income, uninsured and at-risk communities.

Only 3 startup demo booths left at TC Sessions: Mobility 2021

Listen up mobility mavericks. TC Sessions: Mobility 2021 is right around the corner of your calendar (June 9). If you want to place your ground-breaking, edge-cutting, envelope-pushing (no extra charge for clichés) early-stage startup in front of the world’s leading mobility movers, shakers and makers you gotta hustle. You have just one week left to buy one of our remaining three Startup Exhibitor Packages.

Here’s what the $380 package includes, plus a few suggestions on ways to take full advantage of the virtual platform’s capabilities and boost the opportunity factor. Note: Exhibitors must be pre-Series A, early-stage startups in the mobility field.

  • Virtual booth space
  • Lead generation
  • 4 conference passes
  • Full event access
  • Videos on-demand
  • Breakout sessions
  • Networking with CrunchMatch

Hopin, our virtual platform, lets you tap into your creativity. Include a product walk-through video — complete with links to your website and social media accounts — at your virtual booth. But get this. Your booth also includes live stream capability. Make the most of that opportunity. Share your screen, host a live demo or a product tutorial and moderate the chat area.

Maybe you’d like to host and live stream your own Q&A session. Go for it. Or why not establish yourself as a subject matter expert? Choose your topic and combine your virtual booth and CrunchMatch, our AI-powered networking platform, to send invitations to the people you want to impress and get the conversation started. And of course, you can always schedule 1:1 video calls.

Since you’ll have four event passes, you and your team can tend to booth business and take in a range of presentations. Here are just two examples of what’s in store. Check out the event agenda and plan your schedule now.

Supercharging Self-Driving Super Vision: Few startups were as prescient as Scale AI when it came to anticipating the need for massive sets of tagged data for use in AI. Co-founder and CEO Alex Wang also made a great bet on addressing the needs of lidar sensing companies early on, which has made the company instrumental in deploying AV networks. We’ll hear about what it takes to make sense of sensor data in driverless cars and look at where the industry is headed.

AVs: Past, Present and Future: TechCrunch Mobility will talk to two pioneers, and competitors, who are leading the charge to commercialize autonomous vehicles. Karl Iagnemma, president of the $4 billion Hyundai-Aptiv joint venture known as Motional, and Chris Urmson, the co-founder and CEO of Aurora, will discuss — and maybe even debate — the best approach to AV development and deployment, swap stories of the earliest days of the industry and provide a few forecasts of what’s to come.

TC Sessions: Mobility 2021 takes place on June 9, but you have just one week left to reserve your virtual demo booth. Grab this opportunity and get your startup in front of the industry’s top movers and makers.

Is your company interested in sponsoring or exhibiting at TC Sessions: Mobility 2021? Contact our sponsorship sales team by filling out this form.

Future Family raises $9M to make fertility treatments more accessible and expand its clinic network

Future Family, a company we’ve written about a few times over the years, makes fertility treatments more accessible. They pre-negotiate terms with fertility clinics to ensure there are no surprise fees, convert the often substantial upfront costs into a monthly payment plan and give each user a dedicated Fertility Coach to help them navigate their journey.

This morning the company is announcing that it has raised a $9 million round of funding as it expands the network of clinics it works with.

The company last raised $10 million in a Series A back in 2018, and they’re positioning this round as an extension of that — a “Series A-1”, as they’re calling it — rather than a whole new round.

As I’ve written before, Future Family was inspired by founder Claire Tomkins’ own experiences:

Future Family was born out of Claire Tomkins’ own experiences with the complexities and costs of fertility treatments. After spending hundreds of thousands of dollars on treatments involved with having her first child (with much of the cost coming as a surprise only revealed once the process had begun), Claire set out to build a better way. Future Family partners with clinics to work out all the pricing ahead of time and pays the bill upfront, ensuring there are no billing surprises down the road.

Image Credits: Claire Tomkins, Future Family

Claire tells me that, as it did for just about everyone, 2020 brought a whole new set of challenges for the company. In the early days of the pandemic, as a million questions about COVID-19 emerged, many fertility clinics closed their doors. And even as the clinics began reopening, with little certainty about where things might be in nine months, many patients understandably held off.

“It was definitely a tough year,” she says, “but I think we’re emerging in a good place.”

2021 is already looking like a different story, Claire tells me. “People had to sit on the sidelines,” she says. “People who have wanted to go forward with treatment, and now have waited 12 or more months… it’s gotten very busy.” According to their numbers, Claire expects the second half of 2021 to hit “record levels of activity.”

To help with the sudden spike in demand, the company is adding more fertility clinics to its network, including CCRM — a fertility group with locations in Minneapolis, Houston, Denver, San Francisco and a number of other major metros.

Tesla faces $163M payout to drivers in Norway following court decision

A Norwegian conciliation council has ordered Tesla to pay thousands of dollars each to Model S owners after it found that a software update led to longer charging times, the Norwegian newspaper Nettavisen reported Monday. Drivers eligible for compensation under the ruling will receive 136,000 kroner ($16,000) each.

Thirty Tesla drivers brought a complaint to the conciliation council in December 2020, citing that charging times slowed down after a software update the previous year. The poorer performance affected Tesla Model S vehicles manufactured between 2013 and 2015.

Tesla sold about 10,000 Model S vehicles during that time frame in Norway. That means Tesla faces an overall payout of up to 1.36 billion kroner ($163 million), Nettavisen said.

Tesla did not respond to the complaint prior to the judgement being issued and it has until May 30 to pay the fine. The company has the opportunity to appeal the ruling to the Oslo Conciliation Board by June 17.

This is not the first time Tesla has faced complaints on charging speeds in court. A Tesla owner in 2019 filed a lawsuit against the EV manufacturer in the Northern California federal court alleging fraud and decreased battery range following a software update.

Norway leads Europe in the number of EVs on the road, with battery electric vehicles accounting for 54% of all new vehicle sales in 2020, according to the Norwegian Road Federation. Audi e-trons were the most popular vehicle sold, followed by the Model 3.