
Samsung Galaxy XR Is the First Android XR Headset

Slashdot
Author: BeauHD
Samsung has officially launched the Galaxy XR, the first Android headset powered by Google's new Android XR platform. Priced at $1,800 without controllers, the device features dual 4.3K Micro-OLED displays, a Snapdragon XR2+ Gen 2 chip, extensive camera tracking, and deep Gemini AI integration. Ars Technica reports: Galaxy XR is a fully enclosed headset with passthrough video. It looks similar to the Apple Vision Pro, right down to the battery pack at the end of a cable. It packs solid hardware, including 16GB of RAM, 256GB of storage, and a Snapdragon XR2+ Gen 2 processor. That's a slightly newer version of the chip powering Meta's Quest 3 headset, featuring six CPU cores and an Adreno GPU that supports up to dual 4.3K displays. The new headset has a pair of 3,552 x 3,840 Micro-OLED displays with a 109-degree field of view. That's marginally more pixels than the Vision Pro and almost three times as many as the Quest 3. The displays can refresh at up to 90Hz, but the default is 72Hz to save power. Like other XR (extended reality) devices, the Galaxy XR is covered with cameras. There are two 6.5 MP stereoscopic cameras that stream your surroundings to the high-quality screens, allowing the software to add virtual elements on top. There are six more outward-facing cameras for headset positioning and hand tracking. Four more cameras are on the inside for eye-tracking, and they can scan your iris for secure unlocking and password fill (in select apps). Samsung says the Galaxy XR has enough juice for two hours of general use or two and a half hours of video. That's not terribly long, but you may not want to wear the 545 grams (1.2 pounds) headset for even two hours. That's even a little heavier than the Quest 3, which has an integrated battery. However, both pale in comparison to the 800 g (1.7 pounds) second-generation Vision Pro.

Read more of this story at Slashdot.


Android 'Pixnapping' Attack Can Capture App Data Like 2FA Codes

Slashdot
Author: BeauHD
An anonymous reader quotes a report from The Register: Security researchers have resurrected a 12-year-old data-stealing attack on web browsers to pilfer sensitive info from Android devices. The attack, dubbed Pixnapping, has yet to be mitigated. Conceptually, it's the equivalent of a malicious Android app being able to screenshot other apps or websites. It allows a malicious Android application to access and leak information displayed in other Android apps or on websites. It can, for example, steal data displayed in apps like Google Maps, Signal, and Venmo, as well as from websites like Gmail (mail.google.com). It can even steal 2FA codes from Google Authenticator. "First, the malicious app opens the target app (e.g., Google Authenticator), submitting its pixels for rendering," explained [Alan Wang, a PhD candidate at UC Berkeley]. "Second, the malicious app picks the coordinates of a target pixel whose color it wants to steal. Suppose for example it wants to steal a pixel that is part of the screen region where a 2FA character is known to be rendered by Google Authenticator, and that this pixel is either white (if nothing was rendered there) or non-white (if part of a 2FA digit was rendered there). Third, the malicious app causes some graphical operations whose rendering time is long if the target pixel is non-white and short if it is white. The malicious app does this by opening some malicious activities (i.e., windows) in front of the target app. Finally, the malicious app measures the rendering time per frame of the above graphical operations to determine whether the target pixel was white or non-white. These last few steps are repeated for as many pixels as needed to run OCR over the recovered pixels and guess the original content." The researchers have demonstrated Pixnapping on five devices running Android versions 13 to 16 (up until build id BP3A.250905.014): Google Pixel 6, Google Pixel 7, Google Pixel 8, Google Pixel 9, and Samsung Galaxy S25. 
Android 16 is the latest operating system version. Other Android devices have not been tested, but the mechanism that allows the attack to work is typically available. A malicious Android app implementing Pixnapping would not require any special permissions in its manifest file, the authors say. The researchers detail the attack in a paper (PDF) titled "Pixnapping: Bringing Pixel Stealing out of the Stone Age."


Google Confirms Android Dev Verification Will Have Free and Paid Tiers, No Public List of Devs

Slashdot
Author: BeauHD
An anonymous reader quotes a report from Ars Technica: As we careen toward a future in which Google has final say over what apps you can run, the company has sought to assuage the community's fears with a blog post and a casual "backstage" video. Google has said again and again since announcing the change that sideloading isn't going anywhere, but it's definitely not going to be as easy. The new information confirms app installs will be more reliant on the cloud, and devs can expect new fees, but there will be an escape hatch for hobbyists. Confirming app verification status will be the job of a new system component called the Android Developer Verifier, which will be rolled out to devices in the next major release of Android 16. Google explains that phones must ensure each app has a package name and signing keys that have been registered with Google at the time of installation. This process may break the popular FOSS storefront F-Droid. It would be impossible for your phone to carry a database of all verified apps, so this process may require Internet access. Google plans to have a local cache of the most common sideloaded apps on devices, but for anything else, an Internet connection is required. Google suggests alternative app stores will be able to use a pre-auth token to bypass network calls, but it's still deciding how that will work. The financial arrangement has been murky since the initial announcement, but it's getting clearer. Even though Google's largely automated verification process has been described as simple, it's still going to cost developers money. The verification process will mirror the current Google Play registration fee of $25, which Google claims will go to cover administrative costs. So anyone wishing to distribute an app on Android outside of Google's ecosystem has to pay Google to do so. What if you don't need to distribute apps widely? This is the one piece of good news as developer verification takes shape. 
Google will let hobbyists and students sign up with only an email for a lesser tier of verification. This won't cost anything, but there will be an unclear limit on how many times these apps can be installed. The team in the video strongly encourages everyone to go through the full verification process (and pay Google for the privilege). We've asked Google for more specifics here.


Open Source Android Repository F-Droid Says Google's New Rules Will Shut It Down

Slashdot
Author: msmash
F-Droid has warned that Google's upcoming developer verification program will kill the free and open source app repository. Google announced plans several weeks ago to force all Android app developers to register their apps and identity with the company. Apps not validated by Google will not be installable on certified Android devices. F-Droid says it cannot require developers to register with Google or take over app identifiers to register for them. The site operators say doing so would effectively take over distribution rights from app authors. Google plans to begin testing the verification scheme in the coming weeks and may charge registration fees. Unverified apps will start being blocked next year in Brazil, Indonesia, Singapore, and Thailand before expanding globally in 2027. F-Droid is calling on US and EU regulators to intervene.


Qualcomm CEO Says He's Seen Google's Android-ChromeOS Merger, Calls It 'Incredible'

Slashdot
Author: msmash
Qualcomm CEO Cristiano Amon told attendees at yesterday's Snapdragon Summit opening keynote that he has seen Google's merged Android-ChromeOS platform for PCs. Speaking alongside Google's head of platforms and devices Rick Osterloh, Amon said the software "delivers on the vision of convergence of mobile and PC" and that he "can't wait to have one." Osterloh confirmed Google is building a common technical foundation for PCs and desktop computing systems that combines Android and ChromeOS. The platform will include Gemini, the full Android AI stack, all Google applications and the Android developer community. "I've seen it, it is incredible," replied Amon excitedly. "It delivers on the vision of convergence of mobile and PC. I can't wait to have one."


Boffins Build Automated Android Bug Hunting System

Slashdot
Author: BeauHD
Researchers from Nanjing University and the University of Sydney developed an AI-powered bug-hunting agent that mimics human vulnerability discovery, validating flaws with proof-of-concept exploits. The Register reports: Ziyue Wang (Nanjing) and Liyi Zhou (Sydney) have expanded upon prior work dubbed A1, an AI agent that can develop exploits for cryptocurrency smart contracts, with A2, an AI agent capable of vulnerability discovery and validation in Android apps. They describe A2 in a preprint paper titled "Agentic Discovery and Validation of Android App Vulnerabilities." The authors claim that the A2 system achieves 78.3 percent coverage on the Ghera benchmark, surpassing static analyzers like APKHunt (30.0 percent). And they say that, when they used A2 on 169 production APKs, they found "104 true-positive zero-day vulnerabilities," 57 of which were self-validated via automatically generated proof-of-concept (PoC) exploits. One of these included a medium-severity flaw in an Android app with over 10 million installs.


Google's Latest Pixel Drop Brings the Material 3 Expressive UI To Older Devices

Slashdot
Author: BeauHD
Google's September Pixel drop brings the new Material 3 Expressive UI, AI-powered Gboard writing tools, and Bluetooth Auracast upgrades to older Pixel devices, including the Pixel 6 and Pixel Tablet. "Among other tweaks, Google made it possible to add 'Live Effects,' including a few that cover the weather, to your phone's lock screen wallpaper," notes Engadget. "Material 3 Expressive also gives you more control over how the contact cards your phone displays when your friends and family call you look. Even if you're not one to endlessly tweak Android's appearance, as part of the redesign Google has once again reworked the Quick Settings pane in hopes of making it easier to use." On the audio front, Pixel Buds Pro 2 gain intuitive nod-and-shake gesture controls, Adaptive Audio for balanced awareness, and Loud Noise Protection to guard against sudden sound spikes. Voice clarity has also been improved with Gemini Live in noisy environments. A full breakdown of what's new can be found here.


What Every Argument About Sideloading Gets Wrong

Slashdot
Author: msmash
Developer Hugo Tunius, writing in a blog post: Sideloading has been a hot topic for the last decade. Most recently, Google has announced further restrictions on the practice in Android. Many hundreds of comment threads have discussed these changes over the years. One point in particular is always made: "I should be able to run whatever code I want on hardware I own." I agree entirely with this point, but within the context of this discussion it's moot. When Google restricts your ability to install certain applications they aren't constraining what you can do with the hardware you own, they are constraining what you can do using the software they provide with said hardware. It's through this control of the operating system that Google is exerting control, not at the hardware layer. You often don't have full access to the hardware either and building new operating systems to run on mobile hardware is impossible, or at least much harder than it should be. This is a separate, and I think more fruitful, point to make. Apple is a better case study than Google here. Apple's success with iOS partially derives from the tight integration of hardware and software. An iPhone without iOS is a very different product to what we understand an iPhone to be. Forcing Apple to change core tenets of iOS by legislative means would undermine what made the iPhone successful.


Google To Require Identity Verification for All Android App Developers by 2027

Slashdot
Author: msmash
Google will require identity verification for all Android app developers, including those distributing apps outside the Play Store, starting September 2026 in Brazil, Indonesia, Singapore, and Thailand before expanding globally through 2027. Developers must register through a new Android Developer Console beginning March 2026. The requirement applies to certified Android devices running Google Mobile Services. Google cited malware prevention as the primary motivation, noting sideloaded apps contain 50 times more malware than Play Store apps. Hobbyist and student developers will receive separate account types. Developer information submitted to Google will not be displayed to users.


Will Google's 'Battery Health Assistant' Throttle Your Pixel 10's Battery?

"Google has confirmed that its Battery Health Assistance feature can't be turned off on the Pixel 10 phones," reports Android Authority: Google introduced a Battery Health Assistance feature on the Pixel 9a earlier this year. This feature gradually drops your phone's charging speed and battery voltage in the name of battery health. This tool is mandatory on the Pixel 9a but optional on other Pixel phones. However, there's bad news for the Pixel 10 series. Google confirmed to Android Authority that Battery Health Assistance is mandatory on the Pixel 10 series and can't be disabled. That means your phone's charging speed and effective battery life will drop over time... All smartphone batteries degrade over time, resulting in shorter and shorter endurance. Google says the Pixel 8a and newer Pixel phones can withstand 1,000 charging cycles before their batteries drop down to 80% effective capacity. However, this Battery Health Assistance feature essentially reduces the phone's battery capacity over and above standard degradation. This is particularly disappointing as users aren't given a choice in the matter. It's also disappointing as some rival smartphone makers address battery health concerns by offering more durable batteries. For example, Samsung's top phones can withstand 2,000 charging cycles before dropping down to 80% effective capacity, while OnePlus and OPPO's lithium-ion batteries offer 1,600 cycles before reaching 80% capacity. So there likely wouldn't be a need for a Battery Health Assistance tool if Google's batteries had similar longevity. "The issue also comes after several older Pixel A series models suffered from major battery issues in 2025..."


Google's Next Big Android Update Can Force Dark Mode and Icon Themes

Slashdot
Author: BeauHD
Google's Android 16 QPR2 beta 1 is rolling out with new customization features, including the ability to force dark mode and icon themes on apps that don't support them. The update also adds enhanced parental controls, better data migration, PDF editing, and Bluetooth audio sharing, with a full release expected in December. The Verge reports: The beta includes a new dark theme option that will "intelligently invert the UI of apps that appear light despite users having selected the dark theme" when enabled, according to Google's announcement, forcibly making apps that don't natively support the feature to appear darker. Google says this is "largely intended as an accessibility feature" for users with low vision or photosensitivity, and will also automatically darken app splash screens and adjust status bar colors to match the darker theming. Another feature will allow users to forcibly apply themed icon colors to apps that don't natively support them. Android's icon theming currently only works if app developers have provided a monochrome version of their app icon that can be adjusted, which is annoying for users who want to apply a consistent aesthetic across their entire home page. Auto-themed app icons spare developers from adding this capability manually, removing the hassle for users to customize their phone's theme. The full list of features in the QPR2 beta 1 update can be found on the Android developers' blog.


Amazon Looks To Ditch Homegrown Software For Android in Fire Tablet Revamp

Slashdot
Author: msmash
Amazon is plotting a big change to its Fire tablet lineup following years of escalating gripes from consumers and app developers over the company's homegrown operating system. Reuters: As part of a project known internally as Kittyhawk, Amazon plans to release a higher-end tablet as soon as next year offering the Android operating system software for the first time, according to six people familiar with the matter. Since the Fire tablet's introduction in 2011, Amazon has used what is known as a "forked" version of Android with custom modifications that make it work like a unique operating system. [...] The first Amazon Android tablet, slated for next year, will be pricier than current models, the people said. One of them said Amazon had discussed a $400 price tag, nearly double the cost of its current higher-end $230 Fire Max 11 tablet. IPads, by comparison, range from $350 to $1,200. Reuters could not learn additional specifications for the planned Amazon tablet, such as screen size and speaker quality or memory capacity. Amazon historically has avoided using software or other products from third parties, preferring to develop the services in-house or, barring that, to acquire a competitor.


Google Refreshes Pixel Lineup With Tensor G5 and Qi2 Charging Across Four Models

Slashdot
Author: msmash
Google announced its Pixel 10 smartphone lineup today, introducing the Tensor G5 processor and Qi2 magnetic wireless charging across four models priced from $799 to $1,799. The base Pixel 10 adds a 5x telephoto lens for the first time at $799. The Pixel 10 Pro maintains its $999 starting price in a 6.3-inch size while the Pro XL starts at $1,199 for the 6.8-inch variant. The $1,799 Pixel 10 Pro Fold becomes the first foldable phone to achieve IP68 water and dust resistance through a redesigned gearless hinge. All models feature 3,000-nit peak brightness displays, Android 16, and Google's Material 3 Expressive interface redesign. The Tensor G5 enables on-device AI features including Magic Cue for contextual information retrieval and Camera Coach for photography guidance. Pro models gain 100x hybrid zoom capabilities through computational photography. Preorders begin today for August 28 availability, except the Pro Fold which ships October 9.


Android's pKVM Becomes First Globally Certified Software to Achieve SESIP Level 5 Security Certification

Protected KVM (pKVM), the hypervisor powering the Android Virtualization Framework, has officially achieved SESIP Level 5 certification (in testing by cybersecurity lab Dekra against the TrustCB SESIP scheme). Google's security blog called the certification "a watershed moment," and a "new benchmark" for both open-source security — and for the future of consumer electronics. "It provides a single, open-source, and exceptionally high-quality firmware base that all device manufacturers can build upon." This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar. The implications for the future of secure mobile technology are profound. With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads. This includes vital features, such as on-device AI workloads that can operate on ultra-personalized data, with the highest assurances of privacy and integrity... Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the highest level of vulnerability analysis and penetration testing under the ISO 15408 (Common Criteria) standard. A system certified to this level has been evaluated to be resistant to highly skilled, knowledgeable, well-motivated, and well-funded attackers who may have insider knowledge and access. This certification is the cornerstone of the next-generation of Android's multi-layered security strategy. Many of the TEEs (Trusted Execution Environments) used in the industry have not been formally certified or have only achieved lower levels of security assurance... Looking ahead, Android device manufacturers will be required to use isolation technology that meets this same level of security for various security operations that the device relies on. 
Protected KVM ensures that every user can benefit from a consistent, transparent, and verifiably secure foundation. "This achievement represents just one important aspect of the immense, multi-year dedication from the Linux and KVM developer communities and multiple engineering teams at Google developing pKVM and AVF," the post concludes. "We look forward to seeing the open-source community and Android ecosystem continue to build on this foundation, delivering a new era of high-assurance mobile technology for users."


Nothing's Phone 3 Is Stymied By Contentious Design and Price

Slashdot
Author: msmash
Smartphone maker Nothing's $799 Phone 3 has been "mired in controversy among the same customers who rallied behind the company's past products" since its July launch, Bloomberg reported on Wednesday. Tech enthusiasts have "lambasted the company for the phone's peculiar industrial design and what they perceive to be an unreasonable price." The Android device lacks the most performant Qualcomm processor chip found in premium Android phones and the camera performance "falls short of other handsets in this price bracket," the publication wrote in a scathing review. The phone costs $200 more than its predecessor and matches pricing with Apple's iPhone 16, Samsung's Galaxy S25, and Google's Pixel 9. Critics across Reddit and social media have attacked Nothing for removing the signature Glyph Lights from previous models. Comments on Nothing's YouTube channel have been "bruising," focusing on the phone's oddly positioned camera array. "At its current price, the handset is too expensive for what it offers," the review concludes.


Say Goodbye To Your Custom ROMs As Samsung's One UI 8 Kills Bootloader Unlock

Slashdot
Author: BeauHD
Samsung's new One UI 8 update has quietly disabled the ability to unlock the bootloader on all Galaxy devices globally, ending the custom ROM and kernel era for Android enthusiasts. While most users won't notice, the developer community sees this as a major blow to modding freedom -- one that could potentially raise regulatory concerns within the EU. SamMobile reports: A new report highlights evidence found in the Galaxy S25 One UI 8 beta builds that the bootloader unlock option has been removed. A similar change has also been confirmed on the Galaxy Z Fold 7 and Z Flip 7 which are running stable versions of One UI 8. A deep dive into the stable version's code has also confirmed that regardless of the region, the bootloader unlock option will not be available on devices running One UI 8. The enthusiast community won't like it. They won't be able to use custom ROMs to update devices when the official software support runs out or use custom kernels to extract more performance. However, with most Samsung phones now offering seven years of Android OS upgrades, one can argue that the utility of this capability is not as significant as it once was.


Android Phones Can Detect Earthquakes Before the Ground Starts Shaking

Electronic messages travel faster than seismic waves, Gizmodo points out — meaning some people near an earthquake receive an Android Earthquake Alert "before the seismic waves reach them — and even a few seconds could be just enough time to hide under a table or run outside." Richard Allen from the University of California in Berkeley's Seismological Laboratory, writes in a new study that "The global adoption of smartphone technology places sophisticated sensing and alerting capabilities in people's hands, in both the wealthy and less-wealthy portions of the planet." From Gizmodo: According to the study, 70% of the world's smartphones are Android phones, which by default come with the aforementioned sensing and alerting capabilities. From 2021 to 2024, the Android Earthquake Alert (AEA) system detected an average of 312 earthquakes per month across 98 countries. The earthquakes had a magnitude between 1.9 and 7.8, and the system alerted users of earthquakes at or over a magnitude of 4.5, averaging around 60 events and 18 million alerts per month. The AEA system also collected user feedback, revealing that 85% of users who received alerts experienced shaking, with 36% receiving the alert before, 28% during, and 23% after the shaking began... "AEA demonstrates that globally distributed smartphones can be used to detect earthquakes and issue warnings at scale with an effectiveness comparable to established national systems," the researchers wrote. The system detected 11,231 earthquakes between April of 2021 and March of 2024, according to the study, which notes that the length of the advanced warning "ranged from seconds up to a minute" for moderate shaking, and about 15 seconds for the strongest shaking.


Google Replaces Android Developer Preview With Rolling Canary Channel

Slashdot
Author: BeauHD
BrianFagioli shares a report from NERDS.xyz: Android is changing how it gives developers access to early features. The company is replacing its old Developer Preview model with a new Canary channel that provides rolling updates all year long. This new approach is meant to give developers earlier and more consistent access to experimental tools and APIs. Previously, Developer Previews had to be manually flashed onto devices. They only ran during the earliest stages of each release cycle and stopped once Android entered the beta phase. That meant promising features that were not quite ready for beta had nowhere to go and no way to collect feedback. The Canary channel solves that by running in parallel with the existing beta program and delivering over the air updates automatically.


Unless Users Take Action, Android Will Let Gemini Access Third-Party Apps

Slashdot
Author: msmash
Google is implementing a change that will enable its Gemini AI engine to interact with third-party apps, such as WhatsApp, even when users previously configured their devices to block such interactions. Ars Technica: Users who don't want their previous settings to be overridden may have to take action. An email Google sent recently informing users of the change linked to a notification page that said that "human reviewers (including service providers) read, annotate, and process" the data Gemini accesses. The email provides no useful guidance for preventing the changes from taking effect. The email said users can block the apps that Gemini interacts with, but even in those cases, data is stored for 72 hours. The email never explains how users can fully extricate Gemini from their Android devices and seems to contradict itself on how or whether this is even possible.


Data Breach Reveals Catwatchful 'Stalkerware' Is Spying On Thousands of Phones

Slashdot
Author: BeauHD
An anonymous reader quotes a report from TechCrunch: A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app's full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims. [...] According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims' devices. Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows. The Catwatchful database also revealed the identity of the spyware operation's administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers. Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned. The stalkerware operation uses a custom API and Google's Firebase to collect and store victims' stolen data, including photos and audio recordings. According to Daigle, the API was left unauthenticated, exposing sensitive user data such as email addresses and passwords. The hosting provider temporarily suspended the spyware after TechCrunch disclosed this vulnerability but it returned later on HostGator. Despite being notified, Google has yet to take down the Firebase instance but updated Google Play Protect to detect Catwatchful. 
While Catwatchful claims it "cannot be uninstalled," you can dial "543210" and press the call button on your Android phone to reveal the hidden app. As for its removal, TechCrunch has a general how-to guide for removing Android spyware that could be helpful.
