PayPal Unveils New In-Store Payment Product
PayPal has unveiled a mobile payment product for customers that doesn’t require near-field communication (NFC) technology inside smartphones.
The system relies instead on using smartphones and other mobile devices to scan product bar codes and to authorize payments through PayPal mobile accounts. Shoppers will also be able to use credit-card scanning terminals commonly seen in grocery stores: The user inputs a phone number and PIN on the terminal’s keypad instead of swiping a credit or debit card.
PayPal President Scott Thompson laid out the basics of the plan in a blog post published Wednesday. In the post, he also took a swipe at competitors, including Google, MasterCard, Visa and others, who are working with NFC in smartphones for a mobile wallet.
“Let’s be clear about something — we’re not just shoving a credit card on a phone,” Thompson said in his blog.
PayPal is already a major global force in online payments, with 100 million customers. While PayPal’s new payment technologies don’t rely on NFC, they do propose making in-store payments possible from any device and support GPS-based offers, according to Thompson’s blog. PayPal will even allow customers to set up payments on credit after they’ve checked out.
Dozens of merchants got a sneak peek of the technology Wednesday at an event PayPal sponsored. The event was covered by All Things D, which was not allowed to take photographs, but posted a story. In addition to the payment methods shown in the PayPal video, that story said PayPal will allow customers to continue using plastic cards, issued by PayPal, for payment.
In an interview posted on AllThingsD, Thompson said the PayPal approach doesn’t require merchants to install new terminals, nor does it require customers to buy a new smartphone.
While Thompson didn’t rule out NFC, he did say, “We are not embracing technology,” adding that working with NFC on a specific phone with a certain network and banks might only service “50 people out of 350 million people in the U.S.”
PayPal said in February it would start pilot programs of mobile payments within a year, but hasn’t given more details on timing. It faces a number of competitors.
Google Removes Malicious Code
Over the weekend, we heard, Android’s parent Google finally removed a bunch of malicious applications from the Android Market and will use the kill switch in Android to remove the code from users’ smartphones.
Unfortunately, 260,000 smartphone users had already downloaded the applications to their Android phones. People who are using an Android smartphone with an OS version earlier than version 2.2.2 were vulnerable to the malicious applications. Fifty-eight malicious applications were discovered and removed.
We heard that the developer accounts responsible for the malicious applications were suspended.
The pirated versions of legitimate applications on the Android Market were infected by a Trojan called DroidDream, which uses a root exploit dubbed “rageagainstthecage”.
The malware captured users’ private and product information from the smartphone and had the ability to download more malicious code.
Google Pulls Apps From Android Market
Google has taken steps to rid the Android Market of several applications that were found to be ridden with malware.
The openness of the Android platform appears to be the culprit, since the applications were not screened and did not follow Google’s policies. We hear that the applications were developed by several individuals and unfortunately contained the DroidDream malware, which supposedly steals personal data.
On a good note, Google is investigating the matter and will hopefully take more action. I wonder if the people at Apple and Microsoft are laughing at the openness of Android? We know that unfortunately, this is only the beginning.
Soundminer Malware Steals Android Phones User Data
Researchers have developed a low-profile Trojan horse program for Google’s Android mobile OS that lifts data in a way that will more than likely go undetected by either a user or antivirus software.
The malware, called Soundminer, monitors phone calls and records when a person, for example, says their credit card number or enters one on the phone’s keypad, according to the study.
Using various analysis techniques, Soundminer trims the extraneous recorded information down to the most essential, such as the credit card number itself, and sends just that small bit of information back to the attacker over the network, the researchers said.
The study was done by Roman Schlegel of City University of Hong Kong and Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia and XiaoFeng Wang of Indiana University in Bloomington, Indiana.
“We implemented Soundminer on an Android phone and evaluated our technique using realistic phone conversation data,” they wrote. “Our study shows that an individual’s credit card number can be reliably identified and stealthily disclosed. Therefore, the threat of such an attack is real.”
Soundminer is deliberately developed to ask for as few permissions as possible to avoid suspicion. For example, Soundminer may be allowed access to the phone’s microphone, but further access to transmit data, intercept outgoing phone calls and access contact lists might look suspicious.
So in another version of the attack, the researchers paired Soundminer with a separate Trojan, called Deliverer, which is responsible for sending the information collected by Soundminer.
Since Android could prevent that communication between applications, the researchers investigated a stealthy way for Soundminer to communicate with Deliverer. They found several of what they term “covert channels,” in which a change to a shared feature, such as the vibration settings, is communicated to other interested applications.
Soundminer could encode its sensitive data in a form that looks like a vibration setting; Deliverer could then decode it and transmit the information to a remote server. That covert vibration settings channel only has 87 bits of bandwidth, but that is enough to send a credit card number, which is just 54 bits, they wrote.
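A defender's view of the two-app arrangement described above, as an added example that is not from the researchers or the original article: it flags an app without network permission that rewrites the vibration setting far faster than a user could while a network-capable app listens for the changes. The audit-trail format, package names, short permission names and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_MS = 1000   # assumed observation window
MAX_WRITES = 4     # assumed ceiling for user-driven changes per window

# Constructed permission sets; package names are hypothetical and the
# permission names are shortened (no "android.permission." prefix).
PERMS = {
    "com.example.recorder": {"RECORD_AUDIO"},
    "com.example.weather": {"INTERNET"},
    "com.example.profiles": {"INTERNET"},
}

# Constructed audit trail, "<ms> <package> <WRITE|LISTEN>": WRITE changes the
# vibration setting, LISTEN subscribes to its change notifications.
SAMPLE_LOG = (
    "0 com.example.weather LISTEN\n"
    "500 com.example.profiles WRITE\n"
    "90500 com.example.profiles WRITE\n"
    + "".join(f"{100000 + 20 * i} com.example.recorder WRITE\n" for i in range(60))
)

def peak_write_rates(log):
    """Return ({package: most writes seen in any WINDOW_MS span}, listeners)."""
    recent, peak, listeners = defaultdict(deque), defaultdict(int), set()
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, pkg, kind = line.split()
        if kind == "LISTEN":
            listeners.add(pkg)
            continue
        q = recent[pkg]
        q.append(int(ts))
        while q[0] <= int(ts) - WINDOW_MS:   # drop writes older than the window
            q.popleft()
        peak[pkg] = max(peak[pkg], len(q))
    return dict(peak), listeners

def suspicious_pairs(log, perms):
    """Pair each bursty writer lacking INTERNET with listeners that hold it."""
    peak, listeners = peak_write_rates(log)
    pairs = []
    for writer, rate in sorted(peak.items()):
        if rate > MAX_WRITES and "INTERNET" not in perms.get(writer, set()):
            pairs += [(writer, rx, rate) for rx in sorted(listeners)
                      if rx != writer and "INTERNET" in perms.get(rx, set())]
    return pairs
```

Reviewing either app's permissions alone shows nothing unusual; the signal is the combination of write rate on the shared setting and the split of microphone and network access across two packages.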
Soundminer was coded to do the voice and number recognition on the phone itself, which averts the need to send large chunks of data through the network for analysis, which might again trigger an alert from security software.
If it is installed on a device, users are likely to approve of the settings that Soundminer is allowed to use, such as the phone’s microphone. Since Soundminer doesn’t directly need network access due to its use of a covert side channel to send its information, it is unlikely to raise suspicion.
Two antivirus programs for Android, VirusGuard from SMobile Systems and Droid Security’s AntiVirus, both failed to identify Soundminer as malware even when it was recording and uploading data, according to the researchers.
In an e-mail statement, Google representatives did not directly address Soundminer but stated that Android is designed to minimize the impact of “poorly programmed or malicious applications if they appear on a device.”
