The clocks have fallen back an hour for many of us, and if it all feels a bit disorienting, you’re not alone. Thankfully, Amazon’s versatile Echo Spot is on sale to help you adjust. Normally $79.99, right now you can buy the smart alarm clock at Amazon in black, blue, or white with a free Globe Electric smart bulb for $49.99, which equates to $41.99 in savings. That’s just $5 shy of the all-time low we saw during Amazon’s recent Prime Day event.

Amazon’s speedy smart speaker can be set up so that it gently wakes you up with music instead of typical alarm clock sounds, which can be jarring. The Spot is also a lot more useful than your run-of-the-mill clock, as it offers a customizable 2.83-inch screen that displays helpful info (including the weather and music playback). However, unlike Amazon’s larger smart displays, the latest Spot doesn’t push on-screen ads and lacks a camera, so there’s less of a privacy concern.

What makes the Spot particularly useful, though, is that it functions as an inexpensive Alexa speaker. That means you can use it to perform all kinds of tasks, from setting reminders to playing podcasts, audiobooks, and music. You can also use it to control other smart home devices with just your voice, including lights and smart thermostats. That’ll come in handy as the days get colder and darker — after all, no one wants to leave the warmth of their bed just to hit the lights.

Do you remember those TV shows where the villain gets defeated in one season but comes back even stronger in the next? Think “Stranger Things” on Netflix. The malware we’re talking about here is just like that. It’s called FakeCalls, and every time researchers figure out how it infects devices, it evolves with new ways to hide. 

Earlier this year, it was reported to be impersonating large financial institutions, and now security researchers have discovered that the malware has gone through another upgrade. It can even hijack the calls you make to your bank using your Android phone.

ENTER CYBERGUY’S $500 HOLIDAY GIFT CARD SWEEPSTAKES

What you need to know

FakeCalls is a banking trojan that focuses on voice phishing, where victims are deceived through fraudulent calls impersonating banks and are asked to share sensitive information. Earlier versions did this by prompting users to call the bank from within an app that impersonated the financial institution, as reported by Bleeping Computer. However, the latest version, analyzed by Zimperium, sets itself as the default call handler.

The default call handler app manages incoming and outgoing calls, allowing users to answer, reject or initiate calls. Giving these permissions to a malicious app, as you can imagine, carries serious risks.

When a user gives the app permission to set itself as the default call handler, the malware gets the green light to intercept and mess with both outgoing and incoming calls. It even shows a fake call interface that looks just like the real Android dialer, complete with trusted contact info and names. This level of deception makes it really tough for victims to see what’s happening.

“When the compromised individual attempts to contact their financial institution, the malware redirects the call to a fraudulent number controlled by the attacker,” explains the new Zimperium report. “The malicious app will deceive the user, displaying a convincing fake UI that appears to be the legitimate Android’s call interface showing the real bank’s phone number.”

“The victim will be unaware of the manipulation, as the malware’s fake UI will mimic the actual banking experience, allowing the attacker to extract sensitive information or gain unauthorized access to the victim’s financial accounts,” the report added.

Android home screen (Kurt “CyberGuy” Knutsson)

ANDROID BANKING TROJAN EVOLVES TO EVADE DETECTION AND STRIKE GLOBALLY

The malware can also steal your data

This malware not only hijacks your calls but can also steal your data. It gets access to Android’s Accessibility permissions, which basically gives it free rein to do whatever it wants. The developer of the malware has also added several new commands, including the ability to start livestreaming the device’s screen, take screenshots, unlock the device if it’s locked and temporarily turn off auto-lock. It can also use accessibility features to mimic pressing the home button, delete images specified by the command server, and access, compress and upload photos and thumbnails from storage, especially from the DCIM folder.

Android phone (Kurt “CyberGuy” Knutsson)

ANDROID BANKING TROJAN MASQUERADES AS GOOGLE PLAY TO STEAL YOUR DATA

6 ways to protect yourself from FakeCalls malware

1) Have strong antivirus software: Android has its own built-in malware protection called Play Protect, but the FakeCalls malware proves it’s not enough. Historically, Play Protect hasn’t been 100% foolproof at removing all known malware from Android phones. Also, avoid clicking on any links in messages or emails that seem suspicious. The best way to protect yourself from clicking malicious links that install malware that may get access to your private information is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams. 

Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

2) Download apps from reliable sources: It’s important to download apps only from trusted sources, like the Google Play Store. The FakeCalls malware infects your phone when you download an app from an unknown link. As an Android user, you should only download apps from the Play Store, which has strict checks to prevent malware and other harmful software. Avoid downloading apps from unknown websites or unofficial stores, as they pose a higher risk to your personal data and device. Also, never trust download links that you receive through SMS.

3) Be cautious with app permissions: Always review the permissions requested by apps before installation. If an app requests access to features that seem unnecessary for its function, it could be a sign of malicious intent. Do not give any app Accessibility permissions unless you really need to. Avoid granting permissions that could compromise your personal data.

4) Regularly update your device’s operating system and apps: Keeping your software up to date is crucial, as updates often include security patches for newly discovered vulnerabilities that could be exploited by malware like FakeCalls.

5) Monitor financial activity regularly: Check your bank and credit card statements often for unauthorized transactions. Set up alerts for any account activity, which can notify you immediately if suspicious activity occurs.

6) Limit sensitive transactions on mobile: Whenever possible, avoid performing high-risk transactions (like large money transfers) on your mobile device, especially if you’re in public or connected to unsecured Wi-Fi. Use a secure computer or contact your bank directly from a verified number.

THE HIDDEN COSTS OF FREE APPS: YOUR PERSONAL INFORMATION

Kurt’s key takeaway

Hackers are constantly upgrading their tactics and finding clever ways to hack your devices and scam you out of your hard-earned money. I really think Android phone manufacturers and Google need to step up their game on security to help keep users from getting hacked so often. I don’t see the same level of malware affecting iPhones.

How comfortable are you using your mobile phone for financial transactions, and what would make you feel safer? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you’d like us to cover.

Guess the artist, win five bucks. Whether you’re a random person on the streets of New York, an A-list celebrity, or the sitting Vice President of the United States, that’s the pitch behind one of the most fun music shows on social media. You show up, you get some headphones and a microphone, and you hope you know what song is playing.

The show is called Track Star, and it’s hosted by Jack Coyne. On this episode of The Vergecast, the first in our three-part miniseries about the future of music, Coyne joins the show to tell us the story of Track Star.

We talk about the show’s beginnings as a trivia show about New York called Public Opinion, how Coyne and his co-creators figured out the show’s structure and pace, how he thinks about his role as the host, and why a bunch of famous people started clamoring to be on the show. Coyne never expected Track Star to feature the likes of Ed Sheeran, Olivia Rodrigo, Jack Antonoff, Nelly Furtado, Kamala Harris, and Oprah, but it happened. And somewhat remarkably, it didn’t change the show at all.

We also dig into why a show like Track Star works, and why it matters, in the current music landscape. Coyne and his team have big plans for expanding the franchise, too, and sees a place for Track Star even in an online world already overloaded with stuff to listen to. If you start with music, conversation, and a decent playlist, there are plenty of places you can go.

If you want to know more about everything we discuss in this episode, here are some links to get you started: