Thousands of Android-spying apps in the wild: what to do about SonicSpy

Thanks to Chen YuRowland Yu and Ferenc László Nagy of SophosLabs for their behind-the-scenes work.

Android users have a new threat to be aware of: spyware apps that steal data from the devices they infect. Some samples made their way to Google Play, but the vast majority is coming from other online sources.

Researchers from SophosLabs and elsewhere have found three cases of SonicSpy-infused apps in Google Play: Soniac, Hulk Messenger, and Troy Chat – messaging apps that hide their spying functionality and await orders from command-and-control servers.

Google booted the apps from its store after they were discovered. Researcher Chen Yu said the Google Play versions had “tiny installation numbers and existed for a very short time”. Though three were found on Google Play, SophosLabs has counted 3,240 SonicSpy apps in the wild. Some reports place the number at 4,000.

According to multiple reports, a single bad actor – probably based in Iraq – has released these apps into the wild since February.

How it operates

The various SonicSpy-infused apps share the ability to:

  • Silently record audio
  • Take photos with the device’s camera
  • Make outbound calls
  • Send text messages to whatever phone numbers the attacker chooses
  • Retrieve data from contacts, Wi-Fi hotspots and call logs

On the devices it infects, SonicSpy removes its launch icon to hide itself. It then connects to a control server on port 2222 of arshad93.ddns[.]net, according to Michael Flossman, a researcher from Lookout who first reported the spyware’s appearance.

Defensive measures

Sophos customers are protected from the SonicSpy apps, which are detected as Andr/HiddenAp-W, Andr/Axent-CY, Andr/FakeApp-BK and Andr/Xgen-Y.

The continued presence of malicious Android apps demonstrates the need to use an Android antivirus such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.

In the bigger picture, the average Android user isn’t going to know what techniques the malware used to reach their device’s doorstep, but they can do much to keep it from getting in – especially when it comes to the apps they choose. To that end, here’s some more general advice:

  • Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “better camera” and “higher-res screen”?

from SophosLabs blog

Android Things Developer Preview 5

Posted by Wayne Piekarski,
Developer Advocate for IoT

Today, we’re releasing Developer Preview 5 (DP5) of Android Things, which
includes the major change of being based on the upcoming Android O release.
Android Things is Google’s platform to enable Android Developers to create
Internet of Things (IoT) devices, and seamlessly scale from prototype to

Android O

Android O is currently under Developer
for phones and tablets, and DP5 is now based on this upcoming
release (previous releases were based on Android N). This means that your future
Android Things applications should target API 26 to work correctly on the
platform with our support libraries.

Hardware Changes

DP5 now adds support for the new NXP SprIoT
design, as listed in our developer kits documentation.
With Intel discontinuing the Edison and Joule hardware
designs, these platforms are moving to legacy support. They will not continue to
receive the latest platform updates, but developers may continue to access the
DP4.1 system images from the Android Things Console.

An important goal of Android Things is to help developers seamlessly scale from
prototype to production. When we exit Developer Preview, we will differentiate
between hardware platforms targeted for prototyping-only and hardware reference
designs that can scale to production. Production-ready hardware will satisfy
Google’s security requirements and include long term support from the silicon
manufacturers. We will have more to share later on.


With the move to the Android O codebase, there are new API features from Android
as well as specific features for Android Things. For those developers using
UserDriver APIs, you will need to add new permissions to your
AndroidManifest.xml. The documentation
contains details about the permissions needed for each driver type. DP5 also now
supports OpenGL ES 2.0 and WebView on the Raspberry Pi 3, which was a highly
requested feature from developers. We have also implemented dynamic
pin muxing
for the Raspberry Pi 3, with pins being configured at runtime
depending on what features are being used.

Android Studio

The samples for Android Things are now available directly in Android Studio for
browsing and importing. You can now go to File, New, Import Samples, and search
for Things to see everything that is available. We have a wide range of samples,
demonstrating how to interact with buttons, sensors, LEDs, and displays, as well
as implementing Google Assistant and TensorFlow.

Android Things Console

We recently launched
the Android Things
, which provides the ability to support over-the-air updates (OTA) to
Android Things devices. We have recently made a number of UX improvements to the
console to improve usability and functionality. DP5 is now available within the
Android Things Console, but the DP5 update will not be pushed automatically to
devices without your intervention. You will need to update your application for
DP5, then create a new update and push it via the console yourself.


With Android Things being updated to Android O, significant changes have been
made to the platform. Please send us your feedback by filing bug
and feature
, and asking any questions on Stack
. To start using DP5, use the Android Things Console to
download system images and update existing devices. More information about the
changes are available in the release
. You can also join Google’s IoT
Developers Community
on Google+, a great resource to get updates and discuss
ideas. Also, we have our new
, where everyone can share the amazing projects they have built!

from Android Developers Blog

Automotive Grade Linux Reaches Key Car Platform Milestones

By Jack M. Germain

Aug 3, 2017 4:07 PM PT

Automotive Grade Linux on Wednesday released version 4.0 of the AGL infotainment platform and announced new projects to support telematics, instrument cluster, heads-up-display and a virtualization component.

The group also announced that seven new companies have joined AGL and The Linux Foundation. The addition of Brison, Karamba Security, Lear Corporation, Luxoft, Thundersoft, SafeRide Cyber Security and Wipro increases AGL’s membership to more than 100 partners.

The breadth of the seven new companies indicates the range of involvement within the automotive industry for developing a unified open source system for in-vehicle infotainment systems, said Dan Cauchy, executive director of AGL at The Linux Foundation.

A major market analysis coming out soon will show AGL as a separate line item, which shows the momentum AGL has developed within the industry, he told LinuxInsider.

The latest version of AGL’s Unified Code Base includes support for SmartDeviceLink integration, Speech Recognition APIs, secure Over-the-Air Updates, and improvements to the App Framework and Software Development Kit, noted Charles King, principal analyst at Pund-IT.

Under AGL’s Hood

Automotive Grade Linux is a collaborative open source project that brings together automakers, suppliers and technology companies to accelerate the development and adoption of a fully open software stack for the connected car. The collaboration is focused on In-Vehicle Infotainment.

AGL’s Unified Code Base is an open source infotainment platform that can serve as the de facto industry standard. However, AGL is the only organization planning to address all software in the vehicle, including instrument cluster, heads-up display, telematics, advanced driver assistance systems and autonomous driving.

“AGL is quickly gaining momentum across the auto industry, and Toyota’s AGL-based infotainment system puts the AGL platform a step closer towards becoming the de facto industry standard,” said The Linux Foundation’s Cauchy. “The industry is starting to understand the advantages of open source and the impact that AGL can have on product development.”

That involvement from Toyota is a huge step forward, Pund-IT’s King told LinuxInsider. “Along with [the backing of] other major automobile vendor members — including Mazda, Suzuki, Honda and Mercedes — Toyota’s support is likely to significantly boost the AGL industry profile and achievements.”

AGL does not integrate open source with proprietary products. Rather, it is the base platform. AGL is 70 percent to 80 percent of the starting point for a production project.

“Car makers then add their own look and feel with their own user interface, so it looks like their brand, and add the apps that they want,” King pointed out.

Industry-Wide Integration

Car makers can customize AGL all they want. The platform is all AGL. It does not compete with smartphone projection technologies like Android Auto and Apple Car Play.

“For those displays to work, you must first have a full-blown system in the car that is working. The smartphone display does not replace the system in the car at all,” Cauchy said.

AGL ultimately will become the platform that car makers will deploy the most, he predicted. However, it is not there yet.

“The incumbent is QNX, but they are losing market share rapidly because of the success of Linux,” Cauchy said.

“A key advantage to Automotive Grade Linux is that a lot of these OEMs do not want to have a system that is controlled by one company. They want to be in control of their own destiny. With AGL they can customize it to their own brand and do whatever they want with it,” he explained.

Driving Factors

The goal of the UCB infotainment platform is to provide most of the basics of a production infotainment system. Automakers and suppliers customize the rest.

Sharing a single software platform across the industry reduces fragmentation and accelerates time to market by encouraging the growth of a global ecosystem of developers that can build a product once and have it work for multiple automakers.

AGL makes two releases per year, roughly every six months. The industry can start counting on AGL having a steady cadence of releases, said Cauchy.

“We hope the various manufacturers can now take our releases and integrate them in their own products to provide the enhancements and security and bug fixes into their own releases and provide over-the-air updates to their own customers,” he said.

There is much more in AGL’s big picture, noted Pund-IT’s King. AGL has set its sights beyond infotainment. It sees the UCB as a means to support other capabilities, including telematics, instrument cluster and heads-up-display.

“The newly announced Virtualization Expert Group is likely to play a key role in this process, since adopting a virtualization platform and features should enhance the UCB’s security and other capabilities,” he said.

Virtualizing Infotainment Plus

The Virtualization Expert Group, or EG-VIRT, plans to identify a hypervisor and develop an AGL virtualization architecture that will help accelerate time to market, reduce costs and increase security.

An open virtualization solution could allow for the consolidation of multiple applications such as infotainment, instrument cluster, heads-up-display and rear-seat entertainment on a single multicore CPU through resource partitioning.

That approach potentially could reduce development costs by enabling OEMs to run independent operating systems simultaneously from a single hardware board.

Virtualization also could add another layer of security by isolating safety critical functions from the rest of the operating system, which means the software would not be able to access critical controls like the vehicle CAN bus.

Virtualization also will play a key role in the AGL Cockpit Architecture work. This phase, launched in early 2017, expands AGL throughout the entire cockpit to reduce the lead time for integrating commercial applications.

Work in Progress

The value of Linux is essential to AGL’s progress in developing an industry-wide in-car OS, noted Howard Green, vice president of marketing at
Azul Systems.

“AGL is a great Linux distro, and we actually have added it to the support matrix for our Zulu Embedded builds of OpenJDK,” he told LinuxInsider.

The platform has a lot of marquee names behind it, and these new projects, developed in close cooperation with the industry, will help accelerate adoption, Green noted.

“We can not speak to overall sector dominance,” he said. “However, it is clear that AGL has lots of momentum and visibility.”

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.
Email Jack.

from LinuxInsider

By removing VPNs from its Chinese App Store, Apple turns its biggest security asset against its users

By removing VPNs from its Chinese App Store, Apple turns its biggest security asset against its users

Posted by   Martijn Grooten on   Aug 1, 2017

A little over a month ago, Apple‘s iPhone celebrated its tenth birthday. The iPhone has been one of the biggest commercial success stories ever, but it has also been a great success from a security point of view: malware targeting its iOS operating system remains extremely rare.

Malware for iOS is not completely non-existent: for example, at VB2014 a group of FireEye researchers presented a paper in which they demonstrated how the iOS Developer Enterprise Program could be used to install malware; something which was used shortly afterwards by WireLurker. However, in the rare cases iOS malware is found, it often requires the phone to be jailbroken; AdThief is a good example of that.

Apple dedicates a lot of resources to making its operating systems secure, but the main reason for the lack of malware is likely to be its tightly controlled App Store, which protects users against the biggest threat: themselves. Whether it is through opening malicious links sent via email or by installing free versions of paid-for apps, it is almost always a human mistake (understandable as they often are) that leads to an infection.

The App Store makes it almost impossible for such a mistake to lead to malware being installed. For this reason, iPhones are often recommended to those whose threat models include powerful adversaries, for example journalists and activists.

I was thus disappointed to learn that Apple has removed all VPN apps from its Chinese App Store. Though many VPN apps have issues themselves, they do offer extra protection against various threats – and not just the threat of the government finding out you’re doing something they don’t approve of.

I am aware that it is easy for me to criticize Apple: the company says it had no choice but to comply with Chinese law. Failing to do so could have jeopardized the company’s Chinese market and thus could potentially have led to the job losses of thousands of Apple employees. The total removal of the iPhone from China wouldn’t necessarily have made users better off.

Still, I would have liked for Apple to have taken a strong principled stand, like it did when the US government asked it to unlock the iPhone used by the San Bernardino shooter. Sadly, the company will soon have another opportunity to take such a stand: this weekend, Russian president Vladimir Putin signed a law that bans the use of VPNs in Russia.



Latest posts:

To comply with Chinese laws, Apple has removed all iOS VPN apps from its Chinese app store. This means that the company uses iOS’s strongest security asset, its tightly controlled App Store, against its own users.

Today we announce the first two Small Talks for the VB2017 programme: ENISA will provide its perspective on the WannaCry outbreak and the lessons learned from it, while David Harley will talk about the past and present of security product testing.

This week the NoMoreRansom project celebrated its first birthday. It has already helped many victims of ransomware with advice and tools and is an excellent example of collaboration between private and public partners in IT security.

Today, we open the call for last-minute papers for VB2017. Submit before 3 September to have your abstract considered for one of the ten slots reserved for ‘hot’ research.

We’re not ones to make bold claims about our conference, and we suggest you ask past attendees for their opinion, but here are five reasons why we think you should come to VB2017 in Madrid.

from Virus Bulletin news

Dangerous Mobile Banking Trojan Gets ‘Keylogger’ to Steal Everything

Cyber criminals are becoming more adept, innovative, and stealthy with each passing day. They have now shifted from traditional to more clandestine techniques that come with limitless attack vectors and are harder to detect.

Security researchers have discovered that one of the most dangerous Android banking Trojan families has now been modified to add a keylogger to its recent strain, giving attackers yet another way to steal victims sensitive data.

Kaspersky Lab’s Senior malware analyst Roman Unuchek


a new variant of the well-known Android banking Trojan, dubbed


, in the mid of last month with a new keylogger feature, which takes advantage of Android’s Accessibility Services.

Trojan Exploits ‘Accessibility Services’ to Add Keylogger

Yes, the keylogger added in the new version of Svpeng takes advantage of

Accessibility Services

— an Android feature that provides users alternative ways to interact with their smartphone devices.

This change makes the Svpeng Trojan able not only to steal entered text from other apps installed on the device and log all keystrokes, but also to grant itself more permissions and rights to prevent victims from uninstalling the Trojan.

In November last year, the Svpeng banking trojan

infected over 318,000 Android devices

across the world over the span of only two months with the help of Google AdSense advertisements that was abused to spread the malicious banking Trojan.

Over a month ago, researchers also discovered another attack taking advantage of Android’s Accessibility Services, called

Cloak and Dagger attack

, which allows hackers to silently take full control of the infected devices and steal private data.

If You Are Russian, You Are Safe!

Although the new variant of the Svpeng malware is not yet widely deployed, the malware has already hit users in 23 countries over the course of a week, which include Russia, Germany, Turkey, Poland, and France.

But what’s worth noticing is that, even though most infected users are from Russia, the new variant of Svpeng Trojan doesn’t perform malicious actions on those devices.

According to Unuchek, after infecting the device, the Trojan first checks the device’s language. If the language is Russian, the malware prevents further malicious tasks—this suggests the criminal group behind this malware is Russian, who are avoiding to violate Russian laws by hacking locals.

How ‘Svpeng’ Trojan Steals Your Money

Unuchek says the latest version of Svpeng he spotted in July was being distributed through malicious websites that disguised as a fake Flash Player.

Once installed, as I have mentioned above, the malware first checks for the device language and, if the language is not Russian, asks the device to use Accessibility Services, which opens the infected device to a number of dangerous attacks.

With having access to Accessibility Services, the Trojan grants itself device administrator rights, displays an overlay on the top of legitimate apps, installs itself as a default SMS app, and grants itself some dynamic permissions, such as the ability to make calls, send and receive SMS, and read contacts.

Additionally, using its newly-gained administrative capabilities, the Trojan can block every attempt of victims to remove device administrator rights—thereby preventing the uninstallation of the malware.

Using accessibility services, Svpeng gains access to the inner working of other apps on the device, allowing the Trojan to steal text entered on other apps and take screenshots every time the victim presses a button on the keyboard, and other available data.

“Some apps, mainly banking ones, do not allow screenshots to be taken when they are on top. In such cases, the Trojan has another option to steal data – it draws its phishing window over the attacked app,” Unuchek says. 

“It is interesting that, in order to find out which app is on top, it uses accessibility services too.”

All the stolen information is then uploaded to the attackers’ command and control (C&C) server. As part of his research, Unuchek said he managed to intercept an encrypted configuration file from the malware’s C&C server.

Decrypting the file helped him find out some of the websites and apps that Svpeng targets, as well as help him obtain a URL with phishing pages for both the PayPal and eBay mobile apps, along with links for banking apps from the United Kingdom, Germany, Turkey, Australia, France, Poland, and Singapore.

Besides URLs, the file also allows the malware to receive various commands from the C&C server, which includes sending SMS, collecting information such as contacts, installed apps and call logs, opening the malicious link, gathering all SMS from the device, and stealing incoming SMS.

The Evolution of ‘Svpeng’ Android Banking Malware

Researchers at Kaspersky Lab initially discovered the Svpeng Android banking malware trojan back in 2013, with primary capability—Phishing.

Back in 2014, the malware was then modified to add a ransomware component that locked victim’s device (by FBI because they visited sites containing pornography) and demanded $500 from users.

The malware was among the first to begin attacking SMS banking, use phishing web pages to overlay other apps in an effort to steal banking credentials and to block devices and demand money.

In 2016, cyber criminals were actively distributing

Svpeng via Google AdSense

using a vulnerability in the Chrome web browser, and now abusing Accessibility Services, which makes Svpeng the most dangerous mobile malware family to date.

How to Protect Your Smartphone From Hackers

With just Accessibility Services, this banking Trojan gains all necessary permissions and rights to steal lots of data from the infected devices.

The malicious techniques of the Svpeng malware even work on fully-updated Android devices with the latest Android version and all security updates installed, so it is little users can do in order to protect themselves.

There are standard protection measures you need to follow to remain unaffected:

  • Always stick to trusted sources, like Google Play Store and the Apple App Store, but only from trusted and verified developers.
  • Most importantly, verify app permissions before installing apps. If any app is asking more than what it is meant for, just do not install it.
  • Do not download apps from third party sources, as most often such malware spreads via untrusted third-parties.
  • Avoid unknown and unsecured Wi-Fi hotspots and Keep your Wi-Fi turned OFF when not in use.
  • Never click on links provided in an SMS, MMS or email. Even if the email looks legit, go directly to the website of origin and verify any possible updates.
  • Install a good antivirus app that can detect and block such malware before it can infect your device, and always keep the app up-to-date.

from The Hacker News

Apple Removes Apps From China Store That Help Internet Users Evade Censorship

The New York Times

Apple Removes Apps From China Store That Help Internet Users Evade Censorship

Software made by foreign companies to help users skirt China’s internet filters has vanished from Apple’s app store on the mainland.Ng Han Guan/Associated Press

July 29, 2017

HONG KONG — China appears to have received help on Saturday from an unlikely source in its fight against tools that help users evade its Great Firewall of internet censorship: Apple.

Software made by foreign companies to help users skirt the country’s system of internet filters has vanished from Apple’s app store on the mainland.

One company, ExpressVPN, posted a letter it had received from Apple saying that its app had been taken down “because it includes content that is illegal in China.”

Another tweeted from its official account that its app had been removed.

A search on Saturday showed that a number of the most popular foreign virtual-private networks, also known as VPNs, which give users access to the unfiltered internet in China, were no longer accessible on the company’s app store there.


ExpressVPN wrote in its blog that the removal was “surprising and unfortunate.”

It added, “We’re disappointed in this development, as it represents the most drastic measure the Chinese government has taken to block the use of VPNs to date, and we are troubled to see Apple aiding China’s censorship efforts.”

Sunday Yokubaitis, president of Golden Frog, a company that makes privacy and security software including VyprVPN, said its software, too, had been taken down from the app store. “We gladly filed an amicus brief in support of Apple in their backdoor encryption battle with the F.B.I.,” he said, “so we are extremely disappointed that Apple has bowed to pressure from China to remove VPN apps without citing any Chinese law or regulation that makes VPN illegal.”

He added, “We view access to Internet in China as a human rights issue, and I would expect Apple to value human rights over profits.”

An Apple spokeswoman declined to comment about the removals, which appear to affect only users in Apple’s China app store — generally those who have indicated a billing address in mainland China.

This is not the first time that Apple has removed apps at the request of the Chinese government, but it is a new reminder of how deeply beholden the tech giant has become to Beijing at a moment when the leadership has been pushing to tighten its control over the internet.

The removals signal a new push by China to control the internet. In the past, the Great Firewall has used technology to disrupt VPNs, and Beijing has shut down Chinese VPNs and even aimed a huge cyberattack at a well-known foreign site hosting code that circumvented the filters.


But they also mark the first time China has successfully used its influence with a major foreign tech platform, like Apple, to push back against the software makers.

While internet crackdowns often peak every five years, ahead of a key Chinese Communist Party congress, this year’s efforts cover fresh ground, a likely indication that stricter controls of things like VPNs will persist after the congress this autumn. Earlier this month, China also began a partial block of the Facebook-owned messaging app WhatsApp.

Greater China is Apple’s largest market outside the United States. That has left the company more vulnerable than almost any other American technology firm to a Chinese campaign to wean itself off foreign technology and tighten control over foreign tech companies operating there.

In response, Apple has made a number of moves to ensure that it stays on Beijing’s good side. Last year, the company complied with what it said was a request from the Chinese authorities to remove from its China app store news apps created by The New York Times.

This month, the company said it would open its first data center in China to comply with a new law that pushes foreign firms to store more of their data in China.

Apple has operated its app store in China for many years with only the occasional run-in with the government. The VPN crackdown and Beijing’s move in December to target news sites indicates that China’s internet regulators have taken a deeper interest, and are exerting more control, over what is available on Apple’s China app store.


July 29, 2017

An earlier version of this article misspelled the name of the software produced by Golden Frog. It is VyprVPN, not VyperVPN.

Carolyn Zhang contributed research from Shanghai.

ADVERTISEMENTHelpSubscribeFeedbackTerms of ServicePrivacyThe New York Times

You’ve reached your limit of 10 free articles a month

To continue reading, subscribe for unlimited access.

  • 99¢

    for the first 4 weeks

  • $3.75

    $2.50/week thereafter

  • Unlimited access to over 250 articles, columns and videos daily.

  • Read offline, on any device. Apps for iPhone®, iPad®, and Android.

Already a subscriber? Log in »

from Error 404 (Not Found)!!1

Watch out for the Android malware that snoops on your phone

Android users have a new strain of malware to worry about – one that sits in the background of infected devices and causes all kinds of trouble.

SophosLabs detects it as Andr/Dropr-FH, but others are calling it GhostCtrl. On the surface, it looks like a variant of OmniRAT, a remote admin tool for Android devices that’s available to the public. The damage this version can do includes:

  • Monitoring text messages, contacts, call logs, location, phone numbers and browsing history.
  • Logging the version of Android it infects, along with the battery level and Bluetooth details.
  • Recording audio and video.
  • Behaving like ransomware and locking up the victim’s files.

According to various press reports, the bad guys are distributing Andr/Dropr-FH via apps designed to look like such legitimate items as Pokemon GO and WhatsApp.

For more on Android malware, check out our 2017 Malware Forecast.

SophosLabs first started detecting versions of the malware in April 2016. It updated customer protections against the latest variants on July 17. Labs has received just above 300 samples so far, though none appear to be coming from Google Play.

How to protect yourself

As noted above, Sophos customers are protected from this malware. Additionally, users can protect themselves by following this advice:

  • Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Consider using Sophos Mobile Security for Android, which is 100% free of charge.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “cooler camera” and “funkier screen”?

from SophosLabs blog