Technology

Tesla Model 3 is among the top 10 choices for car buyers in 2020, according to Consumer Reports. The nonprofit organization released its &Top Picks& of the year on Thursday, and it included Teslamost affordable vehicle alongside cars from automakers including Toyota, Subaru, Honda, Kia and Lexus.

The Model 3 was chosen as one of three vehicles in the $45K-$55K category, alongside the Lexus RX and the Toyota Supra. CR lauded its &thrilling driving experience,& including &impressive handling and quick precise steering [that] help it feel like a sports car.& They did ding it slightly for having a &stiff ride& overall, but said that thatmore than made up for by its long EV battery range and emission-free eco-friendly qualities.

Consumer Reports also specifically called out a worry about the Model 3 that &Autopilot, an optional system on the vehicle, does not require the driver to stay engaged, creating safety concerns.& Tesla has always positioned Autopilot as a driver-assist feature that still requires a driver to be ready to take over control at a momentnotice, but critics have suggested its implementation can lead to misuse resulting in inattentiveness.

Clearly, that concern wasn&t enough to prevent CR from counting the Model 3 among its top recommendations for vehicles in 2020. Tesla also ended up ranking 11th overall out of 33 automakers in Consumer Reports& 2020 automotive brand report card, climbing eight positions from last year. The Model 3, and the rapid improvements that Tesla was able to make in its production as it scaled assembly of the vehicle, clearly helped it in the eyes of the consumer-focused nonprofit.

A spyware app designed to &monitor everything& on a victimphone has been secretly installed on thousands of phones.

The app, KidsGuard, claims it can &access all the information& on a target device, including its real-time location, text messages, browser history, access to its photos, videos and app activities, and recordings of phone calls.

But a misconfigured server meant the app was also spilling out the secretly uploaded contents of victims& devices to the internet.

These consumer-grade spyware apps — also known as &stalkerware& — have come under increased scrutiny in recent years for allowing and normalizing surveillance, often secretly and without obtaining permission from their victims. Although many of these apps are marketed toward parents to monitor their childactivities, many have repurposed the apps to spy on their spouses. Thatprompted privacy groups and security firms to work together to help better identify stalkerware.

KidsGuard is no different. Its maker, ClevGuard, pitches the spyware app as a &stealthy& way to keep children safe, but also can be used to &catch a cheating spouse or monitor employees.&

But the security lapse offers a rare insight into how pervasive and intrusive these stalkerware apps can be.

ClevGuardwebsite, which makes the KidsGuard phone spyware (Image: TechCrunch)

TechCrunch obtained a copy of the Android app from Till Kottmann, a developer who reverse-engineers apps to understand how they work.

Kottmann found that the app was exfiltrating the contents of victims& phones to an Alibaba cloud storage bucket — which was named to suggest that the bucket only stored data collected from Android devices. Itbelieved the bucket was inadvertently set to public, a common mistake made — often caused by human error — nor was it protected with a password.

Using a burner Android device with the microphone sealed and the cameras covered, TechCrunch installed the app and used a network traffic analysis tool to understand what data was going in and out of the device — and was able to confirm Kottmannfindings.

The app, which has to be bought and downloaded from ClevGuard directly, can be installed in a couple of minutes. (ClevGuard claims it also supports iPhones by asking for iCloud credentials to access the contents of iCloud backups, which is against Applepolicies.) The app has to be installed by a person with physical access to a victimphone, but the app does not require rooting or jailbreaking. The Android app also requires that certain in-built security features are disabled, such as allowing non-Google approved apps to be installed and disabling Google Play Protect, which helps to prevent malicious apps from running.

Once installed, ClevGuard says its app works in &stealth& and isn&t visible to the victim. It does that by masquerading itself as an Android &system update& app, which looks near-indistinguishable from legitimate system services.

And because thereno app icon, itdifficult for a victim to know their device has been compromised.

KidsGuard is designed to look like an Android app (Image: TechCrunch)

Because we only had the Android app and not a paid subscription to the service, we were limited in how much we could test. Through our testing, TechCrunch found that the app silently and near-continually siphons off content from a victimphone, including whatstored in their photos and video apps, and recordings of the victimphone calls.

The app also gives whomever install the app access to who the victim is talking to and when on a variety of apps, such as WhatsApp, Instagram, Viber and Facebook Messenger, and the app also boasts the ability to monitor a victimactivities on dating apps like Tinder. The app secretly takes screenshots of a victimconversations in apps like Snapchat and Signal to capture the messages before they are set to disappear.

The spyware app maker can also record and monitor the precise location of a device, and access their browsing history.

Although the app says it can access a victimcontacts, the uploaded data stored in the exposed bucket did not include contact lists or easily identifiable information on the victim, making it difficult for TechCrunch to notify victims in bulk.

But one victim we spoke to said she found out just a few days earlier that spyware had been installed on her phone.

&It was my husband,& said the victim. The two had been separated, she said, but he was able to access her private messages by secretly installing the spyware on her phone. &I gave him the choice to show me how he was doing it or I was getting a divorce, so he finally showed me last night,& she said.

ClevGuard shut down the exposed cloud storage bucket after we contacted the company. We also contacted Alibaba, which also alerted the company of the exposure.

&This is evidence that not only are spouseware and stalkerware companies morally bankrupt, they are also often failing to protect their stolen user data once they have it,& said Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation, who also examined the app.

&The fact that this also includes the data of young children is both alarming and sickening,& said Quintin. &This one tiny company had around 3,000 infections worldwide, which lays bare the massive scope of the spouseware and stalkerware industry.&

Itthe latest in a long stream of spyware companies that have either had data breaches or exposed systems. Vice tech news site Motherboard has reported on many, including mSpy, Mobistealth and Flexispy. The Federal Trade Commission also launched legal action against one spyware app maker, Retina-X, which had two data breaches involving sensitive victim data.

If you think you are a victim of KidsGuard, this is how you can identify and remove the malware.

Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755&8849.

WarnerMedia and YouTube TV today announced a distribution deal that will bring HBO and Cinemax to the Google-owned live TV streaming service for the first time as well as, notably, WarnerMedianew service HBO Max, set to launch this spring.

That means that YouTube TV customers will have the option to add-on either HBO or Cinemax to their current subscription, as they can today on other streaming services like Hulu. Alternately, they&ll be able to opt for HBO Maxexpanded streaming service instead.

The new agreement will also allow YouTube TV to continue to carry the WarnerMedia networks TBS, TNT, truTV, CNN, HLN, Turner Classic Movies, Adult Swim and Cartoon Network, which have been available to YouTube TV since 2018.

&As consumers& media consumption habits continually evolve and the landscape becomes more and more dynamic, our goal remains constant, and that is to make the portfolio of WarnerMedia networks available as widely as possible,& said Rich Warren, president of WarnerMedia Distribution, in a statement. &YouTube has been a valued partner for a number of years, and we&re pleased to not only extend our existing agreement, but also make HBO and Cinemax & and soon HBO Max & available to YouTube TV customers for the first time.&

HBO Max is WarnerMediapreviously announced direct-to-consumer streaming service, which includes the HBO library as well as films from Warner Bros., third-party licensed programs and 31 Max Originals. Combined with HBO series, HBO Max will stream 69 originals in its first year.

Among these is a &Gossip Girl& sequel, a Mindy Kaling comedy called &College Girls,& an adaptation of the popular novel &Circe,& a superhero series &DC Superhero High,& a &Dune& series, a &Grease& reboot, a reboot of &The Boondocks,& &The Green Lantern,& an Issa Rae comedy, a Ridley Scott sci-fi series, a new documentary on Anthony Bourdain, adocumentary about Amy Schumer,a Melissa McCarthy comedy film,a documentary with Monica Lewinskyand other scripted and unscripted shows. It also has a new deal with J.J. Abrams& Bad Robot and anoverall deal with Lisa Ling.

The company says the service will debut in May with 10,000 hours of film and TV, but will continue to grow over time. It is set to cost $14.99 per month.

With the additions of HBO, YouTube TV viewers can gain access to shows like &Watchmen,& &Big Little Lies,& &Last Week Tonight with John Oliver,& &Succession,& &Westworld,& &The Outsider,& &Barry,& &Insecure,& and &Curb Your Enthusiasm,& as well as classics like &Game of Thrones,& &The Sopranos,& &The Wire& and &Sex and the City.& Upcoming HBO releases will include &High Maintenance,& &My Brilliant Friend,& &The Plot Against America,& &The Undoing& and &I Know This Much Is True.&

Meanwhile, Cinemax brings its own slate of originals, including &Strike Back,& &Trackers& and &Gangs of London,& as well as movies like &Boy Erased,& &First Man& and &Bad Times at the El Royale.&

While HBO and Cinemax are offered to cord-cutters as over-the-top subscriptions in a number of places, WarnerMediadistribution plans for HBO Max are only now starting to be revealed. It makes sense that WarnerMedia would look to grow its distribution partnerships in the wake of the increased streaming competition arriving this year, including NBCUPeacock and an expanded CBS All Access, announced today by ViacomCBS.

DigitalOcean, a cloud infrastructure provider targeting smaller business and younger companies, announced today that it has secured $100 million in new debt from a group of investors, bringing its 2016-era debt raise to a total of around $300 million. The companynearly $200 million debt raise in 2016 was preceded by an $83 million Series B in 2015.

TechCrunch spoke with DigitalOcean CEO Yancey Spruill (hired in 2019, along with a new, IPO-experienced CFO; the company added a new CMO earlier this year) to get under the skin of the new funding, and better understand the companyrevenue scale, its financial health and its future IPO plans.

The firm intends to use the new funds to invest in partnerships, boost product investment and grow what its CEO called an &early-stage& inside sales capacity.

For readers of our regular $100 million ARR club series, consider this something of a sister post. We&ll induct DigitalOcean later on. Today, letfocus on the companymomentum, and its choice of selecting debt over equity-derived fundraising.

Contextual growth

DigitalOcean is a large private company in revenue terms, with the former startup reporting an annualized run rate of $200 million in 2018 and $250 million toward the end of 2019. According to Spruill, all the companyrevenue is recurring, so we can treat those figures as effective annual recurring revenue (ARR) results.

Sticking to the financial realm, DigitalOcean told TechCrunch that it has a mid-20s percentage growth rate, and the company claims that its EBITDA (an adjusted profit metric) are in the low 20s. Citing a &strategy over the next several years to continue to focus very specifically on the SMB and developer communities,& Spruill told TechCrunch that DigitalOcean will scale to $1 billion in revenue in the next five years, and it will become free cash flow profitable (something the CEO also referred to, loosely, as profitability) in the next two.

All that and the company expects to reach a $300 million annualized run rate inside the first half of 2020. How has it done all of that without raising new capital since it put roughly $200 million in debt onto its book back in 2016? A good question. Lettalk about DigitalOceaneconomics.

Economic efficiency

DigitalOcean has a pretty efficient go-to-market motion, which in human terms means that it can attract new customers at relatively low costs. It does this, per the CEO, by attracting millions of folks (around four million, he said) to its website each month. Those turn into tens of thousands of new customers.

Because DigitalOcean is a self-serve SaaS business, folks can show up and get started without hand-holding from sales. Sales cycles are expensive and slow. But, while allowing small companies to sign up on their own sounds attractive, companies that often lean on this acquisition method struggle with churn. So, I asked Spruill about that, specifically digging into customer churn via graduation, the pace at which customers that joined DigitalOcean as small companies left it for other players like Azure and AWS as they themselves grew (quote slightly condensed for readability):

Like any self-serve, early-stage, or SMB-focused business, [the] first three to four months is critical for [customers]. But when you look at our customer base over time — we look at every cohort of the eight year history of our company — all of our cohorts have grown each year, and our churn, which is what [your graduation rate] question is, do customers leave our platform, is de minimis after customers have been on our platform for a year or more.

So it doesn&t appear that churn is a catastrophe at DigitalOcean, which gives it what I&d call pretty attractive economics: Customers come in at relatively low customer acquisition costs, and with churn slipping very low after an initial quarter or so, the company can extract gross margin from those customers for quite some time. What does it do with that cash? It reinvests it. Herehow Spruill explained that process:

The high retention rates of the customers and the strong revenue growth enable cash flow to support the growth and investment of the business and paying and supporting the debt. And when you think about the dilution, when you think about a business at our size and scale — the roughly $400 million of capital raised is probably the right proxy, if you look at our peers and our size and stage of company development — most of them the vast majority of the capital is equity. In our case, only a quarter of the capital, a little over quarter the capital is equity. So we&re going to use the cash flow leverage of the business to drive enormous returns to the equity in terms of not taking on that significant dilution, and still being able to grow the business in a in a responsible and exciting way.

The chorus sound effect you are hearing in the background are the companyearly-stage investors rejoicing at DigitalOcean not selling more shares to grow, concentrating the value-upside to existing shares. Shares that they own a lot of.

So letsum quickly: DigitalOcean is working to carve out an SMB and developer-focused cloud infra niche, keeping its economics in a good place by using low-CAC, self-serve revenue generation. The margins from that are paying for the companydevelopment, and its overall economics are good enough to allow it to leverage debt to invest in itself instead of equity. Overall, not what I expected to hear this morning, but thatthe fun part of news.

Whatin the future? Probably not an IPO any time soon. The company just raised more debt, money that it probably intends to use before debuting. The CEO told TechCrunch that &the IPO option for DigitalOcean is on the table,& going on to cite his companygrowth, growth rate, operating margins, &soon-to-be free cash flow margins& and scale as allowing the upstart &to have the conversation that this is a company that could go public.&

Next, adding DigitalOcean to the $100 million ARR club, and then I fancy a few more revenue milestones until an eventual S-1.

We reported today on KidsGuard, a powerful mobile spyware. Not only is the app secretly installed on thousands of Android phones without the owners& consent, it also left a server open and unprotected, exposing the data it siphoned off from victims& infected devices to the internet.

This consumer-grade spyware also goes by &stalkerware.& Itoften used by parents to monitor their kids, but all too frequently itrepurposed for spying on a spouse without their knowledge or consent. These spying apps are banned from Apple and Googleapp stores, but those bans have done little to curb the spread of these privacy invading apps, which can read a victimmessages, listen to their phone calls, track their real-time locations and steal their contacts, photos, videos and anything else on their phones.

Stalkerware has become so reviled by privacy experts, security researchers and lawmakers that antivirus makers have promised to do more to better detect the spyware.

TechCrunch obtained a copy of the KidsGuard app. Using a burner Android phone with the microphones and cameras sealed, we tested the spywarecapabilities. We also uploaded the app to online malware scanning service VirusTotal, which runs uploaded files against dozens of different antivirus makers. Only eight antivirus engines flagged the sample as malicious — including Kaspersky, a member of the Coalition Against Stalkerware and F-Secure.

Yoong Jien Chiam, a researcher at F-SecureTactical Defense unit, analyzed the app and found it can obtain &GPS locations, account name, on-screen screenshots, keystrokes, and is also accessing photos, videos, and browser history.&

KidsGuarddeveloper, ClevGuard, does not make it easy to uninstall the spyware. But this brief guide will help you to identify if the spyware is on your device and how to remove it.

Before you continue, some versions of Android may have slightly different menu options, and you take these following steps at your own risk. This only removes the spyware, and does not delete any data that was uploaded to the cloud.

How to identify the spyware

If you have an Android device, go to Settings >Apps, then scroll down and see if &System Update Service& is listed. This is what ClevGuard calls the app to disguise it from the user. If you see it, it is likely that you are infected with the spyware.

First, remove the spyware as a &device administrator&

Go to Settings > Security, thenDevice administrators, then untick the &System Update Service& box, then hit Deactivate.

Then remove the app&usage access&

Now, go back to Settings > Security, then scroll to Apps with usage access. Once here, tap on &System Update Service,& then switch off the permit usage toggle.

Also remove the spyware¬ification access&

Once that is done, go back to Settings > Sound - notification, then go to Notification access. Now switch off the toggle for &System Update Service.&

Now you can uninstall the spyware from your device

Following those steps, you have effectively disabled the spyware. Now you are able to uninstall it. Go to Settings > Apps and scroll down to &System Update Service.& You should be able to hit Uninstall, but you may need to hit Force Stop first. Tap OK to uninstall the app. This may take a few minutes.

Secure your device again

Now that you&ve rid your device of the spyware, you&ll need to enable a couple of settings that were switched off when your device was first infected. Firstly, go back to Settings > Security, then switch off the toggle for Unknown sources. Secondly, go to the Play Store > Play Protect. If you have the option, select Turn on. Once iton, you should check to ensure that it &looks good.&