Windows' "Defender" software is supposed to detect malware. But its Microsoft team is now investigating reports that it's mistakenly flagging Electron-based or Chromium-based applications — as malware.

"It's a false positive, and your computer is OK," wites the blog Windows Central: This morning, many people worldwide experienced Microsoft Defender warning them of a recurring virus threat.... People on Reddit are "freaking out" over not just a reported threat from Microsoft Defender but one that keeps popping up and recurring despite the alleged threat being blocked.

The threat is revealed in a pop-up message noting that "Behavior:Win32/Hive.ZY" has been detected and is listed as "severe." However, after taking action to rectify the issue, it does not go away, and the user will keep receiving the same prompt. The reminder may return after 20 seconds, with the cycle repeating endlessly.

This detection appears to be a false positive, according to a Microsoft Support forum... From DaveM121, an Independent Advisor: [I]t is a bug currently being reported by hundreds of people at the moment, it seems to be related to all Chromium based web browsers and Electron based apps like Whatsapp, Discord, Spotify, etc....
Also affected are Google Chrome and even Microsoft Edge, as well as "anything that runs Visual Studio Code," according to the article.

"The problem seems to originate from Defender's Definition/Update Version 1.373.1508.0, meaning Microsoft needs to update that file, and the issue should be resolved."

Google has removed browser extensions with more than 1.4 million downloads from the Chrome Web Store after third-party researchers reported they were surreptitiously tracking users' browsing history and inserting tracking code into specific ecommerce sites they visited. ArsTechnica: The five extensions flagged by McAfee purport to offer various services, including the ability to stream Netflix videos to groups of people, take screenshots, and automatically find and apply coupon codes. Behind the scenes, company researchers said, the extensions kept a running list of each site a user visited and took additional actions when users landed on specific sites. The extensions sent the name of each site visited to the developer-designated site d.langhort.com, along with a unique identifier and the country, city, and zip code of the visiting device. If the site visited matched a list of ecommerce sites, the developer domain instructed the extensions to insert JavaScript into the visited page. The code modified the cookies for the site so that the extension authors receive affiliate payment for any items purchased. To help keep the activity covert, some of the extensions were programmed to wait 15 days after installation before beginning the data collection and code injection.

An anonymous reader quotes a story from the Linux/Open Source news site It's FOSS: While Firefox is still the default web browser in Debian, you can find the Chromium browser in the repositories. Chromium is the open source project upon which Google has built its Chrome web browser. It is also preferred by many Linux users as it provides almost the same features as Google Chrome.

Earlier, Chromium used Google as the default search engine in Debian. However, Debian is going to use DuckDuckGo as the default search engine for Chromium.

It all started when bug report #956012 was filed in April 2020, stating to use DuckDuckGo as the default search engine for the Chromium package. You can see the decision was not taken in any hurry, as the maintainers took more than two years to close the bug report.

The reason for the change goes as stated in the official package update announcement.

Change default search engine to DuckDuckGo for privacy reasons. Set a different search engine under Settings -> Search Engine (closes: #956012).

Google is trying "to make it easier for developers to create Android apps that connect in some way across a range of devices," reports the Verge. Documentation for the software development kit says it will simplify development for "multi-device experiences."

"The Cross device SDK is open-source and will be available for different Android surfaces and non-Android ecosystem devices (Chrome OS, Windows, iOS)," explains the documentation, though the current developer preview only works with Android phones and tablets, according to the Verge.

But they report that Google's new SDK "contains the tools developers need to make their apps play nice across Android devices, and, eventually non-Android phones, tablets, TVs, cars, and more." The SDK is supposed to let developers do three key things with their apps: discover nearby devices, establish secure connections between devices, and host an app's experience across multiple devices. According to Google, its cross-device SDK uses Wi-Fi, Bluetooth, and ultra-wideband to deliver multi-device connectivity.... [I]t could let multiple users on separate devices choose items from a menu when creating a group food order, saving you from passing your phone around the room. It could also let you pick up where you left off in an article when swapping from your phone to a tablet, or even allow the passengers in a car to share a specific map location with the vehicle's navigation system.

It almost sounds like an expansion of Nearby Share, which enables users on Android to transfer files to devices that use Chrome OS and other Androids. In April, Esper's Mishaal Rahman spotted an upcoming Nearby Share update that could let you quickly share files across the devices that you're signed into Google with. Google also said during a CES 2022 keynote that it will bring Nearby Share to Windows devices later this year.
"This SDK abstracts away the intricacies involved with working with device discovery, authentication, and connection protocols," argues Google's blog post, "allowing you to focus on what matters most — building delightful user experiences and connecting these experiences across a variety of form factors and platforms."

Slashdot reader storagedude writes: Hackers are stealing cookies from current or recent web sessions to bypass multi-factor authentication (MFA), according to an eSecurity Planet report.

The attack method, reported by Sophos researchers, is already growing in use. The "cookie-stealing cybercrime spectrum" is broad, the researchers wrote, ranging from "entry-level criminals" to advanced adversaries, using various techniques.

Cybercriminals collect cookies or buy stolen credentials "in bulk" on dark web forums. Ransomware groups also harvest cookies and "their activities may not be detected by simple anti-malware defenses because of their abuse of legitimate executables, both already present and brought along as tools," the researchers wrote.

Browsers allow users to maintain authentication, remember passwords and autofill forms. That might seem convenient, but attackers can exploit this functionality to steal credentials and skip the login challenge.

Behind the scenes, browsers use SQLite database files that contain cookies. These cookies are composed of key-value pairs, and the values often contain critical information such as tokens and expiration dates.

Adversaries know the exact name and location of these files for all major browsers such as Chrome, Firefox, and even Brave, on various operating systems. That's why the attack can be scripted. It's not uncommon to find such scripts along with other modules in info-stealing and other malware.

For example, the latest version of the Emotet botnet targets cookies and credentials stored by browsers, which include saved credit cards. According to the Sophos researchers, "Google's Chrome browser uses the same encryption method to store both multi-factor authentication cookies and credit card data."

To gain initial access, attackers can also perform phishing and spear-phishing campaigns to implant droppers that can deploy cookie-stealer malware stealthily.

The cookies are then used for post-exploitation and lateral movements. Cybercriminals can use them to change passwords and emails associated with user accounts, or trick the victims into downloading additional malware, or even deploy other exploitation tools such as Cobalt Strike and Impacket kit.

Users should not use built-in features to save passwords unless the browser encrypts them with, at least, a master password. It's recommended that users uncheck the setting called "remember passwords," and users should probably not allow persistent sessions as well.

Developers can be part of the problem if they don't secure authentication cookies properly. Such cookies must have a short expiration date. Otherwise, the persistent authentication could turn into a persistent threat. You can have great security processes and still get hacked because the cookies do not have the necessary flags (e.g., HttpOnly, Secure attribute). For example, authentication cookies must be sent using SSL/TLS channels. Otherwise the data could be sent in plain text and attackers would only have to sniff traffic to intercept credentials.

The USB Rubber Ducky "has a new incarnation, released to coincide with the Def Con hacking conference this year," reports The Verge. From the report: To the human eye, the USB Rubber Ducky looks like an unremarkable USB flash drive. Plug it into a computer, though, and the machine sees it as a USB keyboard -- which means it accepts keystroke commands from the device just as if a person was typing them in. The original Rubber Ducky was released over 10 years ago and became a fan favorite among hackers (it was even featured in a Mr. Robot scene). There have been a number of incremental updates since then, but the newest Rubber Ducky makes a leap forward with a set of new features that make it far more flexible and powerful than before.

With the right approach, the possibilities are almost endless. Already, previous versions of the Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user's login credentials or causing Chrome to send all saved passwords to an attacker's webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms. The newest Rubber Ducky aims to overcome these limitations.

It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that). That means, for example, the new Ducky can run a test to see if it's plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect. Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, "Sorry, I guess that USB drive is broken," and take it back with all their passwords saved.

Nvidia is upgrading its GeForce Now game streaming service to support 1440p resolution at 120fps in a Chrome or Edge browser. GeForce Now members on the RTX 3080 tier of the service will be able to access the new browser gameplay options today by selecting 1440p on the GeForce Now web version. From a report: Nvidia originally launched its RTX 3080 GeForce Now membership tier last year, offering streams of up to 1440p resolution with 120fps on PCs and Macs or 4K HDR at 60fps on Nvidia's Shield TV. Previously, you had to download the dedicated Mac or Windows apps to access 1440p resolution and 120fps support, as the web version was limited to 1080p at 60fps.

ChromeOS 104 is rolling out starting today with several big interface updates that improve how you use the operating system. 9to5Google reports: ChromeOS 104 introduces proper dark and light themes that touch every aspect of the user interface. This includes the shelf, app launcher, Files app, and the backgrounds of various settings pages. You can enable the dark theme from the second page of Quick Settings. Google also created wallpapers that "subtly shift from light to dark," depending on the set theme. After updating, you'll notice that the month and day now appear to the left of the time in the shelf. Tapping opens a monthly calendar with the ability to tap a day to see all events, with an additional click opening the Google Calendar PWA. You can see other months and quickly return to "Today." This takes up the same size as Quick Settings, while any available alerts appear just above. Notifications from the same sender are now grouped together, while there are bigger touch targets for alert actions.

The redesigned Launcher that's more compact and does not take up your entire screen is seeing wider availability. Additionally, some might be able to quickly search for Android apps from the Play Store with an inline rating. Version 104 of ChromeOS introduces a more full-featured Gallery app (with a new purple icon) that can open PDFs with the ability to fill out forms, sign documents, and make text annotations, like highlights. There's also a new Wallpaper & style application that's accessed by right-clicking the shelf and selecting the last option. Besides the collections curated by Google, you can set wallpapers from your Google Photos library. There's the ability to select an album and have a new background appear daily. This experience also lets you set the device theme (auto-switching available), and Screen saver with three styles available: Slide show, Feel the breeze, and Float on by.

An anonymous reader quotes a report from Forbes: According to cyber security firm Volexity, the threat research team has found the North Korean 'SharpTongue' group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn't need your Gmail login credentials at all. Instead, it "directly inspects and exfiltrates data" from a Gmail account as the victim browses it. This quickly evolving threat, Volexity says it is already on version 3.0 according to the malware's internal versioning, can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.

The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is "most likely tasked by the North Korean regime with a global intelligence gathering mission." While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U. S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U. S. and Europe. The common denominator between them is that the victims often " work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea."

The report says that SHARPEXT differs from previous browser extensions deployed by these hacking espionage groups in that it doesn't attempt to grab login credentials but bypasses the need for these and can grab email data as the user reads it. The good news is that your system needs to be compromised by some means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be. Once a system has been compromised by phishing, malware, unpatched vulnerabilities, whatever, the threat actors can install the extension using a malicious VB script that replaces the system preference files. Once that's done and the extension runs quietly in the background, it is tough to detect. The user logs in to their Gmail account from their normal browser on the expected system. The security researchers recommend "enabling and analyzing PowerShell ScriptBlock logging" to detect whether you've been targeted by this attack, reports Forbes. Additionally, they recommend reviewing installed extensions regularly, especially looking for ones you don't recognize or are not available from the Chrome Web Store.

Google was originally planning to get rid of third-party cookies in its browser by 2022, but that was later pushed back to 2023. That cookies deadline for Chrome is now being delayed to 2024. From a report: The Privacy Sandbox is Google's initiative to replace third-party cookies -- as well as cross-site tracking identifiers, fingerprinting, and other covert techniques -- once privacy-conscious alternatives are in place. Since then, Google has been working on new technologies for the past few years and more recently released trials in Chrome for developers to test. Citing "consistent feedback" from partners, Google is "expanding the testing windows for the Privacy Sandbox APIs before we disable third-party cookies in Chrome," with that phase out now set to begin in the second half of 2024.

"Google has released security updates for Google Chrome browser for Windows, Mac and Linux, addressing vulnerabilities that could allow a remote attacker to take control of systems," reports ZDNet: There are 11 fixes in total, including five that are classed as high-severity. As a result, CISA has issued an alert encouraging IT administrators and regular users to install the updates as soon as possible to ensure their systems are not vulnerable to the flaws.

Among the most severe vulnerabilities that are patched by the Google Chrome update is CVE-2022-2477, a vulnerability caused by a use-after-free flaw in Guest View, which could allow a remote attacker to execute arbitrary code on systems or crash them... Another of the vulnerabilities, CVE-2022-2480, relates to a use-after-free flaw in the Service Worker API, which which acts as a proxy server that sit between web applications, the browser and the network in order to improve offline experiences, among other things.

In an upcoming update, Chromebooks equipped with mobile data will be able to serve as a Wi-Fi hotspot for other devices, just like Android and iOS devices can today. 9to5Google reports: The work-in-progress feature has made its first appearance in ChromeOS code in the form of a new flag coming to chrome://flags. The details are quite slim at the moment, with little more than the flag description available today. That said, it's easy to imagine how a mobile hotspot would work on ChromeOS, based on how the same feature works on Android phones today.

Presumably, you would be able to choose the name and password for your Chromebook's hotspot through the Settings app in ChromeOS, where you can also toggle the hotspot on and off. If it truly follows the example of Android, there would also be an easy way to turn on your hotspot through a Quick Settings toggle.

Denmark is effectively banning Google's services in schools, after officials in the municipality of Helsingor were last year ordered to carry out a risk assessment around the processing of personal data by Google. TechCrunch reports: In a verdict published last week, Denmark's data protection agency, Datatilsynet, revealed that data processing involving students using Google's cloud-based Workspace software suite -- which includes Gmail, Google Docs, Calendar and Google Drive -- "does not meet the requirements" of the European Union's GDPR data privacy regulations. Specifically, the authority found that the data processor agreement -- or Google's terms and conditions -- seemingly allow for data to be transferred to other countries for the purpose of providing support, even though the data is ordinarily stored in one of Google's EU data centers.

Google's Chromebook laptops, and by extension Google Workspace, are used in schools across Denmark. But Datatilsynet focused specifically on Helsingor for the risk assessment after the municipality reported a "breach of personal data security" back in 2020. While this latest ruling technically only applies to schools in Helsingor for now, Datatilsynet notes that many of the conclusions it has reached will "probably apply to other municipalities" that use Google Chromebooks and Workspace. It added that it expects these other municipalities "to take relevant steps" off the back of the decision it reached in Helsingor. The ban is effective immediately, but Helsingor has until August 3 to delete user data. A Google spokesperson told TechCrunch in a statement: "We know that students and schools expect the technology they use to be legally compliant, responsible, and safe. That's why for years, Google has invested in privacy best practices and diligent risk assessments, and made our documentation widely available so anyone can see how we help organizations to comply with the GDPR.

Schools own their own data. We only process their data in accordance with our contracts with them. In Workspace for Education, students' data is never used for advertising or other commercial purposes. Independent organizations have audited our services, and we keep our practices under constant review to maintain the highest possible standards of safety and compliance."

After over a decade as a mobile-only service, Snapchat is coming to your desktop. CNBC reports: Snap, the parent of the popular photo and messaging app, said Monday that it's debuting Snapchat for Web, allowing users to send messages and make video calls to their contacts from their computers. The new desktop version of Snapchat will at first only be available to Australian and New Zealand users, in addition to Snapchat+ subscribers in the U.S., U.K. and Canada. Snap launched Snapchat+ in June, allowing users to pay $3.99 a month for more advanced features, like changing the style of their app icon and seeing who's viewed their content.

The web offering will be a more stripped-down version of the mobile app, primarily focusing on the app's messaging feature as opposed to its Stories feature. Like the core Snap app, messages will disappear after 24 hours, and any Snaps users watch from their desktop computers will delete right after viewing. Eventually, Snap says it will bring more features of the app to desktop version, including the ability for users to liven up their video calls with the use of Lenses. Currently, people will have to access Snapchat for Web via the Chrome browser, but the company said that it would soon support other browsers and could release a desktop app in the future.

An anonymous reader quotes a report from Wired: [R]esearchers from the New Jersey Institute of Technology are warning this week about a novel technique attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets' digital lives. The findings (PDF), which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

When you visit a website, the page can capture your IP address, but this doesn't necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target's browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser. "If you're an average internet user, you may not think too much about your privacy when you visit a random website," says Reza Curtmola, one of the study authors and a computer science professor at NJIT. "But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they're very stealthy. You just visit the website and you have no idea that you've been exposed."

How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it -- the attack works both ways. Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content. [...] Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work. It would only take a couple of seconds to potentially unmask each visitor to the malicious site -- and it would be virtually impossible for an unsuspecting user to detect the hack. The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn't available for all browsers.

A new study from Germany has found that working in virtual reality does not increase productivity, comfort, or wellbeing, but does say the report will help identify opportunities for improving the experience of working in VR in the future. From a report: The project was headed by Dr Jens Grubert, a specialist in human-computer interaction at Coburg University, Germany. It involved 16 people who had to work for five days, eight hours a week (with 45 mins lunch break), in VR. The participants used Meta Quest 2 VR headsets combined with a Logitech K830 keyboard and Chrome Remote Desktop. The equipment was chosen specifically to create a realistic scenario of what users would be using in today's world.

Participants were also asked specific VR-related questions ('do you feel sick?' or 'are your eyes starting to hurt?'). The research team also monitored the worker's heartbeats and typing speed. The published paper, entitled 'Quantifying the Effects of Working in VR for One Week' found "concerning levels of simulator sickness, below average usability ratings and two participants dropped out on the first day using VR, due to migraine, nausea and anxiety." The study found that, as expected, VR results in significantly worse ratings across most measures. Each test subject scored their VR working experience versus working in a physical environment, many felt their task load had increased, on average by 35%. Frustration was by 42%, the 'negative affect' was up 11%, and anxiety rose by 19%. Mental wellbeing decreased by 20%., eye strain rose 48%, and VR ranked 36% lower on usability. Participants' self-rated workflow went down by 14% and their perceived productivity dropped by 16%.

Google is releasing Chrome OS Flex today, a new version of Chrome OS that's designed for businesses and schools to install and run on old PCs and Macs. From a report: Google first started testing Chrome OS Flex earlier this year in an early access preview, and the company has now resolved 600 bugs to roll out Flex to businesses and schools today. Chrome OS Flex is designed primarily for businesses running old Windows PCs, as Google has been testing and verifying devices from Acer, Asus, Dell, HP, Lenovo, LG, Toshiba, and many more OEMs. Flex will even run on some old Macs, including some 10-year-old MacBooks. The support of old hardware is the big selling point of Chrome OS Flex, as businesses don't have to ditch existing hardware to get the latest modern operating system. More than 400 devices are certified to work, and installation is as easy as using a USB drive to install Chrome OS Flex.

EU antitrust regulators are investigating the video licensing policy of the Alliance for Open Media (AOM), whose members include Alphabet Google, Amazon, Apple and Meta , the European Commission said on Thursday. Reuters reports: Founded in 2015, the group aims to create a new standard software for streaming higher-quality 4K video on browsers, devices, apps, and gaming, known as AV1. While the AV1 software is not yet adopted widely, Netflix and YouTube have started using it for some customers, and browsers such as Google Chrome and Firefox have started to support the new format. Intel, Huawei, Mozilla, Samsung and Nvidia are also AOM members, according to its website.

In a questionnaire sent to some companies earlier this year and seen by Reuters, the EU watchdog said it was investigating alleged anti-competitive behavior related to the license terms of AV1 by AOM and its members in Europe. "The Commission has information that AOM and its members may be imposing licensing terms (mandatory royalty-free cross licensing) on innovators that were not a part of AOM at the time of the creation of the AV1 technical, but whose patents are deemed essential to (its) technical specifications," the paper said. It said this action may be restricting the innovators' ability to compete with the AV1 technical specification, and also eliminate incentives for them to innovate.

The questionnaire also asked about the impact of an AOM patent license clause in which licensees would have their patent licenses terminated immediately if they launched patent lawsuits asserting that implementation infringes their claims. Companies risk fines of up to 10% of their global turnover for breaching EU antitrust rules.

Google is testing a method to boost the battery life of Chromebooks by changing how they work with the Chrome web browser. It's shaping up to be a potentially attractive update for users who leave a lot of tabs open on their Chromebooks. From a report: Google Chrome currently cuts the CPU time and throttles the CPU load for any tab you haven't touched or looked at for five minutes. Google calls this "intensive throttling of JavaScript timer wake up," and it's supposed to help conserve system battery life. The feature also makes the page wake up once every 60 seconds to check if you're actively using the tab again. It seems Google is interested in pushing the idea even further, at least for Chromebook users. About Chromebooks this week spotted a new flag in Chrome OS 105, currently being tested in the dev channel, that changes this five-minute period to 10 seconds.

As noted by a Reddit user and confirmed by Ars Technica, Microsoft's xCloud game streaming looks noticeable worse when running on Linux than Windows. From the report: With the Linux User-Agent, edges are generally less sharp and colors are a little more washed out. The difference is even more apparent if you zoom in on the Forza logo and menu text, which shows a significant reduction in clarity. Interestingly, the dip in quality seems to go away if you enable "Clarity Boost, an Edge-exclusive feature that "provid[es] the optimal look and feel while playing Xbox games from the cloud," according to Microsoft. That's great for Linux users who switched over to Microsoft Edge when it launched on Linux last November. But Linux users who stick with Firefox, Chrome, or other browsers are currently stuck with apparently reduced streaming quality.

That Linux quality dip has led some to speculate that Microsoft is trying to reserve the best xCloud streaming performance for Windows machines in an attempt to attract more users to its own operating system. But using a Macintosh User-Agent string provides streaming performance similar to that on Windows, which would seem to be a big omission if that theory were true. Microsoft also hasn't published any kind of "best on Windows"-style marketing in promoting xCloud streaming, which would seemingly be a key component of trying to attract new Windows users. (The quality difference could be a roundabout attempt to get Linux users to switch to the Edge browser, where Clarity Boost offers the best possible quality. But that still wouldn't fully explain why Windows users on other browsers, without Clarity Boost, also get better streaming quality than their Linux brethren.)

Others have suggested that the downgrade could simply be a bug caused by Microsoft's naive parsing of the User-Agent strings. That's because the User-Agent strings for Android browsers generally identify themselves as some version of Linux ("Linux; Android 11; HD1905," for example). Microsoft's xCloud code might simply see the "Linux" in that string, assume the user is running Android, then automatically throttle the streaming quality to account for the (presumably) reduced screen size of an Android phone or tablet.