Year: 2020

A security vulnerability in Android could have allowed malicious apps to siphon off sensitive data from other apps on the same device.

App security startup Oversecured found the flaw in Google’s widely-used Play Core library, which lets developers push in-app updates and new feature modules to their Android apps, like language packs or game levels.

A malicious app on the same Android device could exploit the vulnerability by injecting malicious modules into other apps that rely on the library to steal private information, like passwords and credit card numbers, from inside the app.

Sergey Toshin, founder of Oversecured, told TechCrunch that exploiting the bug was “pretty easy.”

The startup built a proof-of-concept app using a few lines of code and tested the vulnerability on Google Chrome for Android, which relied on a vulnerable version of the Play Core library. Toshin said the proof-of-concept app was able to steal a victim’s browsing history, passwords, and login cookies.

But Toshin said that the bug also affected some of the most popular apps in the Android app store.

Google confirmed the bug, rated 8.8 out of 10.0 for severity, is now fixed. “We appreciate the researcher reporting this issue to us, and as a result it was patched in March,” said a Google spokesperson.

Toshin said app developers should update their apps with the latest Play Core library to remove the threat.

The market for female-focused health products (aka ‘femtech’) is set for growth via segmentation, per an analyst note from PitchBook which identifies opportunities for entrepreneurs to target a growing number of health issues that specifically affect women or affect women in a specific way — broadening out from a traditional focus on reproductive health.

Femtech remains a “significantly underdeveloped” slice of healthtech, according to the analysis, which highlights the disparity between how much women spend annually on medical expenses — estimated at ~$500BN — vs how little healthcare R&D is targeted specifically at women’s health issues (a mere 4%).

Last year the global market for female-focused health products generated $820.6M, per the note, and is estimated to reach at least $3BN by the end of 2030. While it says femtech posted $592.1M in VC investment in 2019, slightly down on 2018’s $620.3M. But so far this year it’s racked up $376.2M in VC across 57 deals — putting it on pace to match 2019’s funding levels.

Areas of growth opportunity PitchBook sees for femtech outside its traditional focus on reproductive health are: Endometriosis, a painful disorder of the womb lining affecting one in 10 women; what it calls “personalized and female-oriented approaches to general health & disease management”, with a specific focus on heart health, pain management, and diabetes and weight management within that; and the life-stage transition of the menopause.

“While we still view femtech as a niche industry, we believe secular drivers could help propel new growth opportunities in the space,” write analysts Kaia Colban and Andrew Akers. “These include the increasing representation of women in the venture-backed technology community, rising awareness and acceptance of women’s health issues, and the growing prevalence of infectious diseases among women in some countries in Africa and Asia.

“Furthermore, while the majority of femtech products have traditionally focused on reproductive health, we believe new approaches to women’s health research will help open the door to new products and services.”

Expansion of the vertical is being driven by universal growth of the personalized medicine industry — which PitchBook notes is expected to reach $3.2TR by 2025, registering a CAGR of 10.6% over the forecast period.

While the massive underrepresentation of women in the venture community goes a long way to explaining the relative lack of attention investors have paid to products addressing women’s health — with the note acknowledging pitching to male investors remains a challenge for femtech startups — it suggests investors have also been cool on the subcategory because of a relatively poor track record of “sizable” exits.

“Only six femtech exits were completed in 2019; however, this still represents a 64% increase in exit value compared to 2018,” it writes. “The largest exits in recent years include Progyny’s $130M IPO and Procter & Gamble’s acquisition of This is L. for $100M. Progyny’s stock has roughly doubled in the eight months since it went public.”

PitchBook says it expects just 14% of VC to go toward female-founded startups this year — further noting that only 17% of startups have at least one female founder. (For femtech startups the figure is considerably higher — yet still only 69% of those PitchBook tracks; NB, this does not include startups building products targeted at women where there isn’t a medical need, such as skincare & beauty etc.)

“However, we believe these barriers may be subsiding as male investors begin to recognize the femtech market opportunity and as the VC world becomes more gender-diverse,” it adds, noting that female-founded companies deliver over twice as much per dollar invested than their male-owned counterparts which it reckons could help to turn more investors’ heads.

Other key industry growth drivers the note points to are a conducive regulatory environment; a rise in preventative medicine & holistic health; and advancements in health technology that have made personalized products more accessible and affordable, such as AI and “cloud-based infomatics”.

On the M&A front, PitchBook notes this is most common for femtech startups in the general health & wellness category. And while most remain single-product companies it says it expects a maturing femtech industry to lead to product diversification — “potentially driven by M&A” — noting recent examples of pregnancy-focused apps tapping into the menopause market, which it says suggests an expanding opportunity for fertility startups.

Looks like another chapter is opening up for Wirecard, the disgraced fintech out of Germany that collapsed into insolvency earlier this year after facing a huge accounting scandal and subsequently failing to make payments on $1.5 billion in loans coming due.

Railsbank, the UK startup backed by Visa and others that offers a range of financial and banking services by way of a set of APIs, has agreed to purchase Wirecard Card Solutions, the UK business that includes card technology and associated assets, including existing client business and some employees.

Terms of the deal are not being disclosed, but a spokesperson for Wirecard said that the deal is expected to be completed in November and represents a significant part of the bigger Wirecard business.

That business, which was publicly traded in Germany, was valued at as much as $19 billion after funding rounds led by the likes of Softbank, and the story of its downfall had been marked out in lots of detail both as it played out and in the months since.

Wirecard Card Solutions is a huge operation in and of itself, with strong links into the wider fintech landscape in Europe. Its services include customised card products as well as debit, prepaid and credit cards, and it’s one of the largest prepaid issuers in Europe that also provides services to Monzo, FairFX, Revolut, Transferwise, Uaccount, Soldo, and Pockit.

Interestingly, Railsbank on paper seems to be a much smaller business. Co-founded by Nigel Verdon and Clive Mitchell, it has raised around $17 million and carries and equally modest valuation, per PitchBook data. (This could imply that the business is being picked up possibly more for shares than cash?)

Of note, Wirecard Acquiring & Issuing GmbH and part of the Wirecard AG group, the parent company in Germany, will continue to hold some shares in Wirecard Card Solutions, the company said.

“In planning the future of the company, one of our key priorities continues to be that our valued customers get the best possible outcome. We believe that our solvent wind-down proposal, including the proposed sale of assets to Railsbank, will achieve that key priority,” said Tom Jennings, MD, Wirecard Card Solutions, in a statement.

“Our hope is that our programme managers will support our proposal and we can move forward in a positive way for all parties. I would like to thank our customers for their ongoing support as well as Mastercard and Visa for their help in making this transition as seamless as possible.”

“We are delighted to have come to this agreement with Wirecard Card Solutions and thank its team for working positively with us during the process,” said Verdon, Railsbank CEO, in a statement. “At the end of the day, customer and team needs are our priority. The Railsbank team will conscientiously work on ensuring customers, programme managers and team members have a seamless transfer to their new home.”

Railsbank’s initial interest in acquiring the distressed assets was first reported last week. In the interim, the startup had emerged as a key benefactor of Wirecard’s downfall: Wirex, a “crypto-friendly” currency account that offers users payment cards that let them pay in local currencies without fees, earlier this week confirmed that it would be switching from Wirecard to Railsbank for card issuing services.

Railsbank said that it already runs some 50 card programs in the UK, EU, US and Singapore and so has the infrastructure in place to take on Wirecard’s business.

No surprise that Railsbank is highlighting this: the migration timing is a critical part of the deal. The development caps off months of speculation around what would happen to Wirecard, which — in addition to its fintech customers and partners — had enterprise customers that included Olympus, Getty Images, Orange and KLM before it hit the rocks.

But given that there are a number of other strong competitors in the same area of enabling business payments, card issuing and related banking and financial services — they include Adyen, FirstData, WorldPay, Stripe, Railscard and more — the big issue was always going to be how quickly the troubled Wirecard business could be acquired and migrated to a potential buyer, before those customers fled.

Undermyfork, a diabetes tracking app designed to help people with the disease improve “time-in-range” and better manage their condition, has raised $400,000 in seed funding.

Investment comes from AltaIR Capital and Runa Capital . Undermyfork co-founder Mike Ushakov’s previous company, Metabar (the maker of the browser add-on Sovetnik), was also backed by Runa, before being acquired by Yandex several years ago.

The Undermyfork app combines meal photos with glucose data coming from a continuous glucose monitor (CGM) device. The aim is to let users correlate meals with changes in blood glucose levels. Specifically, it focuses on “time-in-range” — the percentage of time that a person spends with their blood glucose levels in a target range, considered the most important metric in modern diabetes management.

“With our app, we want to help people with diabetes correct their lifestyle and eating habits, and improve their time-in-range,” Ushakov tells me. “Undermyfork is a very simple tool now: it combines meal photos and insulin data with glucose data, and allows the users to clearly see which meals are driving them out of the safe blood glucose range.

“We help people with diabetes not just to see their blood glucose data, but to interpret the data and make useful conclusions that could improve their life. You can say it’s like ‘Google analytics for blood sugar.’ ”

More broadly, Undermyfork is betting that continuous glucose monitoring devices will replace traditional finger-pricking blood glucose meters in the coming years. The strategy is to establish itself as the default companion app for CGMs, but to do so it will need to gain access to CGM-generated data.

“Undermyfork relies on CGM data, so we need to have the partners to provide us with this data,” explains Ushakov. “This month, simultaneously with closing our round, we partnered with Dexcom, which is the leading CGM manufacturer in the U.S. We now have access to Dexcom’s retrospective API, letting users stream data directly from their Dexcom cloud to the Undermyfork app.”

This also sets up Undermyfork for a U.S. launch. Noteworthy, the mostly Europe-based team is entirely remote. Ushakov is in Amsterdam, co-founder Eugene Molodkin is in St.Petersburg and other team members are in Germany, Netherlands, Russia, Slovenia and Israel.

As you know by now, Disrupt is going completely virtual for its 10th anniversary. TechCrunch’s Asia team (me, Rita Liao and Manish Singh) will miss seeing everyone in Moscone Center, but this will be the most accessible Disrupt ever, and we are excited to bring a full roster of Asia-focused sessions to its agenda for the first time. The sessions, with people from some of Asia’s most influential tech companies, startups and investment firms, will be broadcast during the day in this part of the world, followed by live Q&A sessions. And of course, all Disrupt attendees will get full access to everything TechCrunch’s team has spent months working to bring online: the Disrupt and Extra Crunch stages, virtual networking at CrunchMatch and Digital Startup Alley.

Many of the most important recent startup trends and tech stories have come from Asia, or were driven by Asian companies. The continent is home to several of the world’s most complex and dynamic markets: China, India and Indonesia, to name just some of the biggest ones.

Available at a time that works best for you, catch these sessions Sept 15-18th from 1:00 PM – 2:00 PM HKT. Immediately after each interview, join the speakers for a live Q&A. So come with your questions!

India is Facebook’s biggest market by number of users, and our speakers will include its head of India, Ajit Mohan.

We also have Russell Cohen, regional head of operations at Grab, the ride-hailing company that acquired Uber’s Southeast Asia operations two years ago and is now also one of the region’s largest on-demand delivery platforms.

Byju Raveendran, founder of BYJU’s, India’s most highly-valued edtech startup, will talk about online learning, one of this year’s most important topics.

As another example of how tech innovations in Asia influence other parts of the world, we will speak to Kaisei Hamamoto, co-founder and chief operating officer of SmartNews, which runs versions of its news aggregator app in two very different markets, Japan and the United States.

Our lineup of founders include Sonny Vu, whose last startup, Misfit, was acquired by Apple, and is currently the chief executive officer of continuous carbon-fiber 3D printing company Arevo.

We’ll also talk to Steven Yang of Anker about how he built his company into one of the most popular and well-regarded smartphone charger and power bank brands.

Gillian Tee, founder of Singapore-based caregiving and telehealth startup Homage, will share insights about how tech can serve the world’s most vulnerable people.

On the investment side, we will hear from Edith Yeung, general partner at Race Capital, about emerging technology trends in China and Silicon Valley.

East Ventures, one of the most prolific and influential investment firms in Indonesia, Southeast Asia’s largest market, will be represented by Melisa Irene, the firm’s first female partner.

And Karthik Reddy, co-founder of Blume Ventures, will be on hand to talk about the challenges and opportunities of helping build India’s startup ecosystem.

Each session will be followed by a live Q&A, so attendees will get a chance to ask each speaker questions. Stay tuned for the final schedule. In the meantime, make sure to get your pass to attend these sessions and a whole bunch more! If you move quickly, you can take advantage of savings on your pro pass if you buy before Friday, September 11 at 11:59pm PT.

Elon Musk called an attempted cyberattack against Tesla “serious,” a comment that confirms the company was the target of a foiled ransomware attempt at its massive factory near Reno, Nevada.

The Justice Department released a complaint Thursday that described a thwarted malware attack against an unnamed company in Sparks, Nevada. Tesla has a factory in Sparks that makes battery cells, packs and electric motors; while Tesla was not named in the complaint several blogs, including Electrek and Teslarati, reported that the company was the target.

The Justice Department alleged that Russian national Egor Igorevich Kriuchkov, 27, attempted to recruit and bribe a Tesla employee to introduce malware in the company’s network.

The malware was designed to install ransomware, a kind of malware that encrypts a victim’s files in exchange for a ransom. Prosecutors said the ransomware used an increasingly popular new tactic that not only encrypt a victim’s files but also exfiltrates the data to the hacker’s servers. The hackers typically threaten to publish the victim’s files if the ransom isn’t paid.

An unnamed employee at the Tesla factory, known as the Gigafactory, met with Kriuchkov, who allegedly offered to pay him $1 million to introduce malware into the computer network. The employee informed Tesla, which then notified the Federal Bureau of Investigations. The FBI used the employee in a sting operation.

Kriuchkov was arrested August 22.

Turmoil continues at TikTok, Salesforce lays off 1,000 people and Warby Parker is now valued at $3 billion. This is your Daily Crunch for August 27, 2020.

The big story: TikTok’s CEO resigns

Kevin Mayer, the former Disney executive who joined TikTok as CEO just over 100 days ago, announced yesterday that he’s resigning. While Mayer was likely brought on to reassure U.S. legislators about the app’s Chinese owners, it seems he wasn’t expecting this level of conflict, with President Donald Trump signing an executive order that would ban TikTok in the U.S. unless it’s sold to another company.

“We appreciate that the political dynamics of the last few months have significantly changed what the scope of Kevin’s role would be going forward, and fully respect his decision,” a TikTok spokesperson said in a statement. “We thank him for his time at the company and wish him well.”

As for which company might acquire TikTok, Walmart has confirmed that it’s interested in teaming up with Microsoft to acquire the popular video app.

The tech giants

Salesforce confirms it’s laying off around 1,000 people in spite of monster quarter — Salesforce says it’s “reallocating resources to position the company for continued growth.”

Google Assistant app now uses your searches to make personalized recommendations — Those recommendations could include podcasts, restaurants, recipes and more.

Facebook isn’t happy about Apple’s upcoming ad tracking restrictions — The company says Audience Network revenue could decline by more than 50%.

Startups, funding and venture capital

Warby Parker, valued at $3 billion, raises $245 million in funding — The eyewear startup has launched a telehealth service for New York customers, allowing them to extend an existing glasses or contacts prescription.

Instacart faces lawsuit from DC attorney general over ‘deceptive’ service fees — The suit alleges that Instacart misled customers into thinking the 10% service fee was a tip for the delivery person.

Narrative raises $8.5 million as it launches a new data marketplace — The goal is to make buying data as easy as buying something on Amazon.

Advice and analysis from Extra Crunch

Alexa von Tobel: Eliminating risk is the key to building a startup during an economic downturn — Von Tobel says that one of the most important exercises in forming LearnVest was writing out a business plan.

To reach scale, Juni Learning is building a full-stack edtech experience — The startup’s path to $10 million in annual recurring revenue is inspired by Peloton, not Kumon.

What can growth marketers learn from lean product development? — Andrea Fryrear argues that marketers should begin creating minimum viable campaigns.

(Reminder: Extra Crunch is our subscription membership program, which aims to democratize information about startups. You can sign up here.)

Everything else

A faster, easier, cheaper way of going public — The latest episode of Equity discusses direct listings and SPACs.

Here’s how you can get a second shot at Startup Battlefield — Your second chance comes in the form of two Wild Card entries for the upcoming Battlefield at Disrupt.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.

Frankly, the most surprising thing about the PuriCare is that more tech companies haven’t launched a similar product in recent months. LG is showing it off as part of the upcoming IFA press conference in Berlin — though the company is opting for a virtual presence at this year’s show.

There’s a lot going on in the press release for the “wearable air purifier.” As it notes, “LG PuriCare Wearable Air Purifier resolves the dilemma of homemade masks being of inconsistent quality and disposal masks being in short supply. The PuriCare Wearable Air Purifier employs two H13 HEPA filters, similar to the filters used in the company’s home air purifier products.”

The company seemingly goes out of its way not to mention COVID-19. After all, specific health claims are often subject to different regulations. It’s true, of course, that masks have, at various points, been in short supply during the pandemic. And likely that was the case when LG really started pushing the idea in earnest.

That said, it’s also worth noting that even professionally made masks offer a pretty wide range of efficacy against the virus’s transmission. There are plenty of questions here. For starters, the filter and the question of how effective it might potentially be for both the wearer and the people around them. The latter, after all, is the real argument for wearing masks — to protect the people around.

LG’s response to the COVID-19 question defers to potential future approval; “We’re waiting until further testing is complete before we’re able to share full details.” Hopefully we’ll get some more concrete answers before it goes on sale in “the fourth quarter in select markets.” Though there are certainly non-coronavirus-related reasons to wear a mask, including pollution and other environmental contaminants.

Also worth asking is what happens when the battery runs down. The mask is capable of running eight hours on “low” and two hours on “high,” courtesy of an on-board 820mAh battery, according to figures from LG. But stuff happens. Sometimes you’re out longer than expected, or maybe you just forgot to charge it in full before leaving the house.

There are two H13 HEPA filters on-board, similar in nature to the kind the company uses for its in-home air filtration system. There are also UV-LED lights designed to kill bacteria — an added level of protection beyond the filtration system. In addition to the aforementioned home filtration systems, LG also manufacturers UV light wands for disinfecting purposes. The company has been working on a lot of this stuff already and clearly saw an opportunity to capitalize on it in mask form.

There’s a fair bit of on-board technology, including the ability to regulate the speed of the filtration based on the wearer’s breath. Overkill? Almost certainly. From the looks of the images, it’s also potentially cumbersome. And then there’s the matter of the still unknown price.

Shared electric moped startup Revel has resumed operations in New York City a month after shutting down its service following several deaths. The startup’s blue mopeds that had become a familiar sight in New York City are back, but with a number of new protocols and features aimed at boosting safety and assuaging city officials.

Revel voluntarily shut down its service in New York City on July 28. Revel restarted its 3,000-strong fleet of mopeds in four boroughs, Brooklyn, the Bronx, Manhattan and Queens after the city of New York approved its relaunch plan. Revel, which was founded in March 2018 by Frank Reig and Paul Suhey, is leaning heavily on its app to improve safety, including training videos and tests, a helmet selfie feature that require photographic evidence that user is wearing a helmet and a community reporting tool.

Revel said it partnered with behavioral science experts at The Behavioral Insights Team to develop a new mandatory in-app safety training designed to improve users’ knowledge of safety measures and compliance with those practices. The company will now require all Revel users, including long-time users of the service, to take a 21-question safety training quiz and watch an instructional video before they can start their first ride. The training covers rules of the road, proper pre-ride protocol as well as prohibited activities and consequences of violating the rules.

Revel is expanding this training feature to other markets where it operates, including Austin, Oakland and Washington DC. Users in these markets outside of NYC will have until September 1 to complete the training. Riders in Miami will also have to take the training once COVID-19 related shut downs are lifted and the service resumes.

The company, which raised $27.6 million in a Series A round announced last fall, has added a helmet selfie feature which riders will have to use before beginning their rental. If a passenger is indicated, they will also be required to take a selfie. The helmet case unlocks when the user selects “start ride,” but the power to the moped won’t come on until the selfie has been submitted.

Revel is also rolling out a feature that any New Yorker can use, with or without a company account. Starting Thursday, Revel said anyone can open the Revel app and report bad behavior of riders in the city. Revel said it also has limited hours of operations for the 60 days and will shut down between midnight and 5 a.m. and has beefed up its suspension policies and added more free lessons, which anyone with an account can book through the app or website.

Shared electric moped startup Revel has resumed operations in New York City a month after shutting down its service following several deaths. The startup’s blue mopeds that had become a familiar sight in New York City are back, but with a number of new protocols and features aimed at boosting safety and assuaging city officials.

Revel voluntarily shut down its service in New York City on July 28. Revel restarted its 3,000-strong fleet of mopeds in four boroughs, Brooklyn, the Bronx, Manhattan and Queens after the city of New York approved its relaunch plan. Revel, which was founded in March 2018 by Frank Reig and Paul Suhey, is leaning heavily on its app to improve safety, including training videos and tests, a helmet selfie feature that require photographic evidence that user is wearing a helmet and a community reporting tool.

Revel said it partnered with behavioral science experts at The Behavioral Insights Team to develop a new mandatory in-app safety training designed to improve users’ knowledge of safety measures and compliance with those practices. The company will now require all Revel users, including long-time users of the service, to take a 21-question safety training quiz and watch an instructional video before they can start their first ride. The training covers rules of the road, proper pre-ride protocol as well as prohibited activities and consequences of violating the rules.

Revel is expanding this training feature to other markets where it operates, including Austin, Oakland and Washington DC. Users in these markets outside of NYC will have until September 1 to complete the training. Riders in Miami will also have to take the training once COVID-19 related shut downs are lifted and the service resumes.

The company, which raised $27.6 million in a Series A round announced last fall, has added a helmet selfie feature which riders will have to use before beginning their rental. If a passenger is indicated, they will also be required to take a selfie. The helmet case unlocks when the user selects “start ride,” but the power to the moped won’t come on until the selfie has been submitted.

Revel is also rolling out a feature that any New Yorker can use, with or without a company account. Starting Thursday, Revel said anyone can open the Revel app and report bad behavior of riders in the city. Revel said it also has limited hours of operations for the 60 days and will shut down between midnight and 5 a.m. and has beefed up its suspension policies and added more free lessons, which anyone with an account can book through the app or website.