h4ck3r _ N3w5

On one hand where more than half of the Internet is considering the Bash vulnerability to be severe, Apple says the vast majority of Mac computer users are not at risk from the recently discovered vulnerability in the Bash command-line interpreter – aka the “Shellshock” bug that could allow hackers to take over an operating system completely.
Apple has issued a public statement in response to this issue, assuring its OS X users that most of them are safe from any potential attacks through the ShellShock Vulnerability, which security experts have warned affect operating systems, including Mac’s OS X.

“The vast majority of OS X users are not at risk to recently reported bash vulnerabilities,” Apple said. “Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.“

According to Apple, in OS X majority of users are considered to be safe so long as they haven’t configured any advanced access. Soon the company will also issue an OS X update to fix the potential hole, till then the OS X users are advised to make sure that they don’t enable any advanced UNIX options before the patch releases.

The critical vulnerability in the widely used Linux and Unix command-line shell, known as Bash or the GNU Bourne Again Shell, affects versions 1.14 through 4.3 of GNU Bash and is based on how Bash handles environment variables. By creating a function as part of the variable, it’s possible to execute commands when the variable is evaluated.

The exploit reportedly affects most Linux- and Unix-based operating systems around the world, including OS X.

Researchers on Thursday also discovered that the ShellShock vulnerability has been exploited by the cyber criminals in the wild to take over Web servers as part of a botnet attack that is currently trying to infect other servers as well.
The Bash glitch has been described as more worse than the Heartbleed security flaw, discovered in April, that left all the information stored on data servers potentially vulnerable to hackers. Over 300,000 servers were still vulnerable to the most critical OpenSSL bug two months after the bug was first identified.
Users are advised to do not panic and avoid using advance services that can be exploited by the ShellShock vulnerability for quite sometime before the official patch for the issue is not released.
Till then, you may patch yourself using an unofficial patch that fixes the problem and claimed to completely addresses both vulnerabilities. In an email to the Open Source Software Security (oss-sec) mailing list, the maintainer of Bash, Chet Ramey addressed the vulnerability and issued the patch, but there is as of yet no official fix for the issue.

via The Hacker News http://ift.tt/1vdJNas

Researchers on Thursday discovered a critical remotely exploitable vulnerability in the widely used command-line shell GNU Bourne Again Shell (Bash), dubbed “Shellshock” which affects most of the Linux distributions and servers worldwide, and may already have been exploited in the wild to take over Web servers as part of a botnet that is currently trying to infect other servers as well.

BOTNET ATTACK IN THE WILD

The bot was discovered by the security researcher with the Twitter handle @yinettesys, who reported it on Github and said it appeared to be remotely controlled by miscreants, which indicates that the vulnerability is already being used maliciously by the hackers.

The vulnerability (CVE-2014-6271), which came to light on Wednesday, affects versions 1.14 through 4.3 of GNU Bash and could become a dangerous threat to Linux/Unix and Apple users if the patches to BASH are not applied to the operating systems.

However, the patches for the vulnerability were released but there was some concern that the initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry. There is as of yet no official patch that completely addresses both vulnerabilities, including the second, which allows an attacker to overwrite files on the targeted system.

SHELLSHOCK vs THE INTERNET

Robert Graham of Errata Security observed that the major internet scan is already being used by the cyber criminals in order to locate vulnerable servers for cyber attack. During a scan, Graham found about 3,000 servers that were vulnerable “just on port 80” — the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests.

The Internet scan broke after a short while, which means that there could be a wide numbers of other servers vulnerable to the attack.

“It’s things like CGI scripts that are vulnerable, deep within a website (like CPanel’s /cgi-sys/defaultwebpage.cgi),” Graham wrote in a blog post. “Getting just the root page is the thing least likely to be vulnerable. Spidering the site and testing well-known CGI scripts (like the CPanel one) would give a lot more results—at least 10x.”

In addition, Graham said, “this thing is clearly wormable and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would be ‘game over’ for large networks.“

32 ORACLE PRODUCTS VULNERABLE
Oracle has also confirmed that over 32 of its products are affected by the “Shellshock” vulnerability including some expensive integrated hardware systems of the company. The company warned its users to wait a bit longer for the complete patch, by issuing a security alert regarding the Bash bug on Friday.

“Oracle is still investigating this issue and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against the vulnerability,” the company said.

PATCH ISSUED, BUT INCOMPLETE
Patches were released from most of the Linux distributions, but Red Hat has updated an advisory warning that the patch is incomplete, the same issue that was also raised by infosec community on Twitter.

“Red Hat has become aware that the patches shipped for this issue are incomplete,” said Red Hat security engineer Huzaifa Sidhpurwala. “An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions The new issue has been assigned CVE-2014-7169.“

Although people are urged to apply the released patch to thwart most attacks on the affected systems, another patch is expected to release as soon as possible.

via The Hacker News http://ift.tt/1BkbxKp

Users might have praised the technology companies for efforts to encrypt their latest devices that would prevent law enforcement agencies’ hands on users’ private data, but the FBI is not at all happy with Apple and Google right now.

The Federal Bureau of Investigation director, James Comey, said Thursday he was “very concerned” over Apple and Google using stronger or full encryption in their Smartphones and Tablets that makes it impossible for law enforcement to collar criminals.

According to Comey, the Silicon Valley tech giants are “marketing something expressly to allow people to place themselves above the law.”

“There will come a day – well it comes every day in this business – when it will matter a great, great deal to the lives of people of all kinds that we be able to with judicial authorization gain access to a kidnapper’s or a terrorist or a criminal’s device,” Comey told reporters.

“I just want to make sure we have a good conversation in this country before that day comes. I’d hate to have people look at me and say, ‘Well how come you can’t save this kid,’ ‘How come you can’t do this thing.’“

The move is in the response to the revelations of mass surveillance conducted by the US National Security Agency (NSA), revealed by former contractor Edward Snowden, that triggered a large-scale movement worldwide towards deploying encryption across all the Digital Services.
The FBI remarks come following both privacy changes introduced by Apple as well as Google. Just last week, Google announced it would be providing data encryption by default with its next version of Android i.e. Android L.

While Apple with the release of iOS 8 earlier this month, allowed iPhone and iPad users to encrypt most personal data with a password. Also last week, the company introduced enhanced encryption for iOS 8 devices under which it will no longer store the encryption keys for devices in iOS 8, making it impossible for the company to decrypt a locked device, even on law enforcement request.

“Unlike our competitors, Apple cannot bypass your pass code and therefore cannot access this data,” Apple said in its new privacy policy, updated on Wednesday. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.“

Google’s announcement for by default encryption comes a day after Apple revealed that it is expanding its two-factor authentication process to include the iCloud storage system, which was recently targeted by hackers to extract over 100 nude celebrities photos.

Comey said he agreed-upon the privacy concerns in the wake of NSA leaker Edward Snowden’s revelations about massive US government surveillance. But he also noted that the FBI sometimes has an urgent need to access users’ data, such as in cases of terrorism or kidnappings.

“I am a huge believer in the rule of law, but I am also a believer that no one in this country is above the law,” Comey moaned. “What concerns me about this is companies marketing something expressly to allow people to place themselves above the law.“

Despite criticism from the FBI, it’s improbable that Apple or Google is going to step back from their efforts, because the technology companies again will not compromise with their reputation in the market where many are criticised in past to put backdoors in their products for law enforcement agencies.

via The Hacker News http://ift.tt/1n9xyKY

A Critical remotely exploitable vulnerability has been discovered in the widely used Linux and Unix command-line shell, known as Bash, aka the GNU Bourne Again Shell, leaving countless websites, servers, PCs, OS X Macs, various home routers, and many more open to the cyber criminals.
Earlier today, Stephane Chazelas publicly disclosed the technical details of the remote code execution vulnerability in Bash which affects most of the Linux distributions and servers worldwide.

REMOTELY EXPLOITABLE SHELLSHOCK

The vulnerability (CVE-2014-6271) affects versions 1.14 through 4.3 of GNU Bash and being named as Bash Bug, and Shellshock by the Security researchers on the Internet discussions.

According to the technical details, a hacker could exploit this bash bug to execute shell commands remotely on a target machine using specifically crafted variables. “In many common configurations, this vulnerability is exploitable over the network,” Stephane said.

This 22-year-old vulnerability stems from the way bash handles specially-formatted environment variables, namely exported shell functions. When assigning a function to a variable, trailing code in the function definition will be executed.

BASH BUG AFFECTS MILLIONS OF SYSTEMS

While bash is not directly used by remote users, but it is a common shell for evaluating and executing commands from other programs, such as web server or the mail server. So if an application calls the Bash shell command via web HTTP or a Common-Gateway Interface (CGI) in a way that allows a user to insert data, the web server could be hacked.

In Simple words, If Bash has been configured as the default system shell, an attacker could launch malicious code on the server just by sending a specially crafted malicious web request by setting headers in a web request, or by setting weird mime types. Proof-of-concept code for cgi-bin reverse shell has been posted on the Internet.

Similar attacks are possible via OpenSSH, “We have also verified that this vulnerability is exposed in ssh—but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.” Stephane warned. But if an attacker does not have an SSH account this exploit would not work.

This is a serious risk to Internet infrastructure, just like Heartbleed bug, because Linux not only runs the majority of the servers but also large number of embedded devices, including Mac OS X laptops and Android devices are also running the vulnerable version of bash Software. NIST vulnerability database has rated this vulnerability “10 out of 10” in terms of severity.

HOW TO CHECK FOR VULNERABLE SHELL

To determine if a Linux or Unix system is vulnerable, run the following command lines in your linux shell:

• env X=”() { :;} ; echo shellshock” /bin/sh -c “echo completed”
• env X=”() { :;} ; echo shellshock” `which bash` -c “echo completed”

If you see the words “shellshock” in the output, errrrr… then you are at risk.

BASH BUG PATCH

You are recommended to disable any CGI scripts that call on the shell, but it does not fully mitigate the vulnerability. Many of the major operating system and Linux distribution vendors have released the new bash software versions today, including:

• Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
• CentOS (versions 5 through 7)
• Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
• Debian

If your system is vulnerable to bash bug, then you are highly recommended to upgrade your bash software package as soon as possible.

via The Hacker News http://ift.tt/1qx54W0

The official website of the popular cross-platform JavaScript library jQuery (jquery.com) has been compromised and redirecting its visitors to a third-party website hosting the RIG exploit kit, in order to distribute information-stealing malware.

JQuery is a free and open source JavaScript library designed to simplify the client-side scripting of HTML. It is used to build AJAX applications and other dynamic content easily. The popular JavaScript library is used by 30 percent of websites, including 70 percent of the top 10,000 most visited websites.

James Pleger, Director of Research at Risk management software company RiskIQ, reported yesterday that the attack against jQuery.com web servers launched for a short period of time on the afternoon of September 18th.

So, the users who visited the website on September 18th may have infected their system with data-stealing malware by redirecting users to the website hosting RIG. Pleger urged those who visited the site during the alleged attack to re-image their systems, reset passwords for user accounts that have been used on the systems, and also look for any suspicious activity if originated from the offending system or not.

“However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users [who are] generally IT systems administrators and web developers, including a large contingent who work within enterprises,” Pleger wrote.

Cyber criminals discovered a loophole in the jQuery website’s web properties, backend systems, or other critical infrastructure and injected malicious JavaScript that redirects victims.

The RIG exploit kit is often used to deliver banking Trojans and other information-stealing malware. The researcher said he detected malware on compromised machines that steals credentials and other data.

“Planting malware capable of stealing credentials on devices owned by privilege accounts holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach.“

RiskIQ researchers have immediately notified the jQuery Foundation about the issue. But in response, jQuery Foundation said that their internal investigation into the servers and logs didn’t find the RIG exploit kit or evidence that there was a compromise.
The Rig Exploit Kit was first spotted in April this year, which checks for an un-patched version of Flash, Internet Explorer, Java or the Silverlight multimedia program on the infected users and if found, the system is instantly exploited by the bad actors. It was also used to distribute Cryptowall Ransomware back in June.

UPDATE

In an official blog post, Ralph Whitbeck from jQuery.com commented about RiskIQ findings:

“Our internal investigation into our servers and logs have not yet found the RIG exploit kit or evidence that there was in fact a compromise.“

But Yes, “Currently the only potential system compromised is the web software or server that runs jquery.com.” and “At no time have the hosted jQuery libraries been compromised.“

“Even though we don’t have immediate evidence of compromise, we have taken the proper precautions to ensure our servers are secure and clean.” he added.

via The Hacker News http://ift.tt/1xgtZpq

The Pirate Bay is the world’s largest torrent tracker site which handles requests from millions of users everyday and is in the top 100 most visited websites on the Internet. Generally, The Pirate Bay is famous for potentially hosting illegal contents on its website.

Despite years of persecution, it continues to disobey copyright laws worldwide. Even both the founders of The Pirate Bay (TPB) file exchange service were arrested by the authorities and are in prison, but their notorious pirated content exchange continues to receive millions of unique visitors daily. That’s really Strange!! But how??

Recently, The Pirate Bay team has revealed how cloud technology made its service’s virtual servers truly secure to avoid police raids and detection.

While it doesn’t own any physical servers, The Pirate Bay is working on “virtual machines” through a few commercial cloud hosting services, even without knowing that whom they are dealing with.

According to TorrentFreak report, at present The Pirate Bay has 21 virtual machines (VMs) that are hosted around the globe at different cloud provider.

The cloud technology eliminate the use of any crucial pieces of hardware, thus saved cost, guaranteed better uptime, and made the site more portable, and therefore made the torrent harder to take down.

The Pirate Bay operates using 182 GB of RAM and 94 GPU cores, with total storage capacity of 620 GB, which actually are not used in full.

Out of 21 VMs, eight of the VMs are used to serve web pages, six are dedicated to handling searches, while two VMs currently runs the site’s database and the remaining five virtual machines are used for load balancing, statistics, the proxy site on port 80, torrent storage and for the controller.

Interestingly, the commercial cloud hosting providers have no ideas that The Pirate Bay is using their services, because all traffic goes through the load balancer, which masks the activities of other virtual machines from the cloud providers. This clearly means that none of the IP-addresses of the cloud hosting providers are publicly linked to The Pirate Bay, so that should keep them safe.

While, in case of closure of some of these cloud servers by the police, it is always possible to move VMs to another location in a relatively short duration of time. Just like when back in 2006 in Sweden, police raided The Pirate Bay’s hosting company, seizing everything from blank CDs to fax machines and servers, taking down the site. But, it took just three days to return in its normal state.

via The Hacker News http://ift.tt/Y1cTwV

A new surge of malware has been discovered which goes on to infect hundreds of thousands of computers worldwide and allegedly steals users’ social and banking site credentials.
Few days back, a list of 5 million combinations of Gmail addresses and passwords were leaked online. The search engine giant, Google said that Gmail credentials didn’t come from the security breaches of its system, rather the credentials had been stolen by phishing campaigns and unauthorized access to user accounts.

Just now, we come across another similar incident where cyber criminals are using a malware which has already compromised thousands of Windows users worldwide in an effort to steal their Social Media account, Online account and Banking account Credentials.

A Greek Security Researcher recently discovered a malware sample via a spam campaign (caught in a corporate honeypot), targeting large number of computers users rapidly. He investigated and posted a detailed technical analyses of the malware on his blog.

After reverse engineer the malware sample file, he found that the cybercriminals are using a combination of software AutoIT (Automate day-to-day tasks on computers) and a “commercial” Keylogger named “Limitless Keylogger” to make it FUD i.e. Fully Undetectable from static analysis.

Keylogger is a critical type of software program for cyber criminals, which records every input typed into the keyboard and easily detects passwords for users’ Email accounts, Social Media accounts and Online Bank accounts.

This malicious application captures every keystrokes users press and send them to a specified email address linked to the cyber criminal. More interestingly, the malware uses AutoIT in order to evade detection by Antivirus programs.

The malware distributed in the spam campaign comes as a WinRAR SFX executable file with a custom icon which drops 4 malicious files onto the victim’s computers with hidden and system attributes.

The Malware archive includes:

• AutoIT script ‘update.exe’ of 331MB
• Python script to “deobfuscate” AutoIT script
• oziryzkvvcpm.AWX – Settings for AutoIT script
• sgym.VQA – Another Encrypted malware/Payload Binary

Initially the obfuscated AutoIT Script is of size 331MB, because it contains lots of garbage content, but after deobfuscate process it becomes only 55kbyte in size with clean malicious code.

Researcher found lot of functions and various functionalities in the malware code those allow the malicious software to protect itself from detection.

On Further reserve engineering, he found that the malware sends the collected keystroke data to the cybercriminal via SMTP email server. So he sniffed the whole conversation of malware SMTP traffic and discovered that the keylogger was sending all keystrokes of the user, screenshots, recovery data (saved passwords from several applications/browsers) to an email ID – “ontherun4sales@yandex.ru”.

He also extracted the hardcoded SMTP email ID username and passwords of the respective Yandex mail address from the malware source code.

Researcher told SecNews, “The detection was accomplished in the past few days and found that the malware was being Greek is targeting users (minimum numerical cases).”
“Possibly some Indonesian hackers might have used the malicious software available on the Russian hacking forum sites” they said.

At last, the researcher also disclosed some online FTP servers using Google hacks, where the data has been uploaded by the different variants of the Limitless Logger by various hacking groups.

via The Hacker News http://ift.tt/1rkB84B

The search engine giant Google will soon come up with its next version of Android operating system, dubbed as Android L, with full-disk encryption enabled by default, Google confirmed Thursday.

This will be for the first time that Google’s Android OS will be encrypting your information, preventing both hackers and law enforcement agencies from gaining access to users’ personal and highly sensitive data on their devices running the Android operating system.

While Android has been offering data encryption options for some Android devices since 2011. However the options are not enabled by default, so users have had to activate the functionality manually. But Android L will have new activation procedures that will encrypt data automatically.

Although Google is yet to provide more details about Android L, which is set to be released next month. But the move by the web giant will surely provide an extra layer of security on the personal data that users typically have on their Android Smartphones.

“For over three years Android has offered encryption, and keys are not stored off of the device, so they cannot be shared with law enforcement,” a spokeswoman for the company Niki Christoff has told The Washington Post. “As part of our next Android release, encryption will be enabled by default out of the box, so you won’t even have to think about turning it on.”

Google’s announcement for by default encryption comes a day after Apple revealed that it is expanding its two-factor authentication process to include the iCloud storage system, which was recently targeted by hackers to extract over 100 nude celebrities photos.
Meanwhile, Apple also announced that the latest version of its mobile operating system iOS 8 are protected by new automatic encryption methods that prevent even Apple from accessing its users’ personal and sensitive information.

“Unlike our competitors, Apple cannot bypass your pass code and therefore cannot access this data,” Apple said in its new privacy policy, updated on Wednesday. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.“

Android is the most popular operating system for Smartphones in the world. So, by making the platform more secure, billions of Android users personal data can be protected from hackers as well as law enforcement agencies.

Technology titans are considering encryption a top priority in the wake of revelations by former National Security Agency contractor Edward Snowden that the NSA conducted mass collection of users’ phone and email communications. Till this new release of Android L operating system, if you want to set up encryption on your Android phone today, Google has instructions here.

via The Hacker News http://ift.tt/1B1Dc2o

Four month ago, a massive data breach on the eBay website affected 145 million registered users worldwide after its database was compromised. Meanwhile, another critical vulnerability on the eBay website was reported, allowing an attacker to hijack millions of user accounts in bulk.
An Egyptian security researcher ‘Yasser H. Ali’ informed The Hacker News about this vulnerability 4 months ago, which could be used by the cyber criminals in the targeted attacks. At that time, Mr.Yasser secretly demonstrated the vulnerability step-by-step to ‘The Hacker News’ team and we confirmed – IT WORKS.

Since it was not addressed by the eBay security team, we kept the technical details of this vulnerability hidden from our readers. But, as we promised to share the technical details of this interesting flaw, once after eBay team patch it. So, Here we go!

The vulnerability Yasser found could allow you to Reset Password of any eBay user account and that too without any user interaction or dependency. The only thing you required is the login email ID or username of the victim you want to hack.

BUT HOW TO HACK ANY eBAY ACCOUNT?

Basically to recover the forgotten password, user is first redirected to a password reset page, where eBay page first generates a random code value as HTML form parameter “reqinput”, which is visible to the attacker as well using Browser’s inspect element tool.

After the user provides his/her email id and presses the submit button, eBay generates a second random code, which is unknown to anybody else except the users themselves, and send the code along with a password reset link to the eBay user with the registered email address.

Once the user clicks on the password reset link provided in the email, user will be redirected to an eBay page with new password set option, where the user only needs to enter a new password twice and has to submit it, in order to reset his eBay account password.

HERE THE VULNERABILITY RESIDES

Yasser noticed that instead of using the secret code, the new password HTTP request sends the same respective “reqinput” value that has been generated in the first request, when the user clicked on reset password and which is known to the attacker, as shown:

As Proof-of-Concept, the researcher targeted one of our team members’ temporary account with email address info@thehackernews.com. First he made a password reset request at eBay for the targeted email ID and saved the generated ‘reqinput’ value from the inspect element.

Then he directly crafted a new HTTP request to the eBay server at password reset form action with the known “reqinput” value, new password, confirm password and password strength parameters.

BANG!! He successfully able to reset our eBay account password without our team member’s interaction within a while.

LARGE SCALE AUTOMATED ATTACK

A sophisticated hacker could had launched an automated mass password reset request attack for all those email accounts which were leaked in previously reported massive eBay data breach.

The company has already patched the vulnerability after Yasser responsibly disclosed the flaw to the eBay security team. But, this 4 months delay in delivering the patch could have compromised millions of eBay users’ accounts in a targeted attack, even if you had changed your password after the data breach.

via The Hacker News http://ift.tt/XM3h8O

From last week, Google began paving the way to run Android apps on Chrome Operating System through the project named “App Runtime for Chrome“, but the release came with a lot of limitations – it only supported certain Android apps and on Chrome OS only. At the launch, initially only 4 Android apps – Vine, Evernote, Duolingo and Sight Words – were added to the Chrome Web Store.

That was pretty exciting, but it merely whet the appetite of users hungry for more functionality. So, what if you could run more than just 4 Android apps on Chrome OS? And Also could run them on other operating systems as well?

A developer by the name of “Vlad Filippov” began working on it to stripped away the limits Google has imposed. He successfully figured out a way to bring more Android apps to Chrome, instead of just the four that are officially supported by Google.

The bigger success was that when Filippov got Android apps to work on any desktop Operating System that Chrome runs on. This means that now you are able to run Android apps on Windows, Mac, and Linux as well.

The process uses App Runtime for Chrome (ARC) – a Google project that allows Chrome to run native code safely within a web browser. Since ARC was only officially released as an extension on Chrome Operating System, but Native Client extensions are meant to be used on different platform.
So, in an efforts to do so, Filippov made a custom version of ARC, called ARChon, which supports both desktop Chrome and Chrome OS. However, there is one potential roadblock with the ARChon that it doesn’t run Android app packages (APKs), which instead need to be converted into a Chrome extension. Now, that’s simply made possible by the use of “chromeos-apk“, another Filippov’s tool, which as a result allows operating systems to support an unlimited number of Android APKs.

HOW TO USE DIFFERENT ANDROID APPS IN YOUR CHROME OS

• The Developer has posted the code and instruction on github. In short you need to do is:
• Install Android app from the Chrome Web Store so your Chromebook will install the Android app runtime.
• Install Node.js and Filippov’s chromeos-apk tool on a Linux system (it’ll work on a Chromebook running Ubuntu in Crouton, so you don’t necessarily need a separate computer).
• Download an Android APK and then use the chromeos-apk tool to prepare the app to run on Chrome OS.
• Copy the converted app to your Chromebook, type “chrome://extensions” (without quotes” in the URL bar, enable Developer mode, and then use the “Load unpacked extension” option to locate and install the app.

That’s all !! Not every Android app will work. Some apps that have been confirmed to work include Pandora, Twitter, Soundcloud, and Skype — although you have to do a little extra work to make Skype work. Some other apps such as XBMC, WhatsApp, Firefox, Opera, and Spotify do not work yet. You can even keep track of which APKs have been tested in the Chrome-apk subreddit.

via The Hacker News http://ift.tt/1uvPG01