Summary5 min read

Cybersecurity Headlines: Android API Exposure, Acrobat Reader Zero-Day & Bitcoin Depot Cyberattack

Date: April 10, 2026
Host: Steve Prentiss, CISO Series
Episode Theme:
This episode presents urgent and impactful cybersecurity stories, covering API security lapses in Android apps, an active zero-day in Adobe Reader, a significant cryptocurrency theft, governmental responses to ransomware, and emerging malware threats to cloud infrastructure.

Key Discussion Points & Insights

1. Android API Keys Expose Gemini AI Endpoints

Summary:
- Truffle Security researchers discovered that thousands of Google API keys found in public repositories and Android apps can now authenticate to Gemini, Google's AI assistant, unintentionally exposing personal user data.
- Over 35,000 unique keys were discovered by Quokka across 250,000 apps; Cloudsec identified 32 API keys in 22 popular apps with unauthorized Gemini access.
Risks:
- Data exposure: An attacker could access uploaded files, cached data, or misuse LLM resources, leading to privacy breaches and financial impacts.
- Attribution: "This could allow an attacker to access uploaded files, cached data and to charge LLM usage to your account." – Steve Prentiss [00:32]
Notable Moment:
- Scale emphasized with, "over 35,000 unique keys across 250,000 Android applications." [01:10]

2. Active Acrobat Reader Zero-Day Exploited Since December

Summary:
- Bleeping Computer and security researcher Haipei Li announced that a sophisticated zero-day in Adobe Acrobat Reader has been exploited for at least four months.
- Attackers use a fingerprinting-style PDF exploit to target privileged APIs, steal data, and deploy further exploits.
- Li's list of related zero-day attacks is available in show notes.
Risks:
- Ongoing compromise of Adobe users.
- Highly targeted and technically advanced attacks.
Quote:
- "Attackers are using what he described as a highly sophisticated fingerprinting style PDF exploit to target an undisclosed Adobe Reader security flaw." – Steve Prentiss [01:44]

3. Bitcoin Depot Experiences Major Cyberattack

Summary:
- The largest cryptocurrency ATM company in the U.S. suffered a breach on March 23, 2026, where attackers accessed wallets holding company settlement assets via compromised credentials.
- Stolen funds: 51 bitcoin (~$3.665 million).
- Corporate environment only; customer platforms not impacted, according to Bitcoin Depot.
Risks:
- Direct financial theft from organizations through compromised corporate systems.
- Reputational risk.
Notable Moment:
- "Leading to the theft of almost 51 bitcoin from company controlled wallets." [03:01]

4. Sensitive LAPD Files Exposed Due to City Attorney Breach

Summary:
- Hackers accessed a city attorney’s digital storage system, leaking sensitive LAPD documents from previous civil litigation.
- Breach occurred through a third-party tool, not via direct access to LAPD networks.
- Civil case discovery files were compromised.
Risks:
- Exposure of sensitive law enforcement data.
- Third-party risk in legal processes.
Quote:
- "Hackers accessed a third-party tool used by the City Attorney's office to transfer discovery to opposing counsel and litigants." [04:14]

5. Minnesota National Guard Called In After Ransomware Attack

Summary:
- Governor Tim Walz activated the National Guard following a ransomware attack that disrupted emergency and critical services in Winona County.
- The incident exceeded local response capabilities, necessitating specialized cyber and recovery support.
- The link to a previous attack (January) remains unconfirmed.
Risks:
- Disruption of vital public services.
- The increasing sophistication and persistence of attackers in targeting municipalities.
Quote:
- "The scale and complexity of this incident has exceeded both internal and commercial response capabilities." – Gov. Tim Walz [05:00]

6. Intent Redirection Vulnerability Affects Android Crypto Wallets

Summary:
- Microsoft warns of a severe vulnerability in the Engage SDK, widely used in third-party Android apps (notably crypto wallets).
- Exploited vulnerability enables apps to bypass Android’s security sandbox, accessing private user data and credentials.
- Over 30 million installations of affected apps, mainly in the crypto sector.
Risks:
- Unauthorized access to PII and user funds.
- Widespread exposure due to SDK reuse.
Quote:
- "With over 30 million installations of third party crypto wallet applications alone, PII user credentials and financial data were exposed to risk, the company said." [06:09]

7. New Chaos Malware Variant Makes Move Into Cloud Attacks

Summary:
- Darktrace researchers identified a new Chaos malware variant targeting misconfigured cloud environments, expanding from its prior router/edge device focus.
- The malware is cross-platform, hitting both Windows and Linux, and believed to evolve from the DDoS malware "KG Kai."
- Notable trend: cybercriminal botnets are bundling in proxy services as core features, moving beyond traditional DDoS threats.
Risks:
- Organizations face threats beyond denial-of-service, including proxy abuse, lateral movement, and data exfiltration.
Quote:
- "Denial of service is no longer the only risk that these botnets pose to organizations and their security teams." [07:05]

Notable Quotes & Memorable Moments

On the scale of Android API exposure:
"Researchers…finding nearly 3,000 Google API keys that now also authenticate to Gemini even though they were never intended for it." – Steve Prentiss [00:30]
On National Guard intervention:
"A specialized cybersecurity and recovery team from the Minnesota National Guard is now in the county supporting the investigation and restoration efforts." [05:14]

Key Timestamps by Topic

| Topic | Timestamp | |---------------------------------------------------|------------| | Android API keys & Gemini exposure | 00:19–01:28| | Acrobat Reader zero-day flaw | 01:30–02:19| | Bitcoin Depot cyberattack | 02:24–03:19| | LAPD files exposed in City Attorney breach | 04:10–04:54| | Minnesota National Guard & ransomware response | 04:57–05:37| | Android Engage SDK intent redirection vulnerability| 05:39–06:19| | Chaos malware hitting cloud deployments | 06:22–07:12|

Closing Notes

Theme reinforcement: Each story underlines the paramount importance of security hygiene—API key management, vigilant patching, third-party risk oversight, and robust response planning.
Takeaway: The rapidly evolving threat landscape highlights why cross-sector vigilance and proactive security are essential for organizations and public entities alike.

For more detailed information on each headline, visit cisoseries.com.

Loading summary

Transcript4 lines

[00:00]
A
April is Trust Month at the CISO series. Join us later today for our Super Cyber Friday livestream about hacking vendor trust. More details at the end of this
[00:12]
B
episode from the CISO series. It's Cybersecurity Headlines
[00:19]
A
These are the cybersecurity headlines for Friday, April 10, 2026. Steve I'm Steve Prentiss. Google API keys in Android apps expose Gemini endpoints Researchers from Truffle Security are warning that API keys for public services such as Google Maps can be used to authenticate to the Gemini AI assistant, potentially exposing personal data. This announcement was based on the researchers scanning millions of websites and finding nearly 3,000 Google API keys that now also authenticate to Gemini even though they were never intended for it. It this could allow an attacker to access uploaded files, cached data and to charge LLM usage to your account, they said. Additional research from mobile security firm Quokka led to the discovery of over 35,000 unique keys across 250,000 Android applications. Also, Cloudsec says it discovered 32 Google API keys hard coded in 22 popular Android apps that provide unauthorized access to Gemini AI. Acrobat Reader Zero day flaw exploited since December, according to Bleeping Computer. The attacks were discovered by security researcher Haipei Li, the founder of the sandbox based exploit detection platform Expmon, who warned on Tuesday that the attackers are using what he described as a highly sophisticated fingerprinting style PDF exploit to target an undisclosed Adobe Reader security flaw. Lee added that Adobe users have been targeted for at least four months, with data being stolen from compromised Systems using privileged APIs and deploying additional exploits. A link to Li's long list of security vulnerabilities in Microsoft, Google and Adobe software, many of which have been exploited in zero day attacks, is available in the show. Notes to this episode, Microsoft developer chief Julia Lewison departs. Lewsin will resign as president of Microsoft's developer division at the end of June, though she will continue in an advisory role. She has been part of Microsoft's Core AI division, introduced by CEO Satya Nadella in January 2025. She also assumed responsibility for GitHub in August 2025, at which time GitHub became part of Core AI. Liu Sin, who started at Microsoft after graduating in 1992, is credited with leading the effort to make the open source and cross platform Cryptocurrency ATM company Bitcoin Depot reports cyberattack this March 23 attack resulted in a threat actor gaining control of credentials associated with the company's digital asset settlement accounts, leading to the theft of almost 51 bitcoin from company controlled wallets. This had a value of about $3.665 million as of the date of the report. Bitcoin Depot believes that the incident was contained to the company's corporate environment and did not affect the company's customer platforms, divisions, system, data or environments. Bitcoin Depot is the largest cryptocurrency ATM company in the U.S. huge thanks to our sponsor Vanta. Risk and regulation ramping up and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer Trust together on one AI powered platform. So whether you're prepping for a SoC2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more@vanta.com CISO that is V A N T A.com CISO breach exposes sensitive LAPD files stored in city attorney system the Los Angeles Police Department made an announcement on Tuesday stating that hackers had gained access to a Los Angeles City Attorney's office digital storage system containing sensitive police documents. These documents had been turned over in discovery from previously resolved or settled LAPD civil litigation cases. The hackers did not breach any LAPD systems or networks, according to the press release. The statement said the hackers accessed a third party tool used by the City Attorney's office to transfer discovery to opposing counsel and litigants. Minnesota governor calls in National Guard after cyber attack this follows a ransomware attack on Winona county on Monday which disrupted vital, emergency and critical services. Minnesota governor Tim Waltz issued an executive order on Tuesday saying, unfortunately, the scale and complexity of this incident has exceeded both internal and commercial response capabilities. A specialized cybersecurity and recovery team from the Minnesota National Guard is now in the county supporting the investigation and restoration efforts. There has been no confirmation as to whether this attack is related to the one that the county suffered in January. Intent redirection vulnerability in third party SDK exposes Android wallets Microsoft is warning of a severe intent redirection vulnerability in a widely used third party Android SDK called Engage SDK. Discovered during routine research, this flaw allows apps on the same device to bypass Android Security sandbox and gain unauthorized access to private Data. With over 30 million installations of third party crypto wallet applications alone, PII user credentials and financial data were exposed to risk, the company said. The security blog adds that because Android apps frequently depend on external libraries, insecure integrations can introduce attack surfaces into otherwise secure applications. New Chaos variant targets misconfigured cloud deployments Researchers at darktrace have identified a new malware variant called Chaos, which can hit misconfigured cloud deployments and consequently expand beyond its traditional focus on routers and edge devices. Chaos is a cross platform malware capable of targeting Windows and Linux environments. It is assessed to be an evolution of another DDoS malware known as KG Kai, that has singled out misconfigured Docker instances. Darktrace added the recent shift in botnets such as Isuru and Chaos to include proxy services as core features demonstrates that denial of service is no longer the only risk that these botnets pose to organizations and their security teams. Be sure to register to join us later today for Hacking Vendor Trust, part of our ongoing Trust Month of episodes. On Super Cyber Friday, we'll be breaking down how to build trust with a vendor when a vendor becomes a trusted partner, and how to navigate people change at a trusted vendor. It's a full hour of discussion, so join our chat room to get involved and play a few fun games. Head on over to the events page@cisoseries.com to register. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com we would love to hear from you. I'm Steve Prentiss reporting for the CISO series.
[08:22]
B
Cybersecurity headlines are available every weekday. Head to CISoseries.com for the full stories behind the headlines.