Risky Bulletin: Android Switches to Risk-Based Security Updates

Podcast: Risky Bulletin | Host: risky.biz
Date: September 16, 2025

Episode Overview

This episode delivers a fast-paced roundup of major cybersecurity news. The primary focus is on Android's shift to prioritize monthly updates only for high-risk vulnerabilities, with a move to quarterly updates for lower-severity issues. Other key stories cover a self-replicating npm attack, a massive customer data breach at Kering (Gucci’s parent company), major sanctions and legal actions in cybercrime, and updates on large-scale DDoS attacks.

Key Discussion Points & Insights

1. Android’s New Risk-Based Update Policy

• [00:04] Android will only issue monthly security updates for high-risk vulnerabilities; all other issues will be addressed in quarterly releases.
  • Policy was implemented as of July 2025.
  • Quoted Source: Android Authority.
  • Implication: Users may experience delayed patches for moderate/low risks, potentially affecting device security for these threat levels.

2. NPM Registry Compromised by Self-Replicating Attack

• [00:30] Malicious code was deployed to over 180 npm packages after an attacker compromised a JavaScript developer’s account.
  • The attack included self-replicating code that spread to other libraries.
  • Some compromised packages were published by CrowdStrike.
  • The malware stole credentials and access tokens.

3. Global Regulation and Budgets in Cybersecurity

• China:
  • [01:03] New regulations require critical infrastructure operators to report serious breaches within one hour. Effective from November 2025.
• Poland:
  • [01:16] Cybersecurity budget increased to $1B (from $600M last year) due to rising Russian attacks on infrastructure.

4. Major Data Breach: Kering (Gucci's Parent Company)

• [01:37] Hackers stole 43 million Gucci customer records and another 13 million from brands such as Balenciaga, Brioni, and Alexander McQueen.
  • Source: Hack of Kering's Salesforce account.
  • Hackers claimed to negotiate a $500,000 ransom (not paid).

5. Cryptocurrency Theft and Platform Fallout

• [02:07] $7.7 million in crypto lost from the Yala Defi platform under unclear circumstances.
  • Token value crashed 80% after breach disclosure.

6. Geopolitics and Nation-State Cyber Activity

• [02:30] Ukraine claims DDoS attacks on Russia’s central government sites during Russian elections in occupied territories.
• [02:51] Romania sent over 400 takedown requests for Russian propaganda in 2025; X (formerly Twitter) did not cooperate.

7. Technology Industry Updates

• [03:18] Microsoft’s Copilot AI Assistant to be included with Microsoft 365 desktop suites starting October 2025—not auto-installed in the EU due to privacy regulations.
  • Admins must opt out if they do not want Copilot rolled out.

8. Cyber Crime and Law Enforcement

• [03:38] Breach Forums admin “Pompompur” re-sentenced to three years in prison after US DOJ appeal.
• [03:54] Enrique Arias Gil, ex-university professor, added to Europol Most Wanted for aiding Russian hackers.
• [04:09] Finnish authorities charge US national Daniel Lee Neward in the Vastamo psychotherapy hack case.

9. International Sanctions and Police Actions

• [04:31] Cambodia arrests 48 suspects (mostly South Koreans) in scam compound raid in Phnom Penh.
• [04:48] New Zealand sanctions Russian GRU unit 29155 (“Ember Bear”, “Cadet Blizzard”) for Ukraine-related cyberattacks.
  • This unit was sanctioned by the EU in January 2025.

10. Industrial-Scale Phishing & Fraud

• [05:09] Microsoft seizes 338 domains used for phishing Microsoft 365.
  • Domains linked to the “Raccoon O365” phishing kit, used by over 850 users.
  • Kit creators reportedly earned $100,000+.

11. Mobile Fraud on Google Play

• [05:32] 220+ Android apps found part of click fraud operation—over 38 million downloads; clicked 2.3 billion ads per day before Google withdrew them.

12. Record-breaking DDoS Attack

• [05:53] Isaru IoT botnet responsible for 11.5 Tbps DDoS attack—notably took down Steam during Black Wukong launch.
  • Botnet managed by three people, 300,000 infected devices (mostly routers and cameras).

13. Hardware Security: Rowhammer Evolves

• [06:15] Academics develop new Rowhammer variant targeting DDR5 memory chips.
  • Research supported by Google, led to new standard: Per Row Activation Counting added as DDR5 defense.

Notable Quotes & Memorable Moments

• On Android updates:

  "Android will only issue monthly updates for high risk vulnerabilities. All other security issues will be fixed in quarterly updates."
  — Claire Aird [00:04]

• On npm attack:

  "The attackers compromised a JavaScript developer's account. From there they deployed self-replicating code that spread to other libraries… The code stole credentials and other access tokens."
  — Claire Aird [00:30]

• On the Kering breach:

  "Attackers stole 43 million customer records from Gucci and another 13 million combined from brands including Balenciaga, Brioni and Alexander McQueen… The hackers claim they negotiated a $500,000 ransom, which was not paid."
  — Claire Aird [01:37]

• On click fraud apps:

  "More than 220 Android apps in the Google Play Store are part of a click fraud operation."
  — Claire Aird [05:32]

• On Rowhammer:

  "Academics have developed a variation of the Rowhammer attack that can flip bits in DDR5 memory modules… a new defence mechanism named Per Row activation counting has been added to the DDR5 standard."
  — Claire Aird [06:15]

Important Timestamps

• 00:04: Android announces risk-based security update policy
• 00:30: npm registry compromised with self-replicating attack
• 01:37: Kering (Gucci) customer data stolen in Salesforce breach
• 03:38: Breach Forums admin re-sentenced to prison
• 05:32: Discovery of click fraud apps in Google Play Store
• 05:53: Isaru IoT botnet launches record DDoS
• 06:15: New Rowhammer variant disclosed and mitigation added to DDR5

Tone & Style

The episode is succinct, authoritative, and news-focused, maintaining a professional yet urgent tone throughout. Claire Aird presents complex cybersecurity news in a clear and digestible format suitable for business and infosec audiences.

For more episodes and details: airlockdigital.com