Android will only issue monthly updates for high-risk vulnerabilities. A self-replicating attack hits the npm registry, BreachForums admin resentenced on appeal, and hackers breach Gucci's parent company. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 17th of September and this podcast episode is brought to you by application allowlisting software maker Airlock Digital.

In today's top story, the Android mobile operating system will only ship monthly updates for high-risk vulnerabilities. All other security issues will be fixed in quarterly updates, according to Android Authority. The new approach began in July.

In other news, hackers have deployed malicious code to more than 180 npm packages. On Monday, the attackers compromised a JavaScript developer's account. From there, they deployed self-replicating code that spread to other libraries. Some of the compromised packages appear to be published by CrowdStrike. The code stole credentials and other access tokens.

The Chinese government will require critical infrastructure operators to report serious security breaches within one hour of detection. The new reporting rule will take effect in November.

The Polish government will boost this year's cybersecurity budget to $1 billion. Officials cited an increase in Russian cyber attacks against critical infrastructure, such as hospitals and water utilities. According to the Financial Times, Poland's cybersecurity budget was $600 million last year.

Hackers have stolen customer data from the parent company of multiple fashion brands. Attackers stole 43 million customer records from Gucci and another 13 million combined from brands including Balenciaga, Brioni and Alexander McQueen. All the brands are owned by French company Kering. The data was stolen from the company's Salesforce account earlier this year. The hackers claim they negotiated a $500,000 ransom, which was not paid.

A hacker has stolen $7.7 million worth of crypto assets from the Yala DeFi platform. It's unclear how the funds were stolen. The value of the company's token crashed 80% this week after the breach came to light.

Ukraine's military intelligence agency claims to have launched DDoS attacks on Russia's central the attacks coincided with Russian elections in occupied Ukrainian territories on Sunday. Russian officials confirmed the attacks but said the voting process was not affected.

X has refused to cooperate with requests to take down Russian propaganda this year. Romania's communications watchdog sent more than 400 takedown orders to social media sites in 2025. All social networks cooperated except X, which did not respond. Romania held its presidential elections in May after cancelling them last year due to Russian interference.

Microsoft's Copilot AI assistant will be included with desktop versions of the 365 office suite from October. Copilot will not be installed automatically in the EU due to privacy regulations. Admins who don't want an AI assistant rolled out to their users should opt out before then.

A hacking forum admin has been resentenced in the US to three years in prison following an appeal by the Department of Justice. Brian Connor Fitzpatrick used the online handle Pompompurin. He was the administrator of the BreachForums hacking community. He was arrested in March 2023 and initially sentenced to time served.

A former university professor accused of helping Russian hackers has been added to Europol's Most Wanted list. Enrique Arias Gil allegedly helped Russian hacking groups promote their DDoS attack services to Spanish-speaking audiences. Arias Gil is a Spanish citizen but is currently in Russia.

Finnish authorities have charged a second suspect over the 2020 hack of the Vastaamo psychotherapy chain. The individual has been identified as 28-year-old US national Daniel Lee Neward. He's currently living in Estonia. He was allegedly involved in extorting victims alongside Finnish hacker Aleksanteri Kivimäki. Kivimäki received a six-year prison sentence and was recently released after serving half of that.

Cambodian authorities have arrested 48 people during a raid of a scam compound. Two thirds of the suspects are South Koreans. The compound operated out of a seven-storey building in the country's capital, Phnom Penh.

New Zealand has imposed sanctions on a Russian military unit linked to cyber attacks against Ukraine. Sanctions were levied against GRU unit 29155, also known as Ember Bear and Cadet Blizzard. The EU sanctioned the same unit in January.

Microsoft's legal team has seized 338 domains operated by a phishing service. The domains hosted phishing pages for Microsoft 365. They were created with a new phishing kit named Raccoon O365. The service launched in June last year and had more than 850 registered users. Microsoft estimated the creators made around $100,000 from renting out the phishing kit.

More than 220 Android apps in the Google Play Store are part of a click fraud operation. The apps open hidden windows on infected devices where they interact with online ads. According to Human Security, the apps were downloaded more than 38 million times. They were clicking on more than 2.3 billion ads per day before Google took them down.

An IoT botnet is responsible for a record-breaking 11.5 terabits per second DDoS attack. The Aisuru botnet launched in August last year. It was responsible for multiple large-scale DDoS attacks, including one that took down Steam during the launch of the Black Wukong video game. According to Chinese security firm QiAnXin, the botnet is managed by three individuals and has infected almost 300,000 devices. Most of the infected devices are routers and security cameras.

And finally, academics have developed a variation of the Rowhammer attack that can flip bits in DDR5 memory modules. The research team, supported by Google, successfully tested the new attack against 15 memory chips made by SK Hynix. Rowhammer is an attack against the physical implementation of memory chips that can flip nearby bits through repeated access. As a result of the research, a new defence mechanism named Per Row activation counting has been added to the DDR5 standard.

And that is all for this podcast edition. Today's show was brought to you by our sponsor Airlock Digital. Find them at airlockdigital.com. Thanks for your company Sam.
Podcast: Risky Bulletin | Host: risky.biz
Date: September 16, 2025
This episode delivers a fast-paced roundup of major cybersecurity news. The primary focus is on Android's shift to prioritize monthly updates only for high-risk vulnerabilities, with a move to quarterly updates for lower-severity issues. Other key stories cover a self-replicating npm attack, a massive customer data breach at Kering (Gucci’s parent company), major sanctions and legal actions in cybercrime, and updates on large-scale DDoS attacks.
On Android updates:
"Android will only issue monthly updates for high risk vulnerabilities. All other security issues will be fixed in quarterly updates."
— Claire Aird [00:04]
On npm attack:
"The attackers compromised a JavaScript developer's account. From there they deployed self-replicating code that spread to other libraries… The code stole credentials and other access tokens."
— Claire Aird [00:30]
On the Kering breach:
"Attackers stole 43 million customer records from Gucci and another 13 million combined from brands including Balenciaga, Brioni and Alexander McQueen… The hackers claim they negotiated a $500,000 ransom, which was not paid."
— Claire Aird [01:37]
On click fraud apps:
"More than 220 Android apps in the Google Play Store are part of a click fraud operation."
— Claire Aird [05:32]
On Rowhammer:
"Academics have developed a variation of the Rowhammer attack that can flip bits in DDR5 memory modules… a new defence mechanism named Per Row activation counting has been added to the DDR5 standard."
— Claire Aird [06:15]
The episode is succinct, authoritative, and news-focused, maintaining a professional yet urgent tone throughout. Claire Aird presents complex cybersecurity news in a clear and digestible format suitable for business and infosec audiences.
For more episodes and details: airlockdigital.com