Risky Bulletin Newsletter
July 06, 2026
Risky Bulletin: Android drops PIN guessing limit from 1,800 attempts to just 20
Written by
News Editor
This newsletter is brought to you by Sublime Security. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.
Android 17, released last month, has shipped with stricter protections against lockscreen PIN and password guessing attacks.
Google has reduced the maximum number of failed attempts from 1,800 to just 20, and the timeouts between failed attempts are now way more aggressive.
The previous Android 16 allowed ten wrong guesses in the first minute, which increased up to 1,800 across five years.
The new limits have now been taken even lower, with just five failed attempts in the first minute and larger and larger timeouts applied after every failed attempt. With all the incremental timeouts applied, the twentieth PIN guess attempt can be entered after 14 years of waiting, after which no more guesses are allowed.

According to Mishaal Rahman, Community Engagement Manager for Android at Google, the new system supports duplicate guess detection for situations when users enter the same PIN or password multiple times.
"When enabled, users aren't penalized for entering the same incorrect guess multiple times, and these rejections don't increase the incorrect guess count. And the system displays a unique message when a duplicate incorrect guess is entered," Rahman says.
The new lockscreen PIN and password guess limit is part of a swath of new security features that Google has added to Android this year that were designed to hamper phone thieves and the dark economy of stolen phone resellers. While the features won't protect phones from actual theft, it will make it harder to break into the device and access the owner's data.
The new system was actually added to Android 16 QPR2 last December, but shipped broadly with Android 17, released last month.
While the new version has been out for almost four weeks now, users will have to wait for it a little longer, as phone makers usually take a few months to roll out the OS on new and older devices. See table below.

Risky Business Podcasts
The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat, Adam, and James at the helm!
Breaches, hacks, and security incidents
AdaptHealth discloses breach to the SEC: American medical equipment maker AdaptHealth has notified the SEC and investors of a security breach. The intruder accessed patient data and internal documents stored in a cloud-based platform. The hackers contacted the company on June 15. No hacking or ransomware group has yet taken credit for the attack. Based on the details and timeline provided by AdaptHealth, the company appears to be one of the victims in a hacking spree that targeted the Oracle PeopleSoft platform. [SEC filing // Reuters]
Grand Line hacked by Ukrainian hacktivists: A Ukrainian hacktivist group has hacked one of Russia's largest construction companies. The Cyber Anarchy Squad claims to have wiped 3,000 servers and workstations and 700 virtual machines in a hack of Russian company Grand Line. The hackers also allegedly deleted all backups and stole more than 650 TB of sensitive documents. The breach took place in May but was only recently disclosed.
A brilliant operation by Cyber.Anarchy.Squad. 💪They disclosed it only recently, for obvious reasons. #HelpUkraine
— IT Army UA (@itarmy-ua.bsky.social) June 29, 2026 at 11:14 PM
[image or embed]
General tech and privacy
Alibaba bans employees from using Claude: Chinese tech company Alibaba has banned employees from using Anthropic's Claude model for work-related tasks. Alibaba allegedly imposed the ban after researchers found hidden code inside Claude that identified China-based users. Anthropic said the code was added in March to identify unauthorized resellers and distillation attacks. The American company also accused Alibaba of using 25,000 accounts to distill its Claude model. [TheNextWeb // Thariq Shihipar tweet confirming tracking code // Reuters]
Congratulations, Claude! Your recent spyware has successfully convinced Alibaba to disable all AI products under Anthropic.
— Denise Wu (@denisewu.bsky.social) July 3, 2026 at 10:11 AM
[image or embed]
Australia sues Amazon: Australia has sued Amazon for introducing ads for Prime Video account holders. The consumer and competition watchdog says Amazon misled consumers when it sold Prime accounts on the promise they would not see ads. The ACCC is investigating the company for unfair unilateral changes to the Prime Video terms of service. [ABC // ACCC]
Edge adds Google sign-ins: Microsoft will let users use their Google account to sign into their Edge browser profiles, as a secondary option on top of the current Microsoft account support. [Thurrott]
uBO adds ClickFix protection: The uBlock Origin ad blocker has added support to blocking known websites that show malicious ClickFix popups. ClickFix popups try to trick users into running malicious commands in their command-line terminals that end up installing malware. Over the past year, ClickFix attacks have become a major malware delivery vector. [GitHub]
SIO lawsuit dismissed: A US court has dismissed a lawsuit filed by the America First Legal fund against the Stanford Internet Observatory for allegedly "censoring" an antivaxxer by researching online misinformation.
This lawsuit was a cynical, dishonest, and confused effort to punish tech researchers and others for exercising core First Amendment rights. It should have been thrown out a long time ago, but better late than never.
— Jameel Jaffer (@jameeljaffer.bsky.social) July 2, 2026 at 3:32 PM
[image or embed]
Government, politics, and policy
PEGA member hacked with Pegasus: A former Member of the European Parliament was repeatedly hacked with the Pegasus spyware. Stelios Kouloglou had his phone hacked while on the PEGA commission, tasked with investigating spyware abuses inside EU member states. The hacks took place between 2022 and 2023, when the commission was active and compiling its reports. The infections were spotted by researchers at CitizenLab, who did not attribute the attacks. [CitizenLab]
The targeting of Kouloglou is not an isolated incident but rather “part of a system”. The @ec.europa.eu claim that it is “working to address the illegal use of spyware from various angles of EU law” is hollow. It will take no action to regulate the use of spyware by national governments.
— Sophie in't Veld (@sophieintveld.bsky.social) July 3, 2026 at 1:31 PM
[image or embed]
I’m shocked that many other members of the European Parliament are not protesting against this alarming escalation. Targeting one is targeting everyone around them, including former colleagues who chose to remain silent today.
— Noura Aljizawi (@noura.bsky.social) July 3, 2026 at 9:32 PM
[image or embed]
EU kids social media ban is coming: According to sources, the European Commission is set to announce a social media ban for kids in September during Ursula von der Leyen's annual State of the Union speech. [Euractiv]
Australia's Sender ID registry enters into effect: The SMS Sender ID Register has entered into effect in Australia as part of an effort to counter SMS scams. Businesses who want to send branded SMS messages to Australians will have to register in the new database. The register is shared by Australian telcos and used to verify mass SMS senders. Companies that registered will have their SMS messages labeled as "verified" when sent to Australian phones. The database entered into effect this month. [ABC // ACMA]
The big crypto laundering of 2025: Iran, Russia, North Korea, and other sanctioned entities moved more than $100 billion worth of cryptocurrency last year. The sum is eight times the amount of funds moved by the same entities the year before. Blockchain analysis firm Chainalysis says sanctioned countries have gotten better at evading sanctions by creating their own digital tokens and crypto exchanges. [WSJ]
Your regular reminder that cryptocurrency does in fact have a use case and that use case is crime
— Rory Cellan-Jones (@rorycj.bsky.social) July 5, 2026 at 8:17 AM
Sponsor section
In this Risky Business sponsor interview, Catalin Cimpanu talks with Alex Orleans, Head of Threat Intelligence at Sublime Security, about the increase in email attacks leveraging Zoom invites and other video conferencing tools.
Arrests, cybercrime, and threat intel
Favicons on the web: A BishopFox report introduces threat intel researchers to how to track web infrastructure using favicons, since most servers and apps these days have a backend panel, which typically has a favicon on the login page. The most interesting fact in the report is a spike in a product's favicons in internet scan data after the disclosure of a vulnerability, as tons of honeypots are deployed to catch possible attacks. [BishopFox // GitHub repo]
WordPress sites run on old PHP: More than 70% of all WordPress sites are running on outdated PHP server versions. This puts a large chunk of the WordPress ecosystem at risk due to the lack of security updates on the underlying server. The CMS is used to power over 40% of the web. [Censys]
ClickFix campaigns: Malwarebytes has spotted a pretty active ClickFix campaign impersonating Cloudflare and Google. The campaign was generated using a ClickFix kit, which was pretty obvious from the comments left in the ClickFix page. The final payload is the ResiLoader, which is then used to deliver other baddies. [Malwarebytes]

Kairos goes offline: The Kairos data extortion group has been inactive and its websites have been offline for almost a month. The group had been active since November 2024 before its abrupt shutdown last month. Before Kairos went offline, its leak site showed a seizure banner with the logo of Ukraine's intelligence agency SBU. Ukrainian officials have never announced a Kairos takedown, suggesting an exit-scam or an intentional wind-down. [Ransom-ISAC]
Malicious npm packages: It's a day ending in "y" so someone found malware on npm. This time, a cluster of 25 malicious libraries. They all shared the same markers and have since been pulled off the registry. [SafeDep]
New ransomware group: A new ransomware group named Wallstreet has been spotted on the dark web, shaming victims on its leak site. So far, only five. [RansomLook // IntelFusions]

Malware technical reports
Kali365: Phishing-as-a-Service portals are slowly becoming the new "infostealers for hire" and ads for these kinds of services are everywhere. The latest report on this emerging trend and services is on a service named Kali365. [Ransom-ISAC]
NovaCookies PhaaS: And speaking of the PhaaS devil, a new platform named NovaCookies that splintered from the old Sneaky 2FA service has been quietly gaining traction in the cybercrime underground. The service supports AitM phishing, but unlike Sneaky 2FA, which only supported Microsoft accounts, Nova can also target many other services as well. [Proofpoint]
Proofpoint observed an intermittent burst in Sneaky2FA activity until February 2026, when researchers first identified the NovaCookies variant. Malicious activity intensified from March to May as this new variant was adopted, but declined in June.
— ThreatInsight (@threatinsight.proofpoint.com) July 1, 2026 at 6:29 PM
[image or embed]
Avalon malware framework: Nevan Beal and Sam Decker have discovered Avalon, an AI-assisted malware framework that is being distributed via multi-chain phishing campaigns. Once it gets a foothold, the framework is used to deploy the CrownX ransomware. [Blackpoint Cyber]
Linux backdoor: Security researcher dmpdump looks at a new backdoor that appears to have been coded to infect routers from Chinese company iKuai. [dmpdump]
PamStealer: A new macOS infostealer has been spotted in the wild. Named PamStealer, the infostealer stands out due to its use of the macOS PAM to prompt and steal passwords. [Jamf]
Santa Stealer: Rostelecom's security team has published a pretty technical report on the Santa Stealer MaaS. The report concludes that the Santa admin has access to all the stolen data collected by customers but also access to each of their infected hosts. Love me some MaaS backdoors! [Rostelecom]
TimbreStealer: TimbreStealer, an infostealer first spotted in 2024 in campaigns targeting Mexican companies, is still active, still targeting Mexican companies. [WatchGuard // old Cisco Talos report]
Akira via malvertising: The Akira ransomware has been delivered through a bunch of methods lately, but one that's becoming increasingly popular is the use of malicious ads. [The DFIR Report]

Sponsor section
In this sponsored product demo Sublime Security co-founder and CEO Josh Kamdjou joins Risky Business podcast host Patrick Gray to show off the company's email security platform, including its latest agentic AI bells and whistles.
APTs, cyber-espionage, and info-ops
Armored Likho: A new APT group is targeting government agencies and electric power companies across Russia, Brazil, and Kazakhstan. The Armored Likho group's attacks blend espionage with financially-motivated campaigns. Its main tool is a previously unknown infostealer named BusySnake. The group is also tracked by other vendors as Eagle Werewolf. Kaspersky says the group "remains highly active." [Kaspersky]
Kimsuky: The team at Synaptic Systems has published a report on how DPRK APT group Kimsuky is using CHM files as the initial malware entry point in recent campaigns. [Synaptic Systems]
New Chinese info-op: Researchers have identified a Chinese influence operation posing as young attractive women targeting men in Taiwan. The network launched in May and currently consists of almost 300 Threads accounts of young women looking to date ONLY Taiwanese men. NewsGuard says the cluster uses an account naming pattern that was also used by another anti-Taiwan campaign in February. [NewsGuard]

Vulnerabilities, security research, and bug bounty
Security updates: Amasty, Asterisk, Guix, OpenWRT, Opera, Splunk, TP-Link, WatchGuard.
Bad Epoll vulnerability: The Linux kernel has patched a vulnerability that can be used to gain root access on Linux desktops, servers, and Android devices. Tracked as CVE-2026-46242, the bug is a race condition in the Linux kernel epoll I/O subsystem. While the race condition window is small, security researcher Jaeyoung Chung says the exploit is 99% reliable. He named the vulnerability Bad Epoll. [GitHub]
ColdFusion bug write-up: Last week, Adobe released security updates, including 11 bugs for the old ColdFusion tech. WatchTowr looks at one of the bugs, a perfect 10/10 CVSS that could be used to take over servers where the RDS (Remote Development Services) has been enabled. Luckily, this protocol is disabled by default. [WatchTowr]
Guix fixes RCE: The GNU/Linux package manager Guix has released critical security updates last week. The vulnerabilities can be exploited via malicious packages or compromised substitute servers. They can be used to gain root access or to replace legitimate binaries with malicious ones. [Guix]
Opera GX forced-mod install: Opera has patched a security flaw that could have allowed malicious sites to force-install a browser mod on the company's GX gaming browser. No user prompt or interaction was needed. The malicious mod could have then been abused to inject code in other sites and steal user credentials. Opera says the bug was reported through its bug bounty program and has not been abused in the wild. [Opera]
Anti-cheat vulnerabilities: There's three unpatched bugs in GamersFirst's Anti-Cheat driver, the anti-cheat engine used for the company's games. Security researchers disclosed the bugs after the game maker failed to respond. [CERT/CC // FzRsLLaSheR on GitHub]
Infosec industry
Threat/trend reports: Check Point, Dr.Web, and KELA have recently published reports and summaries covering various threats and infosec industry trends.
New tool—AI Defense Matrix: Lenny Zeltser and Sounil Yu have published the AI Defense Matrix, a structured framework for defending AI systems.
New tool—Encrypted Spaces: A team of security researchers, including some of the old Signal peeps, have released Encrypted Spaces, a protocol to E2E encrypt collaboration platforms/spaces.
New tool—Nox: Security researcher Prepakis Georgios has open-sourced Nox, a modular Go framework for attack surface management, reconnaissance, and vulnerability scanning.
New tool—T3MP3ST: A security researcher going by the name of Pliny has released T3MP3ST, a multi-agent offensive-security framework, built to turn AI coding agents into zero-day hunters.
KubeCon 2026 India videos: Talks from the KubeCon 2026 India conference, which took place last month, are available on YouTube.
Ekoparty 2026 videos: Talks from the Ekoparty 2026 security conference, which took place last month, are available on YouTube.
Risky Business podcasts
In this edition of Seriously Risky Business, Tom Uren and James Wilson talk about Chinese AI labs stealing the special sauce of American AI models in 'distillation attacks'. These attacks are fed by a grey market in which Chinese consumers buy access to American models, where one of the byproducts is logs of user requests and responses. These make wonderful inputs into distillation attacks and the whole market might be subsidised by Chinese AI Labs paying for these logs.