ProtonMail Launches Tor Hidden Service

Encrypted email provider ProtonMail announced this week the launch of a Tor hidden service whose role is to help combat the censorship and surveillance efforts of totalitarian governments.

ProtonMail developers pointed out that using Tor has several advantages, including extra layers of encryption for communications, protection for the user’s real IP address, and the possibility to bypass censorship mechanisms.

On the downside, accessing the service over Tor will have a negative impact on performance, and the hidden website is still experimental so it may not be as reliable as the regular site.

The new onion website, set up with the aid of the Tor Project, can be accessed at https://protonirockerxow.onion. The URLs of hidden services are encryption key hashes, which makes them appear as a string of 16 random characters. However, ProtonMail hashed millions of encryption keys until it found a hash that made at least some sense in an effort to help users identify phishing attacks.

The hidden service is accessible only over HTTPS and uses a certificate from DigiCert, the company that also issued an onion SSL certificate to Facebook. Detailed instructions on how to access the service over Tor have been made available by ProtonMail.

ProtonMail over Tor

“Since our onion site is still experimental, we are not making any recommendations yet regarding the use of ProtonMail’s onion site,” ProtonMail developers said in a blog post. “Even without using Tor, your ProtonMail inbox is still strongly protected with PGP end-to-end encryption, secure authentication (SRP), and optional two-factor authentication. However, ProtonMail definitely has users in sensitive situations where the extra security and anonymity provided by Tor could literally save lives.”

ProtonMail has been around since 2014, but it only became available to the public in March 2016. The service can be accessed via a desktop web browser or the iOS and Android mobile apps.

ProtonMail is currently the largest encrypted email service, with more than 2 million users. Its popularity continues to increase as governments try to prevent citizens from using encrypted communications tools and attempt to expand their surveillance powers.

By Eduard Kovacs


The Malware Battle Is Mostly Silent

Malware’s success relies on the ability to remain stealthy, and the authors of malicious programs go to great lengths to make that happen, while also ensuring that their identity remains hidden.

As a general rule, malware developers tend to avoid contact with security researchers to avoid stepping into the spotlight, but this rule can be broken occasionally. Having worked before with software developers, I know how keen some are about correctly presenting the capabilities of their creations. At the time, that made perfect sense, because an application’s popularity (and sometimes price) is influenced not only by the included capabilities and looks, but also by accurate reviews.

It was surprising to see there are malware developers who would come out of the shadows to voice discontent regarding a report on their “product.” However, such developers exist, and the creator of a piece of mobile malware called Bilal Bot is one example. Seeing that IBM’s report on the malware is outdated, the author decided to contact the security firm to address this.

Bilal Bot was detailed back in April, alongside other mobile malware targeting Android, when researchers suggested that it was less sophisticated than its competitors GM Bot and KNL Bot, and that it was also cheaper. Now the malware developer says that, because the product moved from the beta state it was in April, its feature list and price changed, and IBM’s report should be updated. Moreover, the developer said he was open to an interview about the malware, IBM reveals.

Usually, when a developer requests an update to a report on their software specifically to bring new features into the spotlight, it means they want to increase the buzz around the program, and this is exactly what Bilal Bot’s developer seems to have attempted here as well.

As it turns out, however, this case represents an exception to the rule, as most malware developers would rather stay in the shadows than talk to security researchers. Most don’t like the kind of publicity security reports provide, because these reports don’t allow malware developers to stay under the radar, a malware hunter said, responding to a SecurityWeek inquiry.

The security researcher also told us that malware creators will leave messages in their code if they want to, but that they normally try to avoid attention from the anti-virus/security community, because it could hurt their business. What’s more, he says, threats that constantly make the headlines evolve to better avoid detection, so reporting on malware can turn into a double-edged sword.

Cybercriminals would certainly use anything to increase their legitimacy, including abusing security reports as “social proof,” Heimdal Security’s Andra Zaharia tells SecurityWeek. Although it’s still surprising that Bilal Bot’s creator adopted this behavior, it’s clear that a malware developer exhibiting the characteristics of a legitimate business owner would want their product to be correctly portrayed, otherwise pricing would be impacted.

Instead of abusing news reports for fame, cybercriminals usually go quiet after security researchers report on their creations, Maya Horowitz, Group Manager, Threat Intelligence at Check Point, told SecurityWeek.

“We have seen malware disappear after our reports, as in the case of the Nuclear Exploit Kit this last spring. Most recently, we saw the Cerber ransomware developers adapt to counter our research and decryption tool. The developers even left a message to anyone using our decryption tool, saying that they had modified the malware. Usually malware developers try to lower their profile after the malware is revealed and attempt to upgrade it to avoid discovery,” Horowitz says.

However, she does agree that security reports can be abused as well, because “breaches demonstrate the malware’s efficiency.” Stuxnet, she says, is a great example of how hackers can learn from reports about other malware and implement the same tactics in their own products.

Kaspersky Lab’s Anton Ivanov, senior malware analyst, also believes that threat actors always keep an eye on security blogs to find new techniques for their malware. Thus, as soon as detailed information about a vulnerability is published, an increase in the usage of that vulnerability can be observed, he says.

Security reports, Ivanov says, tend to be bad advertising for the malware, because the malicious program becomes known to security researchers. However, he also reveals that malware developers sometimes contact Kaspersky via embedded data, “which is usually encrypted and located in some part of malware module.” These messages, he says, usually contain greetings to researchers; one came from Angler’s developers and was located in an FLV exploit.

However, not all such messages are greetings, as Emsisoft Malware Lab’s researchers have often discovered. Most recently, angry at the researchers’ ability to break the encryption of their ransomware, called Apocalypse, the creator of this threat decided not only to include abusive comments in the malware’s code, but also to rename the malicious program “Fabiansomware.” The coder’s hostility was directed at Fabian Wosar, Emsisoft CTO and head of the company’s Malware Research Lab.

For security researchers, the fact that malware authors include abusive messages in their code comes as an acknowledgement of their work. Thus, researchers will continue to report on new and updated malware, regardless of whether developers are dissatisfied with how their malware is portrayed or are unhappy that they made the headlines.

“We believe it’s crucial to inform Internet users, whether home users or people involved in companies, of emerging cyber threats. It’s not only about building awareness, but it’s also an essential tool to help people learn how to get protected,” Andra Zaharia said. “We believe that spreading correct and relevant information about new and improved malware is an important part of helping people become more aware of the issue and its potential impact.”

The general consensus is that while security researchers will continue to publish relevant information about discovered threats, already established malware families will continuously evolve in their attempt to avoid detection. Their developers will certainly try to stay as hidden as possible. Hungry enough for attention, newcomers might contact security researchers to point out incorrect reports, but the battle with malware remains mostly a silent one.

By Ionut Arghire


Sophos Unveils Next-Gen Security Product “Intercept X”

In cyber security, the enemy is continually changing and evolving — and defenses against that enemy must adapt and evolve to meet the new threats. Unveiled today, Sophos Intercept X is an example of that evolution, bringing next-gen techniques to the latest threats.

‘Next-gen’ itself is difficult to define. “One of the areas we struggle with,” said Dan Schiappa, senior vice president of the Sophos Enduser Security Group in conversation with SecurityWeek, “is finding a real unified definition for the term. There is a unified definition for a next gen firewall, but for endpoint products there’s just a variety of different flavors.”

“You have to be able to tackle three critical areas covering the whole spectrum,” said Schiappa: “prevention, detection, and clean and respond — and all with the latest technologies. Only when you do that can you be called ‘next-gen’.”

Intercept X is designed to bring new technology to solving the last three of the Nasty Nine elements: crypto ransomware, exploits and clean and respond; and it does so with zero reliance on malware signatures.

All crypto ransomware has one particular characteristic: it encrypts files. Intercept X continuously monitors for the start of an encryption process. “When a process starts to encrypt,” explained Schiappa, “we create a mechanism that does behavioral analysis on that process. At the same time, we save a pre-encrypted version of the affected file into a safe store in an obfuscated area. If we decide that it is a malicious process and we need to evict it, we’ll shut the process down and we’ll clean it up; but we’ll also return the files back to their pre-encrypted state.” Intercept X stops any ransomware, whether it’s known or unknown, and cleans and restores the original files. “If our behavioral analysis indicates that the process is legitimate,” he added, “we just let it continue.”

The anti-exploit part of Intercept X is new. Statistically, 90% of breaches involve exploits; and 90% of the exploited vulnerabilities are already known. But there’s an average delay of 193 days between publication of a vulnerability and that vulnerability being patched on site. Since all Patch Tuesdays are followed by Exploit Wednesdays, there is a huge window of opportunity for vulnerabilities to be exploited. Rather than tackle the vulnerabilities or the exploits directly, Sophos has determined 24 different techniques used within exploits.

“There were about 7000 vulnerabilities published last year,” explained Schiappa, “attacked in hundreds of thousands of different ways — but all using one or more of the 24 techniques.” By monitoring and blocking the exploit techniques, Intercept X is able to stop zero-day exploit attacks without any reference to malware file signatures. Schiappa expects one or two new techniques to appear each year, which will be analyzed and countered, “but we’re no longer on the treadmill of malware and variants continually changing.”

According to Sophos, 66% of IT staff lack incident response skills. Since no security is perfect, companies will get breached regardless of their security defenses. Incident response has become an important part of security’s armory — and the third part of Intercept X is designed to help companies operate a meaningful response. This provides both clean-up and forensics.

“If we see a hacker or piece of malware trying to use one of the known exploit techniques, a data recorder running on the endpoint sends a ‘root-cause chain’ of data up to Sophos Central where we build a report on what happens. We provide the report in different levels of depth suitable for anything from a defense contractor to a small retail store.” At one level, the user can click on the alert notification and Intercept X will show “what happened, where and when it happened, who was logged on at the time, and how it happened. It also provides a list of next steps for the novice incident responder.”

More advanced users can delve deeper. “We provide an asset-based table-driven report for the experts,” said Schiappa. This provides specifics, like what registry changes were made, what processes were launched, and so on. “You can click on specifics to get more detail and see the course of the attack.” The final level is a complete visualization of the attack that can be viewed in its entirety.

Intercept X can be installed as a self-contained stand-alone product. Where the primary Sophos central endpoint product is already installed, the agents from both products will merge to provide a single endpoint security product. Alternatively it can run alongside competitor products, without any interference, for a layered security approach.

By Kevin Townsend


Obama Prepares to Boost U.S. Military’s Cyber Role

The Obama administration is preparing to elevate the stature of the Pentagon’s Cyber Command, signaling more emphasis on developing cyber weapons to deter attacks, punish intruders into U.S. networks and tackle adversaries such as Islamic State, current and former officials told Reuters.

Under the plan being considered at the White House, the officials said, U.S. Cyber Command would become what the military calls a “unified command” equal to combat branches of the military such as the Central and Pacific Commands.

Cyber Command would be separated from the National Security Agency, a spy agency responsible for electronic eavesdropping, the officials said. That would give Cyber Command leaders a larger voice in arguing for the use of both offensive and defensive cyber tools in future conflicts.

Both organizations are based at Fort Meade, Maryland, about 30 miles north of Washington, and led by the same officer, Navy Adm. Michael S. Rogers.

A former senior intelligence official with knowledge of the plan said it reflects the growing role that cyber operations play in modern warfare, and the different missions of the Cyber Command and the NSA. The official spoke on condition of anonymity.

A Cyber Command spokesman declined comment on the plan, and the NSA did not respond to requests for comment.

Established in 2010, Cyber Command is now subordinate to the U.S. Strategic Command, which oversees military space operations, nuclear weapons and missile defense.

U.S. officials cautioned that details of the plan, including some aspects of Cyber Command’s new status, are still being debated.

It was unclear when the matter will be presented to President Barack Obama for final approval, but the former senior intelligence official said it was unlikely anyone would stand in the way.

A senior official, speaking on condition of anonymity, said the administration was “constantly reviewing if we have the appropriate organizational structures in place to counter evolving threats, in cyber space or elsewhere.”

“While we have no changes to this structure to announce, the relationship between NSA and Cyber Command is critical to safeguarding our nation’s security,” the official said.

The Pentagon acknowledged earlier this year that it has conducted cyber attacks against Islamic State, although the details are highly classified.

“We are dropping cyber-bombs. We have never done that before,” Deputy Defense Secretary Robert Work said in April.

The Washington Post reported last month that Pentagon leaders had been frustrated with the slow pace of Cyber Command’s electronic offensive against Islamic State, militants who control parts of Iraq and Syria and have sympathizers and supporters worldwide.

In response, Rogers created Joint Task Force Ares to develop new digital weapons against Islamic State and coordinate with the Central Command, which is responsible for combat operations in the Middle East and South Asia.

The new task force has “the specific mission to accomplish cyberspace objectives in support of counter-ISIL operations,” a Cyber Command statement said. Task Force Ares, it said, “comprises operations and intelligence professionals from each of the military services.”

James Lewis, a cyber security expert at the Center for Strategic and International Studies, said the plan that will be presented to Obama highlights how Cyber Command, reliant on the NSA in its early years, is developing its own work force and digital tools.

“It reflects the maturing of Cyber Command and its own capabilities,” Lewis said.

Defense Secretary Ash Carter hinted at the higher status for Cyber Command in an April speech in Washington, in which he said the Pentagon is planning $35 billion in cyber spending over the next five years.

“Adapting to new functions will include changes in how we manage ourselves in cyberspace,” Carter said.

NSA’s primary mission is to intercept and decode adversaries’ phone calls, emails and other communications. The agency was criticized for over-reach after former NSA contractor Edward Snowden revealed some of its surveillance programs.

NSA’s focus is gathering intelligence, officials said, often favoring the monitoring of an enemy’s cyber activities. Cyber Command’s mission is geared more to shutting down cyber attacks – and, if ordered, counter-attacking.

The NSA director has been a senior military officer since the agency’s founding in 1952. Under the plan, future directors would be civilians, an arrangement meant to underscore that NSA is not subordinate to Cyber Command.

By Warren Strobel

Source: Reuters

Carding and PayPal Accounts Are Most Common Products on Dark Web Marketplaces

A six-month investigation of 17 popular Dark Web and Deep Web hacking and cyber-crime marketplaces has revealed which of the illegal products exchanged on these portals today are the most popular.

The study, carried out by Ericsson Marin, Ahmad Diab, and Paulo Shakarian from Arizona State University, involved scraping these 17 websites at different times, in order to create a portfolio of the products sold on them.

The scraped sites included Dark Web marketplaces, which are reachable only over a Dark Web connection, and Deep Web marketplaces, which sit on the public Internet but keep search engines out, usually behind password-protected accounts.

Carding products are the most popular items

Once the researchers managed to get access and scrape these websites, they gathered all the data and used both manual and automated procedures to classify the details in different categories, per marketplace, and per author.

The result of their work is the image at the end of this article, which shows the most popular products sold on these types of cyber-crime portals.

The final top 10 is made up of carding products, PayPal-related items, cashing credit cards, PGP tools, Netflix-related items, general hacking tools, data dumps, Linux-related products, email hacking tools, and network security tools.

Of course, other categories such as bulletproof VPNs, RATs, botnets, phishing kits, exploit kits, and keyloggers are also included.

Researchers found over 8,000 illegal product offerings

Researchers also say that they’ve observed a high degree of reposting between these marketplaces, even if many have specific policies that prohibit such behavior from their vendors.

Further, the study reveals that most marketplaces specialize in a few product categories, which buyers can find in abundance on those sites, with very few all-in-one portals to choose from.

In total, the researchers say they found over 8,000 different illegal products exchanged on these 17 websites.

By Catalin Cimpanu

Source: Softpedia

Auto Industry Develops Security Best Practices

Car manufacturers have released a new best practices document designed to improve vehicle cybersecurity in the industry.

The doc was penned by the 15 car-maker members of the Automotive Information Sharing and Analysis Center (Auto-ISAC) and draws on the expert advice of over 50 automotive cybersecurity experts.

It includes advice in seven key topic areas: governance; risk assessment & management; security by design; threat detection and protection; incident response; awareness & training; and collaboration & engagement with third parties.

Auto-ISAC claimed the advice features deep technical expertise and draws on established frameworks such as ISO and NIST, but tailored for the automobile industry.

“Automakers are committed to being proactive and will not wait for cyber threats to materialize into safety risks,” said Auto-ISAC chairman Tom Stricker in a statement.

“The Best Practices initiative represents this commitment to proactive collaboration that our industry made when we stood up the Auto-ISAC last year. I’m proud of the way we have united in our endeavor to minimize the risks our consumers might face from cyber security and privacy threats.”

Threat levels in the industry are on the rise, with even the FBI being forced to release cyber security advice for car owners recently.

Its tips include ensuring car software is patched and up-to-date, to be cautious when modifying on-board software, and to exercise discretion when connecting third party devices to the vehicle.

According to reports from earlier this month, car thieves in Houston managed to gain access to and drive away Jeep Wranglers and Cherokees by hacking them.

As the industry moves towards driver-less cars the threat becomes even greater.

Experts have already warned the UK government to ensure cyber security risks are taken into account during the current consultation into self-driving technologies.

The US attorney general’s office has even warned that rogue nation states could remotely hack connected vehicles in assassination attempts.



Crime in UK Now Most Likely to be Cyber Crime

There were nearly six million fraud and cyber crimes committed in the UK in the 12 months to March 2016, according to the latest figures from the Office for National Statistics (ONS).

This is the first year that such cyber crimes have been included in the ONS statistics, so it is not possible to consider overall trends; nevertheless, the data suggests that approximately half of all UK crime is now cyber-related.

“This is the first time we have published official estimates of fraud and computer misuse from our victimization survey,” said ONS statistician John Flatley. “Together, these offenses are similar in magnitude to the existing headline figures covering all other Crime Survey offenses. However, it would be wrong to conclude that actual crime levels have doubled, since the survey previously did not cover these offenses. These improvements to the Crime Survey will help to measure the scale of the threat from these crimes, and help shape the response.”

One area that can be measured over time is plastic card fraud, which has been monitored since 2006. This increased until peaking in 2008-2010, and then declined following the introduction of EMV chip-and-PIN cards. Current findings indicate that 4.7% of plastic card owners were victims of card fraud in the year ending March 2016.

The ONS figures suggest that there were 2 million computer misuse incidents; more than two-thirds of which were virus related, with the remainder involving unauthorized access to personal information (including hacking). 51% of fraud incidents are now cyber-related.

Kaspersky Lab’s principal security researcher David Emm is not surprised by the figures. Criminals follow the money. “With so much financial activity moving online, criminals have capitalized on this by moving their activity into the cyber world,” Emm said.

“It’s clear that crime is becoming cyber enabled as our world becomes digital. Greater transparency around the scale of this problem is vital, helping set the national priorities for law enforcement resources, and underlining the need for industry and government to work together to combat this growing menace,” said Paul Taylor, head of cyber security at KPMG.

The extent of this criminal move into online crime means that people are now six times more likely to be a victim of plastic card fraud than a victim of theft from the person, and around 17 times more likely than robbery.

Victims of fraud differ from other crime victims. They come from higher income households than victims of violence. They tend to be in managerial and professional occupations rather than manual occupations, students or long-term unemployed. There is also some indication that those living in rural areas and least deprived areas are more likely to be affected than those in urban and deprived areas. This is not in itself surprising since it is the same groups that are most likely to be involved in online financial transactions.

One important message from the statistics shows that fraud really is not a ‘victimless crime’. There is still a common belief that victims will be reimbursed for any online fraud losses. The ONS shows that this is not necessarily true. “Victims received a full reimbursement in 43% of fraud incidents (1.6 million), typically from their financial provider. In 690,000 cases, the victim received no or only partial reimbursement,” says the ONS. Having said that, in incidents involving bank and credit card fraud, 84% of victims received full reimbursement.

The majority of recorded incidents are caused by viruses. Technology can be used to defend against technology. “It is vital,” warns Kaspersky Lab, “that people use a reliable Internet security solution on all connected devices, apply security updates as soon as they become available, download software only from trusted sources (such as official app stores and vendors) and be cautious about e-mail and other messages that include attachments and links – even if they appear to come from friends.”

Earlier this month, the UK’s National Crime Agency (NCA) released its Cyber Crime Assessment 2016, which argues that criminal capability is outpacing industry’s ability to defend against attacks, and suggests that “only by working together across law enforcement and the private sector can we successfully reduce the threat to the UK from cyber crime.”

By Kevin Townsend


Iraq Shuts Down Internet in Response to Baghdad Protests

Latest in a questionable line of power tactics as the Iraqi government turns off the internet for nearly four hours.

The Iraqi government has shut down internet access in the country in response to mass protests in the capital, Baghdad.

Thousands of demonstrators marched on Tahrir Square in central Baghdad on Friday morning to protest alleged corruption within the current government, which in turn cut internet access to most of the country, except Kurdistan, because the protest had been deemed illegal.

The demonstrators held placards reading “Yes, yes to reform. No, no to sectarianism. No, no to corruption”, according to Al Jazeera news.

Internet access appeared to go down at 3.39 UTC, but was restored at 7.15 UTC.

The outage was spotted by internet performance company Dyn, a company that measures and researches global internet connectivity.

History of outages

Doug Madory, director of internet analysis at Dyn, told TechWeekEurope that the company picked up on the outage this morning.

“There’s a history of outages in Iraq, they seem to do this more and more these days for things as trivial as sixth grade exams,” he said.

“It went down at 3.39 UTC, and then it returned at 7.15 UTC.

“There was just a UN resolution condemning internet outages, and that was slightly in response to previous Iraqi outages.”

That UN resolution came just two weeks ago, when the organisation published a paper called The promotion, protection and enjoyment of human rights on the Internet. The resolution criticizes the practice of shutting down internet access to citizens. While it was passed by consensus, certain countries, such as China and Russia, attempted to amend parts of the resolution’s text.

Other countries backed China and Russia’s view, such as Saudi Arabia, India, and South Africa.

But the resolution states: “The same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice, in accordance with articles 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.”


In Iraq, the government can give the order to block access to the fibre network in the country from ISPs.

“So in Iraq there’s a fibre backbone…and the government maintains the keys to that,” Madory explained.

“That’s typically how they implement these shut downs. They can give orders to the government entity that runs the fibre to just disable the fibre optic connections that most of the country relies on.”

The Iraqi government, headed by Haider al-Abadi, had previously cut off access to the internet in May in an attempt to stop its sixth graders cheating in exams.

Before that, the government shut down internet communications in response to the city of Mosul falling to ISIS in June 2014.



Ransomware ‘Stopped’ by New Software

Scientists at the University of Florida (UF) say they have developed software that can stop the growing problem of ransomware in its tracks.

Ransomware encrypts computer files and is used by hackers who then demand money in exchange for freeing the content. It is becoming a huge problem globally. The solution – dubbed CryptoDrop – detected the malware and stopped it after it had encrypted just a handful of files, said its developers.

Patrick Traynor, an associate professor in UF’s department of computer and information science, worked with PhD student Nolen Scaife and Henry Carter, from Villanova University, on the software. “Our system is more of an early-warning system,” Mr Scaife said.

“It doesn’t prevent the ransomware from starting… it prevents the ransomware from completing its task… so you lose only a couple of pictures or a couple of documents rather than everything that’s on your hard drive, and it relieves you of the burden of having to pay the ransom.” In tests, CryptoDrop spotted 100% of malware samples and stopped them after an average of 10 files had been encrypted, researchers said.
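Both the Intercept X description above (watch for a process that starts encrypting, keep a pre-encryption copy in a safe store, evict and roll back if it is judged malicious) and CryptoDrop (stop the process after a handful of files) rest on the same behavioural idea. The sketch below is an added example, not code from either product: it uses a low-to-high jump in Shannon entropy of a rewritten file as the "encryption started" signal and a per-process file count as the eviction threshold; both the 7.0 bits/byte threshold and the 10-file limit are assumptions, and the sample file contents are constructed.

```python
import math
from collections import defaultdict

# Assumed parameters (not from the page): ciphertext sits near 8.0 bits/byte,
# and the 10-file limit mirrors the average at which CryptoDrop stopped samples.
ENTROPY_THRESHOLD = 7.0
MAX_SUSPECT_FILES = 10

# Constructed sample contents: ordinary text, and a stand-in for ciphertext that
# contains every byte value once (entropy exactly 8.0 bits/byte).
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat.\n" * 4
CIPHERTEXT_LIKE = bytes(range(256))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated byte, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


class EncryptionMonitor:
    """Tracks, per process, rewrites that turn low-entropy content into high-entropy
    content, keeps the original bytes in a safe store, and blocks the process once
    it has done this to too many files. Comparing before AND after avoids flagging
    legitimate rewrites of files that are already compressed or encrypted."""

    def __init__(self, threshold=ENTROPY_THRESHOLD, max_files=MAX_SUSPECT_FILES):
        self.threshold = threshold
        self.max_files = max_files
        self.safe_store = defaultdict(dict)   # pid -> {path: original bytes}
        self.blocked = set()

    def observe_write(self, pid: int, path: str, before: bytes, after: bytes) -> str:
        """Called for each file rewrite. Returns 'ok', 'suspect' or 'blocked'."""
        if pid in self.blocked:
            return "blocked"
        looks_encrypted = (shannon_entropy(before) < self.threshold
                           and shannon_entropy(after) >= self.threshold)
        if not looks_encrypted:
            return "ok"
        # Save the pre-encryption content the first time this path is touched.
        self.safe_store[pid].setdefault(path, before)
        if len(self.safe_store[pid]) >= self.max_files:
            self.blocked.add(pid)
            return "blocked"
        return "suspect"

    def restore(self, pid: int) -> dict:
        """Hand back {path: original bytes} for an evicted process and clear its store."""
        return self.safe_store.pop(pid, {})


def demo() -> list:
    """Simulate one process encrypting documents; returns the verdict per write."""
    monitor = EncryptionMonitor()
    return [monitor.observe_write(7, f"/home/user/doc{i}.txt", PLAINTEXT, CIPHERTEXT_LIKE)
            for i in range(MAX_SUSPECT_FILES + 1)]


if __name__ == "__main__":
    print(demo())
```

A real product adds further indicators (file-type changes, similarity to the original, process reputation) before evicting, since a legitimate backup or encryption tool produces the same entropy jump; the safe store is what makes a wrong eviction recoverable.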

In May, the FBI issued a warning saying that the number of ransomware attacks had doubled in the past year and was expected to grow even more rapidly this year. It said that it had received more than 2,400 complaints last year and estimated losses from such attacks at $24m (£18m) for individuals and businesses.

Governments, large companies, banks, hospitals and educational institutions are all among the victims of such attacks. Richard Cassidy, an expert at security firm Alert Logic, said of CryptoDrop: “Whilst the steps taken by researchers at the University of Florida are indeed a novel way in which to detect and contain ransomware, it doesn’t serve as the ‘silver bullet’ for ransomware as a whole.”

“There are new variants being written all the time and ransomware writers will indeed take the time to dissect and understand how this new technology operates, creating versions that will attempt to either bypass detection, or at the very least search more effectively for likely sensitive files, before encrypting them, with the hope of having the biggest impact of securing a ransom payment.”

The team at UF currently has a prototype that works with Windows-based systems. It is seeking a commercial partner for the software, having recently presented its paper on the technology at a conference in Japan.


Android 7.0 Nougat Will Block Screen Lock Ransomware


Google will include a new defensive measure in the upcoming Android 7.0, or Nougat, operating system that will block ransomware designed to lock the device’s display.

Nougat will be able to defeat malware such as Android.Lockdroid.E that scares a victim into downloading the malware using a fake interface. Once on the device the malware resets the lockscreen password by invoking the device’s “resetpassword” API, wrote Symantec researcher Dinesh Venkatesan. Nougat will contain a “condition” that will only allow the API to set, and not reset, the password.

“This development will be effective in ensuring that malware cannot reset the lockscreen password, as the change is strictly enforced and there is no backward compatibility escape route for the threat. Backward compatibility would have allowed malware to reset the lockscreen password even on newer Android versions,” Venkatesan wrote.

Nougat is currently being beta tested and is expected to become available later this year.