Risky Bulletin: Supply Chain Attack Plants Backdoor on Android Tablets

Podcast: Risky Bulletin (Risky Biz)
Host/Reader: Claire Aird
Date: February 18, 2026

Episode Overview

This episode delivers a brisk, authoritative roundup of recent high-impact cybersecurity news, including a supply chain attack on Android tablets, EU regulatory moves on AI, updates on major ransomware incidents, and insight into global APT (Advanced Persistent Threat) activities. It focuses on how threat actors are targeting both individuals and institutions worldwide through increasingly sophisticated vectors, as well as recent policy shifts designed to shore up digital privacy and security.

Key Discussion Points & Insights

1. Supply Chain Backdoor on Android Tablets

• Details:
  • Several Android tablet brands have shipped devices with backdoors embedded in firmware—a result of a supply chain attack.
  • The Qiandu backdoor has been utilized since at least August 2023 for click fraud, hijacking browser settings, and deploying pay-per-install app schemes.
  • At least 13,000 users are confirmed victims.
• Quote (00:11):

  "Threat actors use the Qiandu backdoor to perform click fraud, hijack browser search settings, or deploy unwanted apps in pay per install schemes."

• Type of Threat:
  • Hidden, persistent, and monetized via fraudulent activity.

2. EU Bans AI Features on Lawmakers' Devices

• Policy Move:
  • European Parliament disables AI features on work devices for MPs and staff due to privacy concerns.
  • AI tools reportedly transmit data to non-EU cloud servers.
• Supporting Details (01:04):
  • European data authorities support strengthening digital regulation and simplifying tech laws.
  • Debate ongoing over GDPR and its scope concerning anonymised data and user consent fatigue.
• Quote (01:22):

  "The authorities support the digital regulatory framework but warned against weakening the GDPR."

3. Leadership Update: CISA

• Personnel Change:
  • Jermaine Roebuck, head of CISA's threat hunting, leaving for the private sector. Resignation was voluntary.

4. FSB Gains Expanded Surveillance Powers

• Legal Update (01:47):
  • Russia grants FSB authority to cut internet and mobile networks without needing a national security pretext.
• Motivation:
  • Initially an antidrone measure, but expanded to broader powers.

5. Cellebrite Used Against Kenyan Politician

• Incident Details (02:07):
  • Activist Boniface Mwangi’s phone was exploited using Cellebrite’s forensic tools during his July 2025 arrest.
  • Citizen Lab confirmed traces of the software.
  • Mwangi is a potential 2027 presidential candidate.
• Quote (02:16):

  "Researchers at Citizen Lab found traces of Cellebrite's software on Mwangi's Samsung phone."

6. Major Data Leaks

• Abu Dhabi Finance Week (02:28):
  • Passport and ID for 700+ high-profile attendees leaked due to misconfigured cloud storage, now secured.
• Notable Victims:
  • Politicians, financiers, including David Cameron, Alan Howard, Anthony Scaramucci.

7. Recent Ransomware Attacks

• South Africa's Land and Agricultural Development Bank (02:48):
  • $3 million ransom demand after IT systems taken offline.
• Tulsa International Airport (02:57):
  • Ransomware exposed employee SSNs and banking information; recovery in 3 days.

8. Ransomware Arrest in Poland

• Details:
  • Man arrested with ties to Phobos ransomware, found with stolen credentials (03:06).
  • Part of Europol’s wider Operation Ether.

9. WhatsApp Attacks in Armenia

• Details (03:19):
  • Nearly 4000 accounts hacked to create spam business profiles, exploiting weaknesses in SMS two-factor authentication.
• Quote:

  "Attackers have exploited weaknesses in WhatsApp's SMS two factor authentication."

10. IoT Botnet Disruption

• Incident (03:39):
  • Kimwolf botnet overwhelmed the i2P anonymity network by using it for C2 (command and control), disrupting legitimate user access.

11. Google Chrome Zero-Day Patched

• Details (03:52):
  • Chrome patched a memory corruption zero-day, actively exploited for remote code execution.

12. Chinese APT Exploits Zero-Day in Dell RecoverPoint

• Threat Group:
  • UNC6201 exploits hardcoded admin credentials for total appliance compromise (04:05).

13. Targeted Attacks on Iranian Protesters

• Windows Backdoor:
  • Crescent Harvest deployed against protest attendees both inside Iran and abroad (04:23).
• Broader Repression:
  • Iranian groups also using telecom data for protester identification.

14. Iranian Cyber Groups Attacking Israeli Critical Infrastructure

• Groups Involved:
  • Bauxite and Pyroxene (Cyber Avengers/APT35) used data wiping malware against critical sectors during last year's conflict.

15. Vulnerabilities in Cloud Password Managers

• Findings:
  • 27 vulnerabilities in four major services: Bitwarden, LastPass, Dashlane, and 1Password.
  • Issues included data leakage and encryption downgrades if a server was compromised.
• Quote (05:08):

  "The research considered a scenario where a malicious party had taken control of the cloud server and was launching attacks against users and the app's encryption."

16. Apple & Samsung Enhance Consumer Security

• Apple:
  • Stolen Device Protection will be enabled by default in iOS 26.4; Face ID/Touch ID required for sensitive changes, plus a one-hour delay.
• Samsung:
  • New privacy display tech narrows viewing angles in S26 models to prevent shoulder surfing.

17. Notepad Secure Update Improvements

• Background:
  • Following a Chinese APT's attack on its update channels, Notepad now authenticates update data and installers to block tampering.

Notable Quotes & Moments

• On supply chain attacks:
  "Threat actors use the Qiandu backdoor to perform click fraud, hijack browser search settings, or deploy unwanted apps in pay per install schemes." (Claire Aird, 00:11)

• On EU AI regulation:
  "The authorities support the digital regulatory framework but warned against weakening the GDPR." (Claire Aird, 01:22)

• On Cellebrite use in Kenya:
  "Researchers at Citizen Lab found traces of Cellebrite's software on Mwangi's Samsung phone." (Claire Aird, 02:16)

• On WhatsApp exploitation:
  "Attackers have exploited weaknesses in WhatsApp's SMS two factor authentication." (Claire Aird, 03:26)

Timestamps for Major Segments

• 00:04–00:55 – Android tablet supply chain backdoor
• 01:00–01:45 – EU disables AI, new data regulation debate
• 01:47–02:05 – CISA leadership change, FSB new powers
• 02:07–02:27 – Cellebrite in Kenya, ABU Dhabi attendee data leak
• 02:48–03:03 – South Africa/US ransomware incidents
• 03:06–03:18 – Polish ransomware arrest, Operation Ether
• 03:19–03:37 – WhatsApp hacks in Armenia
• 03:39–03:50 – i2P network disruption by Kimwolf botnet
• 03:52–04:23 – Chrome/Dell vulnerabilities, Iranian protester targeting
• 04:33–05:11 – Iran/Israel cyber conflict, password manager vulnerabilities
• 05:12–05:53 – Apple/Samsung privacy upgrades, Notepad update hardening

Tone & Style

The episode maintains a concise, matter-of-fact yet urgent tone, providing actionable intelligence for IT, policy, and security professionals. Technical jargon is employed where necessary but context is given for broader understanding.

This summary captures the episode’s dense reporting, delivering actionable snapshots of the most pressing cybersecurity headlines for February 18, 2026.