Transcript
A (0:04)
A supply chain attack plants backdoors on Android tablets, the EU blocks AI from lawmakers' devices, Cellebrite was used against a Kenyan politician, and a Chinese APT is exploiting a Dell zero-day. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 18th of February, and this podcast episode is brought to you by runZero, the total attack surface and exposure management platform. In today's top story, a supply chain attack has planted backdoors in the firmware of several Android tablet makers. Threat actors use the Qiandu backdoor to perform click fraud, hijack browser search settings, or deploy unwanted apps in pay-per-install schemes. The backdoor has been spotted as far back as August 2023. At least 13,000 users have been infected. In other news, Europe has disabled AI features on work devices used by parliamentarians and their staff. Members of Parliament were notified of the change in an email on Monday. The Parliament's IT department cited cybersecurity and data safety concerns. They said AI tools sent data to cloud servers outside Europe's control. The EU's data protection authorities will support the Commission's effort to simplify the bloc's tech rules. The authorities support the digital regulatory framework but warned against weakening the GDPR. The EU's Digital Omnibus regulation is set to narrow the definition of personal data and remove anonymised information from the personal data category. The European Data Protection Board and the European Data Protection Supervisor also support incorporating user consent inside browser settings to reduce consent fatigue. The head of CISA's threat hunting unit is leaving the agency. Jermaine Roebuck announced his departure in an internal meeting last week. Roebuck is leaving voluntarily to take a job in the private sector.
Russia's FSB intelligence service has been granted the power to cut mobile and Internet connections even if there is no threat to national security. The Duma passed the law after its third reading, when the national security requirement was removed. The law was proposed in November to counter Ukrainian drone attacks. Kenyan authorities used Cellebrite's phone-cracking software against the device of an activist and political opponent. Boniface Mwangi says his phone was exploited when he was arrested in July last year. Researchers at Citizen Lab found traces of Cellebrite's software on Mwangi's Samsung phone. Mwangi plans to run for president in Kenya's 2027 elections. Passport and ID scans of more than 700 attendees at Abu Dhabi Finance Week have been leaked. The leak is believed to have exposed the personal details of billionaires and political figures. Conference attendees included former British Prime Minister David Cameron, hedge fund billionaire Alan Howard, and former White House communications director Anthony Scaramucci. The exposed cloud server has now been secured. A ransomware attack has hit the Land and Agricultural Development Bank of South Africa. The incident took place last month. The bank shut down some IT systems and issued new laptops to employees. The attackers allegedly asked for $3 million in ransom. No group has taken credit for the attack. Tulsa International Airport has fallen victim to a ransomware attack. The airport recovered three days after the Jan. 17 incident. The Airport Authority says employees' personal data was exposed, including Social Security numbers and banking data. Polish authorities have arrested a 47-year-old man for using the Phobos ransomware. At the time of his arrest, the suspect was in possession of hacked credentials and was in communication with the Phobos ransomware group. His arrest is part of Europol's Operation Ether, which is targeting the Phobos group and its affiliates. Almost 4,000 WhatsApp accounts have been hacked in Armenia.
Attackers use the hacked accounts to register WhatsApp Business profiles and send spam. CyberHub AM, a non-profit that works as a CERT for Armenian civil society, claims attackers have exploited weaknesses in WhatsApp's SMS two-factor authentication. The Kimwolf IoT botnet has accidentally swamped the I2P anonymity network. The disruptions started two weeks ago and are preventing legitimate users from connecting to I2P resources. The issues began after Kimwolf started using I2P to host some of its command and control servers. The extra connections from millions of hacked routers and set-top boxes flooded the network. Google has patched a Chrome zero-day being exploited in the wild. The zero-day is a memory corruption issue in how Chrome processes font names. The vulnerability can be used to run malicious code inside the Chrome sandbox. A suspected Chinese APT is exploiting a zero-day in Dell RecoverPoint for Virtual Machines. Google has linked the attacks to a group it tracks as UNC6201. The zero-day is a set of hard-coded admin credentials for the app's integrated Tomcat server. Google says the group uses the credentials to upload a malicious WAR file to run commands as root on the appliance. Iranians are being targeted with a new Windows backdoor named Crescent Harvest. The campaign began shortly after this year's anti-government protests in the country. It targets individuals who attend protests in Iran as well as in the West. Security firm Acronis has not attributed the attacks, but says this is likely the work of an Iranian-aligned group. According to multiple reports, the Iranian government is also using mobile telephony data to track down protest attendees. At least two Iranian cyber groups deployed data-wiping malware against Israeli critical sector organisations during last year's conflict. Security firm Dragos didn't specify if the attacks were successful.
The company tracks the groups as Bauxite and Pyroxene, but they're more broadly known as Cyber Avengers and APT35. Pyroxene is one of three new groups Dragos has spotted targeting industrial control systems. Academics have found 27 vulnerabilities in four cloud-based password managers. The worst bugs allowed attackers to leak metadata, downgrade encryption, or grant access to stored credentials. The research considered a scenario where a malicious party had taken control of the cloud server and was launching attacks against users and the app's encryption. Bitwarden, LastPass, Dashlane, and 1Password have all addressed the researchers' findings. Apple will enable its Stolen Device Protection feature by default. Users will be required to authenticate using Face ID or Touch ID before making changes to sensitive device settings. Setting changes will also have a one-hour delay. Apple added the feature in 2023. It will be enabled for all users in the upcoming iOS version 26.4. Samsung has developed a feature that reduces the viewing angle of phone displays. The Privacy Display uses a new type of OLED panel that prevents people nearby from reading screens from an angle. The new feature will be available in the company's upcoming S26 models. And finally, the Notepad text editor has improved its update system. The app now verifies the update information received from Notepad servers, as well as the installer itself. The changes come after a Chinese APT hijacked the app's update servers last year and launched targeted attacks. And that is all for this podcast edition. Today's show was brought to you by our sponsor, runZero. Find them at runzero.com. Thanks for your company.
