Kaspersky has identified a new malware targeting Android devices called Keenadu. The malware spreads through multiple vectors: preinstalled in device firmware, embedded within system apps, or downloaded from official app stores such as Google Play. Currently, Keenadu is primarily used for ad fraud, turning infected devices into click-bots, but some variants give attackers full control over victims’ devices.
As of February 2026, Kaspersky mobile security solutions had detected over 13,000 devices infected with Keenadu. The highest numbers of affected users were in Russia, Japan, Germany, Brazil, the Netherlands, and Turkiye, with additional cases reported in other countries.
Integrated into Device Firmware
Similar to the Triada backdoor discovered in 2025, certain versions of Keenadu are embedded in the firmware of multiple Android tablet models during supply chain stages. In this variant, Keenadu functions as a full-featured backdoor, allowing attackers to:
- Infect all installed apps on the device
- Install APK apps with full permissions
- Access media, messages, banking credentials, location, and more
- Monitor user searches in Chrome’s incognito mode
Firmware-integrated Keenadu behaves differently depending on device settings. It does not activate if the device language is set to certain Chinese dialects or the time zone is set to China. It also does not run if Google Play Store and Google Play Services are absent.
Embedded in System Apps
In this version, Keenadu’s functionality is more limited but still exploits the elevated privileges of system apps. It can install side apps without the user’s knowledge. Kaspersky discovered Keenadu embedded in apps responsible for facial unlock, potentially exposing users’ face data, and sometimes in the home screen launcher app controlling the device interface.
Embedded in Apps Distributed via App Stores
Kaspersky researchers also found Keenadu in apps on Google Play, particularly smart home camera apps downloaded over 300,000 times. When these apps are launched, attackers can open hidden browser tabs within them, allowing them to access websites without the user knowing. These apps had been removed from the store by the time of reporting. Similar infected apps were previously observed distributed as standalone APKs or through alternative app stores.
Kaspersky Expert Warning
Security researcher Dmitry Kalinin commented: “Preinstalled malware is a serious threat on Android devices. A device can be compromised straight out of the box without any user action. Users must be aware of this risk and use reliable security solutions. Vendors likely did not detect the supply chain compromise that allowed Keenadu to infiltrate devices, as it disguised itself as a legitimate system component. Every stage of production should be checked to prevent malware from entering device firmware.”
Security Recommendations
- Use trusted mobile security solutions to detect threats like Keenadu promptly.
- If your device firmware is infected, check for updates and scan the device after updating.
- If a system app is infected, stop using it and disable it. If a launcher app is affected, disable the default launcher and switch to a third-party launcher.







