Kaspersky finds Keenadu malware on some new Android devices and apps

Security firm Kaspersky says it has identified Keenadu, a threat that can appear in device firmware, system applications, or apps distributed through Google Play. The finding matters because some users may receive infected devices or apps without taking any action.

What is it?

Keenadu is malware designed to turn infected phones or tablets into bots that generate fraudulent ad clicks. Some variants function as a backdoor, a type of malicious software that allows remote control of a device.

According to the company, more than 13,000 devices had been detected with Keenadu by February 2026. The malware can be delivered in three main ways:

  • Preinstalled in firmware: integrated into the device software during the production or supply chain stage.
  • Embedded in system apps: hidden inside applications with elevated privileges, such as facial recognition or home screen software.
  • Distributed via apps: included in certain third-party applications, including smart home camera apps that were downloaded over 300,000 times before removal.

Why does it matter?

Firmware-level infections can operate with extensive permissions. In such cases, Keenadu may install additional apps, access stored data, and monitor device activity. Reported capabilities include access to media files, messages, location data, and credentials used in apps. Some variants also track search queries entered in private browsing modes.

When embedded in system applications, the malware’s reach is more limited but can still install additional software without user awareness.

Who is affected?

Users of certain Android tablets and phones may be affected if their device firmware or preinstalled apps were compromised during production. Individuals who installed affected smart home camera apps before they were removed from the app store may also be at risk.

What has changed?

Researchers report that Keenadu may remain inactive under specific conditions, such as when a device uses certain Chinese language settings and time zones, or when required Google services are not present. This behavior can affect detection and activation.

What happens next?

The company advises users to run mobile security software capable of detecting system-level threats. If a system app is identified as infected, users are advised to disable it. If a launcher (home screen) app is affected, switching to an alternative launcher is recommended.
