{
	"id": "407aa20f-e339-469f-ad66-9e8378b9390f",
	"created_at": "2026-05-14T02:02:30.38151Z",
	"updated_at": "2026-05-14T02:03:50.155906Z",
	"deleted_at": null,
	"sha1_hash": "1a5eab1929d290874b10a682ac8ffa9f120df038",
	"title": "Kaspersky discovers Keenadu – a multifaceted Android malware that can come preinstalled on new devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 330360,
	"plain_text": "Kaspersky discovers Keenadu – a multifaceted Android malware\r\nthat can come preinstalled on new devices\r\nBy Kaspersky\r\nPublished: 2026-02-17 · Archived: 2026-05-14 02:02:07 UTC\r\nKaspersky has detected a new malware for Android devices that it dubbed Keenadu. This malware is\r\ndistributed in multiple forms – it can be preinstalled directly into devices’ firmware, embedded within\r\nsystem apps, or even downloaded from official app stores such as Google Play. Currently Keenadu is used\r\nfor ad fraud, with attackers using infected devices as bots to deliver link clicks on ads, but it can also be\r\nused for malicious purposes, with some variants even allowing full control of the victim’s device.\r\nAs of February 2026, Kaspersky mobile security solutions detected over 13,000 devices infected with Keenadu.\r\nThe highest numbers of the attacked users have been observed in Russia, Japan, Germany, Brazil, and the\r\nNetherlands, but other countries have been affected as well.\r\nKeenadu distribution vectors\r\nIntegrated into device firmware\r\nSimilar to the Triada backdoor that Kaspersky detected in 2025, some versions of Keenadu are integrated into the\r\nfirmware of several models of Android tablets at one of the supply chain stages. In this variant, Keenadu is a fully\r\nfunctional backdoor that provides the attackers with unlimited control over the victim’s device. It can infect every\r\napp installed on the device, install any apps from APK files and give them any available permissions. As a result,\r\nall information on the device, including media, messages, banking credentials, location, etc. 
can be compromised.\r\nThe malware even monitors search queries that the user inputs into the Chrome browser in incognito mode.\r\nhttps://www.kaspersky.com/about/press-releases/kaspersky-discovers-keenadu-a-multifaceted-android-malware-that-can-come-preinstalled-on-new-devices\r\nPage 1 of 3\n\nWhen integrated into the firmware, the malware behaves differently depending on several factors. It will not\r\nactivate if the language set on the device is one of the Chinese dialects, and the time is set to one of the Chinese time\r\nzones. It will also not launch if the device doesn’t have Google Play Store and Google Play Services installed.\r\nEmbedded within system apps\r\nIn this variant, the functionality of Keenadu is limited – it cannot infect every app on the device, but since it exists\r\nwithin a system app (which has elevated privileges compared to usual apps), it can still install any side apps that\r\nthe attackers choose without the user knowing. What’s more, Kaspersky discovered Keenadu embedded within a\r\nsystem application responsible for unlocking the device with the user’s face. The attackers could potentially\r\nacquire the victim’s face data. In some cases, Keenadu was embedded within the home screen app which is\r\nresponsible for the home screen interface.\r\nEmbedded within apps distributed through Android app stores\r\nKaspersky experts also discovered that several apps distributed on Google Play are infected with Keenadu. These\r\nare apps for smart home cameras, and they’ve been downloaded over 300,000 times. As of the time of publication,\r\nthese apps have been removed from Google Play. 
When the apps are launched, attackers may launch invisible web\r\nbrowser tabs within the apps that can be used to browse through different websites without the user knowing.\r\nPrevious research from other cybersecurity researchers also showed similar infected apps being distributed via\r\nstandalone APK files or through other app stores.\r\nInfected apps on Google Play\r\n“As our recent research showed, preinstalled malware is a pressing issue on multiple Android devices. Without\r\nany actions on the user side, a device can be infected right out of the box. It is important for users to understand\r\nthis risk and use security solutions that can detect this type of malware. Vendors likely didn’t know about the\r\nsupply chain compromise that resulted in Keenadu infiltrating devices, as the malware was imitating legitimate\r\nsystem components. It is important to check every stage of the production process to ensure that device firmware\r\nis not infected,” comments Dmitry Kalinin, security researcher at Kaspersky.\r\nSee the post on Securelist for more information. \r\nRecommendations:\r\nUse a reliable security solution to be promptly notified of similar threats on your device.\r\nIf you are using a device with infected firmware, check for firmware updates. After the update, run a scan\r\nof the device with a security solution.\r\nIf a system app is infected, we recommend that users stop using it and then disable it. If a launcher app is\r\ninfected, we recommend disabling the default launcher and using third-party launchers.\r\nAbout Kaspersky Threat Research\r\nThe Threat Research team is a leading authority in protecting against cyberthreats. 
By actively engaging in both\r\nthreat analysis and technology creation, our TR experts ensure that Kaspersky’s cybersecurity solutions are deeply\r\ninformed and exceptionally potent, providing critical threat intelligence and robust security to our clients and the\r\nbroader community.\r\nSource: https://www.kaspersky.com/about/press-releases/kaspersky-discovers-keenadu-a-multifaceted-android-malware-that-can-come-preinstalled-on-new-devices",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/kaspersky-discovers-keenadu-a-multifaceted-android-malware-that-can-come-preinstalled-on-new-devices"
	],
	"report_names": [
		"kaspersky-discovers-keenadu-a-multifaceted-android-malware-that-can-come-preinstalled-on-new-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1778724150,
	"ts_updated_at": 1778724230,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a5eab1929d290874b10a682ac8ffa9f120df038.pdf",
		"text": "https://archive.orkl.eu/1a5eab1929d290874b10a682ac8ffa9f120df038.txt",
		"img": "https://archive.orkl.eu/1a5eab1929d290874b10a682ac8ffa9f120df038.jpg"
	}
}