Global cybersecurity firm Kaspersky has uncovered a new Android malware strain, dubbed Keenadu, that is being distributed through multiple channels — including preinstallation in device firmware, embedding within system applications, and even via apps previously available on Google Play.
In a statement released on Tuesday, the company said that as of February 2026, its mobile security solutions had detected more than 13,000 infected devices worldwide.
Currently, Keenadu is primarily being used for advertising fraud, turning compromised smartphones and tablets into bots that generate fraudulent ad clicks. However, researchers warned that certain variants of the malware are significantly more dangerous, allowing attackers full control over affected devices.
Supply Chain Compromise
Kaspersky said some versions of Keenadu resemble the Triada backdoor identified in 2025, in that the malware was integrated directly into the firmware of several Android tablet models at one of the supply chain stages.
In its most advanced form, Keenadu acts as a fully functional backdoor capable of infecting every app installed on a device. It can silently install applications from APK files, grant them permissions without user consent, and potentially compromise sensitive data, including media files, messages, banking credentials, and location information. The malware can even monitor search queries entered in the Chrome browser's incognito mode.
Notably, the firmware-level variant remains inactive if the device language is set to one of the Chinese dialects and the time zone corresponds to China. It also does not launch on devices without Google Play Store and Google Play Services installed, suggesting targeted deployment.
System Apps and Biometric Risks
In other cases, Keenadu has been embedded within system applications, granting it elevated privileges. While these versions cannot infect every app, they can still install additional malicious software without user awareness.
Researchers discovered instances where Keenadu was hidden inside a system application responsible for facial recognition unlocking, raising concerns that attackers could potentially access users’ biometric data. In some cases, the malware was also found embedded within home screen launcher applications.
Additionally, several smart home camera apps available on Google Play — downloaded more than 300,000 times — were found infected with Keenadu before being removed from the platform.
Industry Warning
“As our recent research showed, preinstalled malware is a pressing issue on multiple Android devices. Without any action on the user’s side, a device can be infected right out of the box,” said Dmitry Kalinin, a security researcher at Kaspersky.
He added that vendors may have been unaware of the supply chain compromise, as the malware closely imitated legitimate system components. “It is important to check every stage of the production process to ensure that device firmware is not infected,” he said.
Safety Recommendations
Kaspersky advised users to install reliable mobile security solutions to detect threats promptly. If a system app is found infected, users should stop using and disable it. In cases where a launcher app is compromised, switching to a trusted third-party launcher is recommended.
The discovery underscores growing concerns over supply chain vulnerabilities in the Android ecosystem and the increasing sophistication of mobile malware targeting everyday users.



