Table of Contents
- Is Your Android Tablet Hiding Pre-Installed Malware You Never Agreed To?
- What Keenadu Is and Why It Matters
- How the Infection Works
- The Scale of the Problem
- Which Devices Are at Risk
- What You Should Do Right Now
- The Broader Security Lesson
Is Your Android Tablet Hiding Pre-Installed Malware You Never Agreed To?
Kaspersky’s February 17, 2026 report confirmed what many security professionals had long suspected: a new Android backdoor named Keenadu was embedded directly inside device firmware — not downloaded later, but present from the moment the device left the factory.
What Keenadu Is and Why It Matters
Keenadu is a backdoor implanted inside libandroid_runtime.so, a core Android runtime library that every app on the device depends on. Because it lives at the firmware level rather than in a standalone app, standard antivirus scans often miss it entirely.
This matters for you as a device owner because the infection happens before you power the device on for the first time. You take no wrong action. You install nothing malicious. The risk arrives with the product itself.
How the Infection Works
The compromise unfolds in a fixed sequence that begins before the device ever boots:
- Firmware build phase — A malicious static library is linked directly into libandroid_runtime.so during manufacturing or firmware compilation
- Zygote injection — On launch, Keenadu injects a copy of itself into the Zygote process, which is the parent process of every Android app; this means every app you open carries the backdoor in its memory space
- OTA delivery — In several confirmed cases, the compromised firmware was pushed to devices through an over-the-air (OTA) update, meaning even originally clean devices became infected later
- Payload execution — The multi-stage loader then contacts remote operators, who can hijack your browser’s search engine, silently interact with ads, and monetize new app installations without your knowledge
In certain firmware versions, Keenadu was found embedded inside core system utilities — including the facial recognition service and the launcher app — making removal nearly impossible without flashing a clean firmware image.
The Scale of the Problem
Kaspersky’s telemetry identified 13,715 confirmed infections worldwide, with the highest concentrations in Russia, Japan, Germany, Brazil, and the Netherlands. Germany’s presence on this list is not surprising. Back in December 2024, Germany’s Federal Office for Information Security (BSI) had already flagged 30,000 Android devices — digital picture frames, media players, and tablets — carrying preinstalled BadBox malware embedded in firmware.
Keenadu ties several of the most active Android botnets into a single web: Triada, BadBox, Vo1d, and now Keenadu itself. This linkage tells security researchers that the actors behind these campaigns share infrastructure and possibly the same source-code supply chain.
Which Devices Are at Risk
Kaspersky confirmed the malware in tablets from multiple manufacturers. Chinese tablet maker Alldocube publicly acknowledged malware in one of its models — but Kaspersky’s investigation found the company had continued distributing the infected firmware in subsequent updates for the same device.
The pattern strongly suggests that low-cost, no-name Android tablets imported from China represent the highest risk category. Google has removed at least three apps carrying Keenadu’s malicious payload from the Google Play Store, though Kaspersky has not publicly named either the manufacturers or the specific apps.
What You Should Do Right Now
If you own a budget Android tablet — especially one purchased through a third-party online marketplace rather than an authorized retailer — treat these steps as non-negotiable:
- Check for Play Protect certification — Go to google.com/android/find or check Settings → Security → Google Play Protect; uncertified devices carry a significantly higher firmware risk
- Avoid sideloading apps — Third-party APK repositories are a confirmed distribution channel for Keenadu payloads
- Monitor unusual data usage — Keenadu operates silently in the background; unexplained spikes in mobile data often signal covert ad interaction or payload retrieval
- Flash certified firmware — If your device manufacturer offers a verified, signed firmware image through an official channel, updating to it is the most effective mitigation
- Disconnect and replace if uncertain — For devices without official firmware support, disconnecting from the internet removes the command-and-control link; replacing the device entirely removes the risk
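One defensive check an administrator can build from the two sections above (the implant living in libandroid_runtime.so, and the advice to flash signed firmware and watch for later changes), as an added example that is not part of Kaspersky's report or any vendor tool: snapshot a tablet's build fingerprint, patch level and runtime-library hash over adb, then alert when a later snapshot shows the library changed. It assumes adb on PATH, a device authorized for USB debugging, and a toybox sha256sum on the device; the script name and snapshot format are this example's own.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): baseline-and-compare triage for Android tablets.
# A snapshot records the build fingerprint, security patch level and SHA-256 of
# libandroid_runtime.so, the library the article names as the implant host.
# Assumptions: adb on PATH, USB debugging authorized, toybox sha256sum on the device.

LIBS="/system/lib64/libandroid_runtime.so /system/lib/libandroid_runtime.so"

# collect_snapshot SERIAL OUTFILE: write one key=value line per property or library hash.
collect_snapshot() {
  serial="$1"; out="$2"
  {
    printf 'fingerprint=%s\n' "$(adb -s "$serial" shell getprop ro.build.fingerprint | tr -d '\r')"
    printf 'patch=%s\n' "$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')"
    for lib in $LIBS; do
      # A library absent from this firmware (32-bit-only or 64-bit-only) yields an empty hash.
      h=$(adb -s "$serial" shell "[ -f $lib ] && sha256sum $lib | cut -d' ' -f1" | tr -d '\r')
      printf 'sha256 %s=%s\n' "$lib" "$h"
    done
  } > "$out"
}

# compare_snapshots BASELINE CURRENT: print every changed key; return 1 when a runtime
# library hash differs from the baseline (the pattern to escalate), 0 otherwise.
# A fingerprint or patch change alone is reported as INFO: a legitimate OTA can replace
# the library too, so take the baseline from a signed image, not from a device of
# unknown provenance.
compare_snapshots() {
  base="$1"; cur="$2"; rc=0
  while IFS='=' read -r key val; do
    old=$(grep -F -- "$key=" "$base" | cut -d= -f2-)
    [ "$old" = "$val" ] && continue
    case "$key" in
      sha256*) echo "ALERT $key changed: '$old' -> '$val'"; rc=1 ;;
      *)       echo "INFO  $key changed: '$old' -> '$val'" ;;
    esac
  done < "$cur"
  return $rc
}

# Usage: ./triage.sh collect SERIAL OUT   |   ./triage.sh compare BASELINE CURRENT
case "${1:-}" in
  collect) collect_snapshot "$2" "$3" ;;
  compare) compare_snapshots "$2" "$3" ;;
esac
```

Run `collect` once against a freshly flashed, signed image to produce the baseline, then periodically against the device and `compare` the two; an ALERT on the runtime library without a matching firmware release is the signal to pull the device from service.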
The Broader Security Lesson
The Keenadu case reinforces a pattern that has repeated across BadBox, Triada, and Vo1d: the supply chain itself is the attack surface. Price-driven purchasing decisions — where a $40 tablet seems like a bargain — frequently transfer hidden costs onto the buyer in the form of stolen credentials, ad fraud revenue, and potential access to your home network.
Kaspersky’s full investigation report, titled “Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets”, provides the most technically detailed account available and is worth reviewing if you manage devices in a business or community environment.