New Keenadu backdoor found in Android firmware, Google Play apps
Summary: A new Android malware, Keenadu, has been found embedded in the firmware of devices from multiple brands; it can control every installed app and fully take over infected devices. It spreads through several channels, including OTA updates and third-party app stores. As of February 2026 it had infected 13,000 devices. Its capabilities include data theft and ad fraud, and it can evade some security mechanisms.

2026-02-17 14:15:17 Author: www.bleepingcomputer.com (view original)

A newly discovered and sophisticated Android malware called Keenadu has been found embedded in firmware from multiple device brands, enabling it to compromise all installed applications and gain unrestricted control over infected devices.

According to a report from cybersecurity company Kaspersky, Keenadu has multiple distribution mechanisms, including compromised firmware images delivered over-the-air (OTA), via other backdoors, embedded in system apps, modified apps from unofficial sources, and even through apps on Google Play.

There are multiple variants of Keenadu, each with its own set of capabilities, the most potent of them being the firmware-based version.

As of February 2026, Kaspersky has confirmed 13,000 infected devices, many located in Russia, Japan, Germany, Brazil, and the Netherlands.

The security researchers compare Keenadu to Triada, another Android malware family they spotted in counterfeit Android devices last year, mostly low-cost phones that go through shady supply chain routes.

In its firmware-integrated variant, Keenadu does not activate if the language or timezone is associated with China, which may represent a potential clue about its origin. The malware also stops if the Google Play Store and Play Services are not found on the device.

Although its operators currently use it mainly for ad fraud, Kaspersky notes that the malware's capabilities go far beyond that: it can carry out broad data theft and other risky actions on the compromised device.

“Keenadu is a fully functional backdoor that provides the attackers with unlimited control over the victim’s device,” Kaspersky told BleepingComputer.

“It can infect every app installed on the device, install any apps from APK files, and give them any available permissions.”

“As a result, all information on the device, including media, messages, banking credentials, location, etc. can be compromised. The malware even monitors search queries that the user inputs into the Chrome browser in incognito mode,” the researchers said.

The Keenadu variant embedded in system apps is more limited in functionality. However, its elevated privileges allow it to install any app without alerting the user.

Kaspersky researchers found the malware embedded in a system app for facial recognition, typically used for unlocking the device and various authorization and authentication actions.
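The system-app variant described above relies on the privileges of the host package: a pre-installed app holding android.permission.INSTALL_PACKAGES can install APKs with no user prompt. The script below is an added triage example, not code from Kaspersky or BleepingComputer. It enumerates the system packages on an attached device, parses the real `dumpsys package` output for that permission, and reports any holder that a baseline you built from a known-clean device or firmware image does not account for. It assumes `adb` is on PATH with an authorized device; the baseline file name (baseline_installers.txt) and the function names are ours.

```shell
#!/bin/sh
# Added example: find system packages that can install APKs silently and flag
# those missing from a baseline taken on a clean device of the same build.
# Assumes adb is on PATH and the device is authorized. Baseline file format:
# one package name per line (hypothetical path: ./baseline_installers.txt).

# Read a 'dumpsys package <pkg>' dump on stdin; succeed only if the package
# has android.permission.INSTALL_PACKAGES granted (the real dumpsys wording).
has_install_packages() {
    tr -d '\r' | grep -q 'android\.permission\.INSTALL_PACKAGES: granted=true'
}

# Enumerate system packages (-s) and print "package apk_path" for each one
# that holds INSTALL_PACKAGES. Output is meant to be saved to a file.
list_installers() {
    adb shell pm list packages -s | tr -d '\r' | sed 's/^package://' |
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        if adb shell dumpsys package "$pkg" | has_install_packages; then
            apk=$(adb shell pm path "$pkg" | tr -d '\r' | sed 's/^package://' | head -n 1)
            echo "$pkg $apk"
        fi
    done
}

# unexpected_installers FOUND BASELINE: print the package names from FOUND
# (first field of each "package apk_path" line) that are not in BASELINE.
unexpected_installers() {
    found="$1"; baseline="$2"
    while read -r pkg rest; do
        [ -n "$pkg" ] || continue
        grep -qx "$pkg" "$baseline" || echo "$pkg"
    done < "$found"
}

# Usage (device attached):
#   list_installers > found_installers.txt
#   unexpected_installers found_installers.txt baseline_installers.txt
```

Several OEM and Google packages legitimately hold this permission (the package installer, the Play Store, vendor updaters), so a name that is in the baseline is expected, not proof that the APK is clean; a package that is absent from the baseline, or present under a different path than on the clean image, is what deserves a closer look. Hash the APK at the reported path against the copy in the clean firmware before deciding.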

The researchers also found the malware on Google Play, in smart home camera apps that had 300,000 downloads, which are no longer available in the official Android store.

[Image: Keenadu loader apps on Google Play. Source: Kaspersky]

When opened, the apps launched invisible web browser tabs within the host app that navigated to websites in the background. Kaspersky notes that this resembles the behavior of APKs discovered by Dr.Web earlier this year.

According to the researchers, Keenadu is present in the firmware of Android tablets from multiple makers. On one product, the Alldocube iPlay 50 mini Pro (T811M) tablet, the malicious firmware was dated August 18, 2023.

After a customer in March 2024 stated that Alldocube's OTA server had been compromised and a threat actor inserted malware in the firmware, the company acknowledged "a virus attack through OTA software" but did not provide information on the type of threat.

Kaspersky published a detailed technical analysis of the Keenadu backdoor, explaining how the malware compromised libandroid_runtime.so, a core Android system library. Because that library is loaded into the zygote process from which every app process is forked, code planted in it runs "within the context of every app on the device."

The researchers warn that because the malware is embedded so deeply in the firmware, it cannot be removed with standard Android OS tools. They recommend that users find and install a clean firmware version for their device.
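Before reflashing, a practitioner will want to know whether a given device actually carries a modified libandroid_runtime.so. The script below is an added example, not code from the Kaspersky report or from BleepingComputer. It hashes the core runtime files in an unpacked clean firmware image of the same build, hashes the same paths on the attached device, and diffs the two manifests; it also prints the build fingerprint, build date and verified-boot state. It assumes `adb` is on PATH with an authorized device, that the clean system image has been unpacked (for example with simg2img and a loop mount) under the directory passed as the first argument, and that `sha256sum` is available on both the host and the device (toybox provides it on Android 6 and later). The file list and manifest names are ours; the property names and paths are the standard Android ones.

```shell
#!/bin/sh
# Added example: compare a device's core runtime libraries against a clean
# firmware image of the same build. Assumes adb on PATH with an authorized
# device and the clean image unpacked under the directory given to
# hash_clean_image. CORE_FILES is our own choice of files to check.

CORE_FILES="system/lib64/libandroid_runtime.so system/lib/libandroid_runtime.so system/framework/framework.jar system/framework/services.jar"

# Print build identity and boot state. Verified boot only attests that the
# system image is the one the vendor signed; a malicious image shipped through
# the vendor's own OTA channel still reports 'green', so do not stop here.
show_boot_state() {
    for p in ro.build.fingerprint ro.build.date ro.boot.verifiedbootstate ro.boot.flash.locked; do
        printf '%-26s %s\n' "$p" "$(adb shell getprop "$p" | tr -d '\r')"
    done
}

# hash_clean_image ROOT: emit 'sha256  relative/path' lines for the core files
# present in the unpacked clean image rooted at ROOT.
hash_clean_image() {
    root="$1"
    for f in $CORE_FILES; do
        if [ -f "$root/$f" ]; then (cd "$root" && sha256sum "$f"); fi
    done
}

# hash_device: same manifest format, read from the attached device. Hashing
# from / keeps the paths relative so the two manifests line up.
hash_device() {
    for f in $CORE_FILES; do
        adb shell "[ -f /$f ] && cd / && sha256sum $f" | tr -d '\r'
    done
}

# compare_manifests CLEAN DEVICE: print one status line per file in CLEAN
# (OK, MISMATCH, or MISSING on the device); return 1 if anything is wrong.
compare_manifests() {
    clean="$1"; device="$2"; rc=0
    while read -r hash path; do
        [ -n "$path" ] || continue
        dev_hash=$(awk -v p="$path" '$2 == p { print $1 }' "$device")
        if [ -z "$dev_hash" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$dev_hash" != "$hash" ]; then
            echo "MISMATCH $path"; rc=1
        else
            echo "OK       $path"
        fi
    done < "$clean"
    return $rc
}

# Usage (device attached, clean image unpacked under ./clean_root):
#   show_boot_state
#   hash_clean_image ./clean_root > clean.manifest
#   hash_device > device.manifest
#   compare_manifests clean.manifest device.manifest
```

A MISMATCH on libandroid_runtime.so when ro.build.fingerprint matches the clean image is the signal this article is about: the same advertised build with a different runtime library. The comparison is only meaningful if the clean image really is the same build and was obtained from a source other than the suspect OTA channel, since the Alldocube case above involved a compromised OTA server.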

An alternative is to install firmware from a reputable third party, although this carries the risk of bricking the device if the image is incompatible.

One of the safest options is to stop using the device and replace it with a product from trusted vendors and authorized distributors.


Source: https://www.bleepingcomputer.com/news/security/new-keenadu-backdoor-found-in-android-firmware-google-play-apps/