New backdoor found in Android tablets targeting users in Russia, Germany and Japan
Aggregator summary: Researchers have discovered a new Android backdoor named Keenadu that is embedded in device firmware and can infect tablets before they leave the factory. It is used for advertising fraud and other malicious activity, affects multiple manufacturers, and cannot be removed with standard tools; replacing infected devices is recommended.

2026-02-18 17:47:24 Author: therecord.media

Researchers have discovered a new Android backdoor embedded deep inside device firmware that infects tablets before they even reach consumers.

In a report released this week, Russian cybersecurity firm Kaspersky said it uncovered a previously undocumented backdoor dubbed Keenadu. Unlike typical malware that users inadvertently download, Keenadu is built directly into a device’s core software, allowing it to load into every application launched on the tablet.

“Keenadu represents a full-fledged backdoor that allows attackers to gain virtually unrestricted control over the victim’s device,” the researchers said.

Kaspersky reported that over 13,700 users worldwide encountered Keenadu or its modules. The highest number of detections occurred in Russia, Japan, Germany, Brazil and the Netherlands.

The malware was primarily used for advertising fraud. Modules linked to Keenadu were capable of hijacking browser search engines, monitoring the installation of new applications and interacting with advertising components to generate fraudulent revenue. In some cases, users have reported that infected tablets were adding items to marketplace shopping carts without their knowledge.

According to the report, the malware was found integrated into the firmware of tablets from multiple manufacturers, including Chinese device maker Alldocube. The company previously acknowledged malware issues in one of its models, but Kaspersky said subsequent firmware updates for that device — including those released after the public disclosure — remained infected.

The researchers said Keenadu was also found in hardware from other manufacturers, though they did not name them. The company said it had notified the affected vendors.

Researchers believe the malware was inserted into targeted systems during the firmware build stage — likely through a compromised supply chain — meaning devices could have been infected before reaching customers.

“The vendors may have been unaware that their devices were infected prior to reaching the market,” Kaspersky said.

Several variants of the backdoor were identified. The most powerful version was embedded directly into device firmware. Other variants were hidden in applications, including a facial recognition app used for device unlocking, and even in apps distributed through official stores such as Google Play and third-party repositories.

Researchers did not attribute the campaign to a specific threat actor but said the developers demonstrated “a deep understanding of the Android architecture, the app startup process, and the core security principles of the operating system.”

The malware also appeared designed to avoid certain regions. It checks a device’s language settings and time zone and terminates if the interface language is set to a Chinese dialect and the device is located in a Chinese time zone. It also remains inactive on devices that lack Google Play Store or Google Play Services.

The Keenadu operation bears similarities to a 2025 infection involving the Triada backdoor, which embedded itself in the firmware of counterfeit Android devices sold through major online marketplaces, allowing attackers to steal credentials from messaging and social media apps.

Because Keenadu is embedded at the firmware level, it cannot be removed using standard Android security tools, researchers said. They recommend installing a clean firmware version from a trusted source. In some cases, they warn, replacing the device entirely may be the safest option.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Source: https://therecord.media/new-backdoor-found-in-android-russia-japan-brazil