There is little a user can do when hit with complex Android malware that comes preinstalled on a new smartphone or tablet.
Security researchers at Kaspersky have flagged a multifaceted Android malware dubbed Keenadu that can ship preinstalled via device firmware, compromising users before they even complete setup.
“Keenadu serves as a reminder that mobile malware isn’t just a bad app problem anymore, but rather a supply chain and firmware integrity problem,” said Nick Tausek, lead security automation architect at Swimlane. “The most dangerous Keenadu variant is embedded at the firmware level, giving attackers effectively unlimited control and the ability to operate inside the context of every app on the device, which can turn a single compromised tablet or phone into an enterprise-wide data exposure risk.”
The researchers stated that the threat has already affected users across multiple countries, with Kaspersky detecting infections on over 13,000 devices as of February. “The highest numbers of the attacked users have been observed in Russia, Japan, Germany, Brazil, and the Netherlands, but other countries have been affected as well,” Kaspersky researchers added in a blog post.
Preinstalled malware runs with elevated privileges
Kaspersky reported that Keenadu can arrive on new devices, already embedded in system software, allowing it to run with high privileges from the moment the device is activated. Because the malicious components are present in firmware rather than installed later as apps, affected users may have limited ability to detect or remove them through conventional means.
“Without any actions on the user side, a device can be infected right out of the box,” Kaspersky security researcher Dmitry Kalinin said in the blog post. “Vendors likely didn’t know about the supply chain compromise that resulted in Keenadu infiltrating devices, as the malware was imitating legitimate system components. It is important to check every stage of the production process to ensure that device firmware is not infected.”
Once active, Keenadu inherits trusted system-level permissions and operates with minimal visibility. The malware activates only under specific conditions, remaining dormant on devices set to Chinese languages or time zones and on those lacking Google Play Store and Google Play Services.
Embedded in core system apps
Keenadu can control legitimate system applications on affected devices. Kaspersky observed it inside critical components such as face unlock applications, raising the possibility that attackers could access biometric data. The malware was also found operating within the home screen app that controls the device’s primary interface.
The researchers warned that the backdoor provides attackers with extensive control over the device. Keenadu can infect other installed apps, install additional software from APK files, and grant those apps any permission available on the system. This enables compromise of sensitive data stored on the device, including media files, messages, banking credentials, and location information.
The malware can also monitor search queries in the Chrome browser, even when users operate in incognito mode.
Other ways of infection
Kaspersky noted that Keenadu’s distribution is not limited to preinstalled system components.
In some cases, the malware has also been observed embedded within applications distributed through Android app stores, where it can be delivered as a seemingly harmless download and activated after installation. Most of these apps are for smart home cameras, and they have been downloaded over 300,000 times, the researchers said, adding that all of them had been removed by the time of disclosure.
Tausek says mitigation has to start earlier than “detect and remove.” “The way forward is to pair hard baselines like OTA governance and EMM policies with AI-driven prevention and containment that spots the behavioral fingerprints of backdoors before they turn into lateral movement,” he said. “AI models can continuously correlate mobile telemetry with identity, endpoint, and network signals to flag high-risk devices in real time and trigger automated guardrails like device isolation or the revocation of sessions and tokens.”
Kaspersky’s recommendations included checking for firmware updates if the device is infected, running a device scan with a “reliable” security solution, and, if an infection is suspected, stopping use of or disabling the affected application.
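One concrete form of the “hard baselines” Tausek describes, and of the firmware check Kaspersky recommends, is to compare the set of packages shipped on a device’s privileged partitions against the vendor-approved image an EMM expects. The script below is an added example written for this article; it is not code from Kaspersky, Swimlane, or any vendor. It assumes its input is the text printed by `adb shell pm list packages -f` (lines of the form `package:<apk path>=<package name>`) that an operator has captured from a device; the sample output, the baseline, and every package name in them are constructed for illustration.

```python
"""Flag drift in a device's privileged (system-partition) package set against an EMM baseline.

Added example, not code from Kaspersky or Swimlane. Input is assumed to be the output of
`adb shell pm list packages -f`; SAMPLE_PM_OUTPUT and APPROVED_BASELINE are constructed.
"""
from dataclasses import dataclass

# Partitions whose packages run with system-level trust. A package that appears here but is
# absent from the approved image is exactly the kind of firmware-level drift worth reviewing.
PRIVILEGED_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")


@dataclass(frozen=True)
class PackageEntry:
    name: str
    apk_path: str

    @property
    def privileged(self) -> bool:
        return self.apk_path.startswith(PRIVILEGED_PREFIXES)


def parse_pm_list(output: str) -> list[PackageEntry]:
    """Parse `pm list packages -f` lines; anything not in the expected shape is ignored.

    The package name follows the LAST '=' because APK paths under /data/app may contain '='.
    """
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, _, name = line[len("package:"):].rpartition("=")
        if path and name:
            entries.append(PackageEntry(name=name, apk_path=path))
    return entries


def find_baseline_drift(entries: list[PackageEntry],
                        baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare privileged packages with a baseline of {package name: expected APK path}.

    unknown  - privileged packages the approved image does not list (investigate first)
    moved    - baseline packages whose APK now lives at a different path
    missing  - baseline packages absent from the device
    """
    privileged = {e.name: e.apk_path for e in entries if e.privileged}
    unknown = sorted(n for n in privileged if n not in baseline)
    moved = sorted(n for n, p in privileged.items() if n in baseline and baseline[n] != p)
    missing = sorted(n for n in baseline if n not in privileged)
    return {"unknown": unknown, "moved": moved, "missing": missing}


# Constructed sample: what a capture from one device might look like. The /data/app entry is a
# user-installed app and is deliberately outside the privileged set.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/Launcher3/Launcher3.apk=com.android.launcher3
package:/system/app/FaceUnlockHelper/FaceUnlockHelper.apk=com.example.faceunlock
package:/data/app/~~abc==/com.example.camera-1/base.apk=com.example.camera
package:/product/priv-app/Updater/Updater.apk=com.example.updater
"""

# Constructed baseline: the privileged packages the approved firmware image is expected to carry.
APPROVED_BASELINE = {
    "com.android.settings": "/system/priv-app/Settings/Settings.apk",
    "com.android.launcher3": "/system/priv-app/Launcher3/Launcher3.apk",
    "com.example.updater": "/system/priv-app/Updater/Updater.apk",
    "com.example.dialer": "/system/priv-app/Dialer/Dialer.apk",
}


def main() -> None:
    report = find_baseline_drift(parse_pm_list(SAMPLE_PM_OUTPUT), APPROVED_BASELINE)
    for category, names in report.items():
        print(f"{category:8s}: {', '.join(names) if names else '-'}")


if __name__ == "__main__":
    main()
```

On the constructed sample this reports `com.example.faceunlock` as unknown (a system app the approved image never shipped), `com.example.updater` as moved, and `com.example.dialer` as missing. A baseline diff only catches drift from the image the fleet was approved on; it cannot reveal a component that was already inside the vendor’s golden image, which is the scenario Kalinin describes, so it belongs alongside verification of the vendor’s signed firmware hashes rather than in place of it.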