Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Feb 18, 2026 · 5 min read

This Malware Was Baked Into Your Android Tablet Before You Even Opened the Box

Kaspersky researchers discovered a firmware level backdoor called Keenadu pre installed on Android tablets. It hijacks every app on the device and cannot be removed with standard tools.

A brand new Android tablet being unboxed from packaging on a clean desk with subtle red warning indicators on the screen

What Happened

Kaspersky researchers have uncovered a backdoor called Keenadu embedded in the firmware of Android tablets from multiple manufacturers, including Alldocube. The malware was not installed after purchase. It was baked into the system library during the firmware build process, meaning devices were compromised before they ever left the factory.

As of February 2026, Kaspersky has identified 13,715 affected users across Russia, Japan, Germany, Brazil, the Netherlands, and other countries. The infection dates back to at least August 2023, meaning some devices have been silently compromised for over two years.

The most alarming detail: the compromised firmware files carry valid digital signatures. The devices pass standard integrity checks. There is no visible indication that anything is wrong.

How It Works

Keenadu embeds itself in libandroid_runtime.so, a core Android system library that loads into every app process on the device. Because this library is fundamental to how Android runs applications, the malware effectively operates inside every app you use.

The technical execution is sophisticated:

  • The malware hooks the println_native function that apps use for system logging. Every time an app writes a log entry, the hook triggers
  • It decrypts an RC4 encrypted payload and loads it using Android's DexClassLoader, a mechanism normally used for legitimate dynamic code loading
  • The payload creates a client server architecture: an "AKServer" running with maximum system privileges, and an "AKClient" injected into every app that communicates back to the server
  • The command and control server does not activate payloads immediately. It waits 2.5 months after initial device activation before deploying malicious modules, making detection during return windows nearly impossible

As the researchers put it: "the malware is embedded in libandroid_runtime.so, it operates within the context of every app on the device, thereby gaining access to all their data."

What It Steals

Once active, Keenadu deploys multiple specialized modules:

  • Chrome module: Monitors your search bar in real time, exfiltrating every search query to attacker servers. It hijacks search results and redirects to attacker controlled search engines
  • App installer: Targets Amazon, SHEIN, and Temu apps, silently installing additional APKs through Android's installation sessions
  • Ad fraud clicker: Uses machine learning based interaction to simulate human ad clicks via WebRTC, generating revenue for the attackers while draining your battery and data
  • Google Play module: Extracts your Google Advertising ID for tracking and victim profiling
  • Permission bypass: Can grant or revoke any app permission, access your location, and exfiltrate device information, all without triggering Android's permission dialogs

Connected to a Larger Botnet Network

Kaspersky's investigation revealed that Keenadu is not operating in isolation. It is connected to several of the largest known Android botnets:

  • BADBOX: Downloads Keenadu modules and shares the same internal communication interfaces
  • Triada: A well known Android trojan linked through shared command and control infrastructure and code overlap dating back to 2022
  • Vo1d: Connected through shared C2 domain infrastructure

The researchers noted that "several of the largest Android botnets are interacting with one another." This suggests a coordinated ecosystem of firmware level threats, not isolated incidents.

Why You Cannot Just Uninstall It

Because Keenadu lives in the firmware itself, modern Android's read only system partition means "it is impossible to eliminate the threat using standard Android OS tools." You cannot uninstall it. You cannot factory reset it away. The malware is part of the operating system.

Your options are limited:

  • Wait for a manufacturer firmware update (which may never come for budget tablets)
  • Manually flash clean firmware (which risks bricking the device and requires technical expertise)
  • Stop using the device entirely

How to Protect Yourself

Google stated that "Android users are automatically protected from known versions of this malware by Google Play Protect." But Play Protect cannot clean firmware level infections. It can only block the secondary payloads.

To reduce your risk:

  • Buy devices from established manufacturers. Budget tablets from unknown brands are the primary targets for firmware supply chain attacks
  • Check that your device is Google Play Protect certified at android.com/certified
  • Keep your device updated. Install firmware and security patches as soon as they are available
  • Monitor your device for unusual behavior: unexpected battery drain, unexplained data usage, or apps appearing that you did not install
  • Avoid entering sensitive credentials on budget devices from unknown manufacturers. Use your primary phone for banking, email, and authentication

The Keenadu discovery is a reminder that the cheapest device often costs more than you think. When a tablet sells for far below its manufacturing cost, someone is making up the difference, and it might be by selling access to your data.