Preinstalled malware in brand-new Android devices uncovered
2026-02-18 - 16:13
A new malware strain, Keenadu, has been detected in thousands of brand-new Android devices. It can be preinstalled directly in device firmware, embedded within system apps, or even downloaded from official app stores such as Google Play. Currently, Keenadu is used for ad fraud, with attackers using infected devices as bots to deliver link clicks on ads. But it can also be used for other malicious purposes, with some variants even allowing full control of the victim’s device.

According to Kaspersky, over 13,000 devices infected with Keenadu have been detected as of February 2026. Some versions can infect every app installed on the device, install any app from an APK file, and grant it any available permission. As such, all information on the device, including media, messages, banking credentials, and location, can be compromised. The malware even monitors search queries that the user enters into the Chrome browser in incognito mode.

When integrated into the firmware, the malware behaves differently depending on several factors. It will not activate if the language set on the device is one of the Chinese dialects and the time is set to one of the Chinese time zones. It will also not launch if the device doesn’t have the Google Play Store and Google Play Services installed.

When embedded within system apps, Keenadu's functionality is limited, but it can still install any additional apps the attackers choose without the user knowing. What’s more, Kaspersky discovered Keenadu embedded within a system application responsible for unlocking the device with the user’s face, so the attackers could potentially acquire the victim’s face data. In some cases, Keenadu was embedded within the home screen app, which is responsible for the home screen interface.

Kaspersky experts also discovered that several apps distributed on Google Play are infected with Keenadu. These are apps for smart home cameras, and they’ve been downloaded over 300,000 times. As of the time of publication, these apps have been removed from Google Play.

“Without any actions on the user side, a device can be infected right out of the box. Security solutions can detect this type of malware. Vendors likely didn’t know about the supply chain compromise, as the malware imitates a legitimate system component. It is important to check every stage of the production process to ensure that device firmware is not infected,” stated Dmitry Kalinin, security researcher at Kaspersky.

Kaspersky recommends using a reliable security solution to be promptly notified of similar threats on the device. If a system app is infected, Kaspersky recommends that users stop using it and then disable it. If a launcher app is infected, the company recommends disabling the default launcher and using a third-party launcher.