Keenadu: The Firmware Backdoor That Ships Inside the Box

A new Android backdoor called Keenadu is shipping pre-installed in the firmware of tablets from multiple manufacturers. It compromises the operating system's core process, infects every app on the device, and cannot be removed without a full firmware reflash. Kaspersky's research also reveals that Keenadu is connected to three of the largest Android botnets ever documented — suggesting an emerging ecosystem of coordinated supply chain threats operating at industrial scale.

On February 18, 2026, Kaspersky published a detailed technical report on a new Android backdoor they named Keenadu. Kaspersky had first disclosed the backdoor in late December 2025; the full analysis emerged from an investigation that began after Kaspersky's earlier work on the Triada backdoor, which was found pre-installed on counterfeit Android devices in April 2025. While hunting for similar firmware-level threats, researchers found something new — and in many ways, more alarming.

Keenadu is not delivered through a malicious app you download. It is baked into the device before it ever leaves the factory. The malware was introduced during the firmware build phase, meaning devices arrive compromised from day one. Some infected firmware was even distributed through legitimate over-the-air (OTA) updates, signed with valid digital certificates. The vendors themselves likely had no idea their products were shipping with a backdoor.

How Keenadu Gets In

The infection begins at the firmware build stage. Keenadu's authors compromised one stage of the supply chain, inserting a malicious static library that gets linked with libandroid_runtime.so — a core shared library in the Android operating system that loads during every device boot. Because this library is fundamental to how Android runs, the backdoor automatically executes whenever the device starts.

Once active, Keenadu injects itself into Zygote, the parent process for every Android application. Zygote is the first process that starts when Android boots, and every app on the device is forked from it. By compromising Zygote, Keenadu ensures that a copy of the backdoor is loaded into the address space of every app on the device — from the Chrome browser to banking apps to the camera.

Critical Detail

Keenadu is embedded on Android's read-only system partition. It cannot be removed using standard Android tools, factory resets, or antivirus apps. The only remediation is a full firmware reflash with a clean image — if one exists.

Kaspersky confirmed that all analyzed firmware files carried valid digital signatures. The attackers did not tamper with updates after distribution. The Trojan was integrated during the build phase itself, which means the compromise occurred upstream — within the development toolchain, a shared library, or a third-party component supplier. Kaspersky's Dmitry Kalinin stated that vendors were likely unaware of the compromise because the malware was imitating legitimate system components.

Keenadu also includes several self-protection mechanisms. The malware checks whether it is running within system apps belonging to Google services or to cellular carriers like Sprint or T-Mobile, and aborts execution if so — likely to avoid triggering detection in well-monitored environments. It also has a kill switch that terminates itself if it finds files with certain names in system directories. In its firmware-integrated variant, Keenadu will not activate if the device's language is set to a Chinese dialect and the timezone is set to a Chinese timezone, or if Google Play Store and Play Services are not found on the device.

Keenadu was first disclosed by Kaspersky in late December 2025, with the full technical report following on February 18, 2026. The discovery emerged from a broader firmware threat-hunting effort that began after Kaspersky's April 2025 Triada research. Kaspersky also noted that the system-app embedding technique mirrors behavior observed in another Android malware called Dwphon, which was integrated into system apps responsible for OTA updates — reinforcing a pattern of supply chain compromise across multiple malware families.

What It Does Once Active

Keenadu is a multi-stage loader. It does not immediately reveal its full capabilities. After initial activation, the backdoor enforces a dormancy period of approximately two and a half months before contacting its command-and-control (C2) infrastructure. This delay is a deliberate anti-analysis measure — by the time the malware activates, the device is long past any point-of-sale inspection or initial security review.

When the dormancy period expires, Keenadu reaches out to its C2 servers, which return an encrypted JSON object containing payload details. The payloads are hosted on cloud infrastructure and verified with MD5 and DSA signatures before being decrypted and executed. Kaspersky identified Amazon AWS as the CDN provider in their Securelist report, though at least one secondary outlet initially attributed it to Alibaba Cloud. The modular architecture means the operators can deploy new capabilities at any time without modifying the base implant.

Kaspersky intercepted and analyzed several payload modules:

  • Ad clicker modules injected into apps like YouTube, Facebook, and system components to generate fraudulent ad clicks inside hidden containers. One module, internally named "Nova," uses machine learning and WebRTC to interact with ad elements while remaining invisible to the user.
  • A Chrome hijacker that intercepts and steals search queries — including those entered in incognito mode — and redirects search results through attacker-controlled infrastructure.
  • A loader targeting shopping apps including Amazon, SHEIN, and Temu. This module can install hidden APKs and, according to user reports, has been adding items to shopping carts without the victim's knowledge.
  • Pay-per-install modules that silently deploy unwanted applications to monetize each installation.
  • Device fingerprinting modules that collect hardware identifiers, advertising IDs, and other device data.

The current payload mix is focused on ad fraud and monetization. But Kaspersky was explicit in their warning: the firmware-level variant of Keenadu is a fully functional backdoor that provides attackers with unrestricted control over the device. It can infect every installed app, silently install APKs with any permissions, and compromise all data on the device — media, messages, banking credentials, and location data. The infrastructure for credential theft and espionage is already in place. Only the payloads would need to change.

Multiple Distribution Vectors

While the firmware-level compromise is the primary and most dangerous variant, Kaspersky identified several additional distribution mechanisms that expand Keenadu's reach.

In some devices, the Keenadu loader was embedded within system apps rather than the core library. Researchers found it inside the facial recognition service used for device unlock and authentication — meaning the attackers could potentially acquire biometric face data. It was also found in the home screen launcher app. These system-app variants have more limited capabilities than the firmware version, but their elevated privileges still allow them to install arbitrary apps without user awareness.

Keenadu also made it onto Google Play. Kaspersky discovered trojanized smart home camera apps published by a developer named Hangzhou Denghong Technology Co., Ltd. that had accumulated over 300,000 downloads. These apps launched invisible browser tabs in the background to conduct click fraud. Google confirmed the apps have been removed, but the same developer had published identical apps to the Apple App Store. Kaspersky told The Hacker News that the iOS versions do not include the malicious Keenadu functionality, but the developer's cross-platform presence is worth monitoring.

Additional distribution came through modified apps on unofficial Android stores, through Xiaomi's GetApps marketplace, and through a particularly concerning channel: deployment by the BADBOX botnet itself, which was observed downloading Keenadu modules onto devices it had already compromised through its own supply chain infection.

The Botnet Web: BADBOX, Triada, and Vo1d

The most significant finding in Kaspersky's report is not Keenadu itself — it is what Keenadu reveals about the relationships between major Android botnets.

Kaspersky found that BADBOX actively deploys Keenadu payloads on compromised devices. They also identified code similarities between Keenadu's loader and BADBOX's BB2DOOR module, as well as shared patterns in the payload code decrypted by the malicious libandroid_runtime.so. Researchers believe the Keenadu developers drew inspiration from BADBOX's source code, though the two are assessed to be separate botnets.

The connections extend further. In Kaspersky's earlier Triada research, they found that a C2 server for one of Triada's downloaded modules was hosted on the same domain as a Vo1d botnet server. HUMAN Security's Satori team had previously documented connections between BADBOX and Vo1d through shared infrastructure. And according to HUMAN and Trend Micro's earlier research, the original BADBOX operation was built on Triada-derived malware, with a China-based threat group called "Lemon Group" linked to both Triada-inspired code and BADBOX's residential proxy services.

When you map these connections, four of the largest Android botnets in history — Triada (active since 2016, with over 4,500 confirmed infections detected by Kaspersky during the most recent counterfeit device campaign alone), Vo1d (over 1 million infected devices), BADBOX (over 1 million devices across two iterations), and now Keenadu (13,700+ confirmed, likely an order of magnitude higher) — share infrastructure, code, and operational relationships.

"These findings show that several of the largest Android botnets are interacting with one another. Currently, we have confirmed links between Triada, Vo1d, and BADBOX, as well as the connection between Keenadu and BADBOX." — Kaspersky, Securelist

Kaspersky was careful to note that the connections are not necessarily transitive. A link between Keenadu and BADBOX, and a separate link between BADBOX and Triada, does not automatically prove a direct connection between Keenadu and Triada. But they added a telling caveat: they would not be surprised if future reports provide exactly that evidence. The picture forming is one of an interconnected ecosystem of threat actors — likely China-based, given the language and timezone deactivation behavior noted earlier — who specialize in compromising the Android hardware supply chain at scale.

Who Is Affected

Kaspersky's telemetry detected Keenadu on 13,715 devices as of February 2026. The highest infection rates were in Russia, Japan, Germany, Brazil, and the Netherlands, with additional infections across Turkey and other countries. However, the confirmed detection count almost certainly understates the true scope. Both Vo1d and BADBOX were known to infect over a million devices each, and Keenadu shares their distribution model.

The only manufacturer Kaspersky named publicly is Alldocube. The compromised firmware was detected on the Alldocube iPlay 50 mini Pro (T811M), with the earliest infected firmware build dating to August 18, 2023. Critically, every firmware version Kaspersky analyzed — including releases issued after the vendor acknowledged malware reports from users — still contained the backdoor. Multiple other tablet manufacturers were affected but not named.

The devices in question are primarily budget Android tablets that pass through complex, multi-party supply chains before reaching consumers. They are sold through mainstream online retailers and are not Google Play Protect certified — meaning they run Android Open Source Project (AOSP) builds that do not undergo Google's security and compatibility testing. Notably, however, the firmware variant of Keenadu requires the presence of Google Play Store and Play Services to activate. This means the affected devices are AOSP-based but have Google services sideloaded — a common configuration for budget tablets that lack official certification but still ship with Google apps. A Google spokesperson told BleepingComputer that Play Protect can warn users and disable apps exhibiting Keenadu-associated behavior, even when those apps come from sources outside of Play, and recommended that users ensure their device is Play Protect certified.

Key Takeaways and Defense

  1. Supply chain compromise is the infection vector. Keenadu is not something you install. It arrives on the device. The compromise occurs during the firmware build process, before the product is packaged and shipped. Standard user behavior — avoiding suspicious apps, not sideloading — provides zero protection against this threat.
  2. Factory resets do not help. Because the malware lives on the read-only system partition, wiping user data does nothing. The only effective remediation is flashing clean firmware from a trusted source, if one exists for the affected device model. In many cases, the safest course of action is to stop using the device entirely.
  3. Budget devices carry disproportionate risk. The devices affected by Keenadu, BADBOX, Triada, and Vo1d share a common profile: inexpensive, off-brand, AOSP-based Android devices with complex supply chains that pass through many hands. Purchasing devices from established manufacturers with Google Play Protect certification significantly reduces — though does not eliminate — exposure to firmware-level threats.
  4. The botnet ecosystem is converging. Kaspersky's research shows that major Android botnets are not isolated operations. They share infrastructure, code, and distribution channels. This convergence means a single supply chain compromise can feed multiple threat actors simultaneously, and that disrupting one botnet (as Germany's BSI did with BADBOX in late 2024) may have limited impact on the broader ecosystem.
  5. Organizations should audit mobile device inventories. Any enterprise or institution issuing or permitting Android tablets — particularly for education, point-of-sale, or field operations — should verify that devices are Play Protect certified and sourced through authorized distributors. Uncertified devices should be treated as untrusted endpoints.
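
As an added, constructed example (not from Kaspersky's report or this article), the following Python triage flags inventory devices that match the risk profile described above: a model Kaspersky named publicly, an uncertified build with Google services present, and a firmware build date on or after the earliest infected build. The getprop and package-list samples are constructed, and the Play Protect certification flag is assumed to be an inventory field the administrator records from the Play Store settings screen rather than something read from the device.

```python
import re

# Constructed sample of `adb shell getprop` output; not captured from a real device.
SAMPLE_GETPROP = """\
[ro.product.manufacturer]: [Alldocube]
[ro.product.model]: [T811M]
[ro.build.date.utc]: [1692316800]
"""
# Constructed sample of `adb shell pm list packages` output.
SAMPLE_PACKAGES = """\
package:com.android.settings
package:com.android.vending
package:com.google.android.gms
"""

# Only model Kaspersky named publicly; other affected vendors were not disclosed.
NAMED_MODELS = {("alldocube", "t811m")}
GMS_PACKAGES = {"com.android.vending", "com.google.android.gms"}  # Play Store, Play Services
EARLIEST_INFECTED_BUILD_UTC = 1692316800  # 2023-08-18 UTC, per the report

def parse_getprop(text):
    """Turn `[key]: [value]` lines from getprop into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M))

def parse_packages(text):
    """Collect package names from `pm list packages` output."""
    return {ln[len("package:"):].strip() for ln in text.splitlines() if ln.startswith("package:")}

def assess(props, packages, play_protect_certified):
    """Return (verdict, reasons). play_protect_certified is an inventory field the
    admin records from the Play Store settings screen (assumed, not read from the device)."""
    reasons = []
    model = (props.get("ro.product.manufacturer", "").lower(), props.get("ro.product.model", "").lower())
    named = model in NAMED_MODELS
    gms_present = bool(GMS_PACKAGES & packages)  # firmware variant only activates with both present
    if named:
        reasons.append("model publicly named in Kaspersky's Keenadu report")
        if int(props.get("ro.build.date.utc", "0")) >= EARLIEST_INFECTED_BUILD_UTC:
            reasons.append("build date on/after earliest infected firmware; later builds were still infected")
    if not play_protect_certified:
        if gms_present:
            reasons.append("uncertified build with sideloaded Google services: matches activation profile")
        else:
            reasons.append("not Play Protect certified: treat as untrusted endpoint")
    # Factory reset does not help: remediation is a clean reflash or retiring the device.
    if named or (not play_protect_certified and gms_present):
        return "reflash-or-retire", reasons
    return ("review" if reasons else "ok"), reasons
```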

Keenadu is not a novel technique. Firmware-level Android compromise has been documented for years through Triada, BADBOX, and Vo1d. What makes this disclosure significant is the evidence that these operations are not isolated. They are forming a supply chain attack ecosystem — one that can plant persistent backdoors in consumer devices at the point of manufacture, distribute payloads through legitimate update channels, and pivot from ad fraud to full device control whenever the operators decide the economics justify it. The next device you unbox might already be working for someone else.
