They warn about Keenadu, the ‘malware’ preinstalled on some new Android devices for advertising fraud

Cybersecurity experts have warned about Bring ita new ‘malware’ identified on Android devices, Spain being one of the countries with the highest number of detections, which can come pre-installed directly in the ‘firmware’ of the device, be integrated into system applications or downloaded from official stores such as Google Play.

Malicious actors use this ‘malware’ to carry out advertising fraud, using infected devices as bots that generate ad clicks. However, it can also be used for more harmful purposes, as in some variants it has been identified as allowing full control of the victim’s device.

This has been announced by the cybersecurity company Kaspersky, which, through its mobile security solutions, has detected more than 13,000 infected devices with Keenadu globally, until February 2026.

Specifically, the largest number of affected users was registered in Russia, Japan, Germany, Brazil and the Netherlands. Nevertheless, Spain is also among the ten countries with the highest number of detections of this threat, together with Türkiye, the United Kingdom, France and Italy.

As the experts explained in a statement, like the Triada Trojan, which was detected in 2025 on more than 2,600 counterfeit Android smartphones, this Keenadu malware has been integrated into the ‘filmware’ of certain Android tablet models in “some phase of the supply chain.

This identified variant acts as a acceso ‘backdoor’ for cybercriminals, allowing them to gain unlimited control over the device in question. As a result, Keenadu can infect any application that is installed on the device, as well as install new ‘apps’ from APK files and control the settings to grant them all permissions.

All this means that the Device information may be compromisedincluding multimedia files, messages, banking credentials or location data, as Kaspersky has warned. So much so, that even cybercriminals can monitor the searches that the user enters in the Chrome browser in incognito mode.

Likewise, it must be taken into account that, when the ‘malware’ is integrated into the ‘firmware’ it can behave differently depending on various factors. For example, the company has assured that it will not be activated if the language configured on the device corresponds to Chinese dialects or if the time zone is set to China. It will also not run if the device does not have Google Play Store or Google Play Services installed.

INTEGRATED INTO ‘APPS’ OF THE SYSTEM OR DISTRIBUTED IN OFFICIAL ‘APPS’

However, experts have specified that the threat is also distributed integrating into system applications o downloading from official stores like Google Play.

In the in-app variant of the system, Keenadu is more limited, as cannot infect all applications on the device. However, it does have some elevated privileges, for example it can be used to install other applications without the user knowing.

In one of the cases analyzed, the experts detected Keenadu integrated into an application of the system responsible for the device face unlockwhich could allow cybercriminals to access user biometric data. In other cases, the malware was integrated into the system home screen app.

For its part, for the version distributed through applications in the store oficial Google Play, infected with Keenadu, cybercriminals have targeted smart home camera apps that had been downloaded more than 300,000 times. Although, currently, They have already been removed.

Thus, when users run these applications, cybercriminals can open invisible browser tabs within the application itself, visiting web pages in a hidden way. Some of these applications were Ziicam, Eyeplus-Your home in your eyes or Eoolii.

With all this, the identification of Keenadu highlights how pre-installed ‘malwares’ continue to be a major issue on multiple android devices since, “without the user taking any action” the device can be committed “from the first moment”, as detailed by Kaspersky security researcher, Dmitry Kalinin.

“It is likely that the manufacturers were unaware of the supply chain manipulation that allowed Keenadu to infiltrate the devices, as the malware imitated legitimate system components“, he concluded, while emphasizing that it is “essential to review all phases of the production process to ensure that the firmware is not infected.”

It has also recommended that users use a reliable security solution on mobile devices, check if there are updates available and, after installing them, scan the computer with a security solution to examine the ‘firmware’. In case a system application is infected, it is recommended to stop using it and disable it.