Keenadu Malware: Android Trojan Found in Firmware of Thousands of Devices

by Sophie Williams

A sophisticated piece of malware dubbed Keenadu is being discovered pre-installed on Android devices, giving attackers potentially comprehensive control over the compromised systems. The issue primarily affects budget-friendly models.

Thousands of Android devices are leaving the factory already infected with a deeply embedded Trojan, according to a recent analysis by cybersecurity firm Kaspersky. The malware, named “Keenadu”, is firmly integrated into the device’s firmware – even before the user powers on the device for the first time.

What makes “Keenadu” so dangerous

Security researchers published their detailed analysis on February 17, 2026. The malicious code doesn’t reside in user storage, but instead nests within critical system libraries, specifically manipulating the libandroid_runtime.so file, a central component of Android.

This has serious consequences: the malicious code is automatically loaded every time the device starts. Over 13,000 infected devices have already been identified, including some in Germany. The digital signature of the firmware files suggests the manipulation occurred directly during production or with a supplier. This highlights the growing risk of supply chain attacks in the mobile device ecosystem.

Near-unlimited control for attackers

The technical sophistication is concerning. “Keenadu” injects itself into the “Zygote” process, the parent process for all Android apps. This automatically makes the malware part of every app launched – from a flashlight to a banking application.

This deep integration allows attackers to:
* Intercept SMS messages
* Secretly install additional apps
* Extract sensitive user data

The current campaign primarily targets ad fraud, according to the analysis. However, analysts warn of the potential for misuse for targeted espionage.

Affected devices: The supply chain problem

This represents a classic supply-chain attack. Criminals compromise not the finished device but a step in the manufacturing or distribution chain. Budget tablets and smartphones are particularly affected.

The report specifically mentions the “iPlay 50 mini Pro” from manufacturer Alldocube. In the budget device sector, many manufacturers rely on cost-effective firmware packages from third-party providers. If one of these providers is compromised, the malicious code ends up on thousands of devices from various brands.

Why traditional solutions fail

The situation is serious for affected users. Because the Trojan is part of the operating system, a factory reset does not help – the malware reinstalls itself with every restart.

Google emphasized that its “Play Protect” protection mechanism can detect known versions of the malware. However, many affected no-name import devices lack this official certification, or it is faked.

Experts advise affected users to:
* Stop using the device for banking or sensitive communication.
* Consider a model from an established manufacturer as the safest solution.
* For tech-savvy users: Manually re-flash a clean, verified firmware.
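
For the re-flash option, one way to check a system image before trusting it is to compare its native libraries, including the libandroid_runtime.so file named in the analysis, against a reference image. This is an added example, not code from Kaspersky or the article; it assumes both system partitions have already been extracted to local directories with the usual lib/ and lib64/ layout, and that the reference comes from a source you trust independently.

```python
import hashlib
import tempfile
from pathlib import Path

# Library the article names as manipulated; flagged separately in the report.
WATCHED = "libandroid_runtime.so"

def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large libraries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def library_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every .so under lib/ and lib64/."""
    manifest = {}
    for libdir in ("lib", "lib64"):  # assumed layout of an extracted system partition
        base = root / libdir
        if base.is_dir():
            for path in base.rglob("*.so"):
                if path.is_file() and not path.is_symlink():
                    manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest

def compare_system_libs(device_root, reference_root) -> dict:
    """Report libraries that differ from, are absent from, or are extra to the reference."""
    dev = library_manifest(Path(device_root))
    ref = library_manifest(Path(reference_root))
    report = {
        "modified": sorted(p for p in dev.keys() & ref.keys() if dev[p] != ref[p]),
        "added": sorted(dev.keys() - ref.keys()),
        "missing": sorted(ref.keys() - dev.keys()),
    }
    changed = report["modified"] + report["added"] + report["missing"]
    report["watched_changed"] = any(Path(p).name == WATCHED for p in changed)
    return report

def _demo() -> dict:
    """Constructed sample trees (not real firmware) with one altered library."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("device", b"altered"), ("reference", b"original")):
            libdir = Path(tmp, name, "lib64")
            libdir.mkdir(parents=True)
            (libdir / WATCHED).write_bytes(body)
        return compare_system_libs(Path(tmp, "device"), Path(tmp, "reference"))

if __name__ == "__main__":
    print(_demo())
```

An empty report only shows that the image matches the reference, so the result is as trustworthy as the reference itself.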


The Keenadu case demonstrates the ongoing vulnerability of global supply chains – particularly in the market for affordable electronics. The recommendation is clear: opt for established brands and official distribution channels when making a purchase.

@ boerse-global.de
