Millions of Android Devices Compromised by Persistent Keenadu Malware
A sophisticated Android malware known as Keenadu has infected millions of devices, with some reports indicating the reach exceeds 2.3 million units. Discovered by Kaspersky, the multifaceted threat is particularly alarming due to its ability to bypass standard security measures and its presence on brand-new hardware.
According to security findings, the malware has utilized two primary vectors for distribution. It has been spread through the Google Play Store via disguised applications, and in other instances, it was found preinstalled on budget tablets. The latter method means users are potentially compromised the moment they activate a new device.
The capabilities of Keenadu are extensive. The malware can reportedly compromise any application a user launches on the infected device. This level of access allows the software to intercept data and manipulate app functions, posing a severe threat to personal and financial security.
Perhaps the most critical aspect of this threat is its resilience. Security analysts note that the malware is extremely difficult to delete. In many cases, the malware is designed to survive a full factory reset, rendering the most common recovery method ineffective.
The ability of a mobile threat to persist through a system wipe represents a significant escalation in malware sophistication. This discovery underscores the ongoing vulnerability of the Android ecosystem, particularly concerning the security auditing of low-cost hardware and the challenges of policing disguised apps in major marketplaces.
As of April 4, 2026, this development highlights a growing trend of “rootkit-style” persistence in mobile environments, as detailed in broader reports on Android rootkits and cloud security bypasses. Users are encouraged to remain vigilant regarding the source of their hardware and the permissions granted to newly installed applications, as over 2.3 million devices have already been impacted.