ACCORDING to Kaspersky, a recently discovered Android backdoor named Keenadu gives its operators full remote control of compromised devices and has been found in the firmware of various Android brands, particularly tablets. The malware has been preinstalled on some devices and has also been delivered through OTA firmware updates, and it can be used for ad fraud, including hijacking browser search engines, monetising new app installs, and clicking on ads.
It has also been distributed via app stores such as Google Play and Xiaomi GetApps, disguising itself as smart camera apps; the fake Google Play entries were downloaded more than 300,000 times before removal. Kaspersky researchers have detected Keenadu infections on roughly 13,000 devices, mainly in Russia, Japan, Germany, Brazil, and the Netherlands.
The researchers note that a copy of the backdoor is loaded into the address space of every app on launch and that in some firmware builds Keenadu was integrated into critical system utilities, including the facial recognition service and the launcher. There are linked relationships with other botnets, including Triada, Vo1d and BadBox, though the team stresses that such connections are not necessarily transitive. The findings were reported on 18 February 2026.