Security researchers have identified a persistent unauthorized code component, designated as "Keenadu," embedded within the firmware of Android devices across multiple vendors. This component integrates into the operating system’s core processes, granting it the ability to interact with applications running on the device and facilitating remote access for its operators.
Kaspersky, the security firm tracking this activity, identified Keenadu while analyzing Android firmware-level threats similar to the Triada remote access tool. Like Triada, Keenadu appears to be pre-loaded on devices from various smaller manufacturers. Kaspersky has notified the affected vendors regarding the compromise.
Firmware-Level Integration
The presence of Keenadu in Android device firmware is the result of a supply chain compromise. Evidence suggests that a specific stage of the firmware supply chain was modified, introducing a malicious dependency into the source code before the devices reached the market.
The compromised dependency hooks into the Android "Zygote" master process. Because Zygote forks every new application process, the unauthorized code is automatically inherited into the memory space of every application launched on the device. This mechanism provides persistence and broad access without requiring a vulnerability in any individual app.
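Because a library loaded into Zygote is inherited by every forked app, a defender can look for shared objects that appear in the zygote process and in all app processes but are absent from a clean baseline of the same firmware build. The following is an added example (not Kaspersky's tooling or anything from the Keenadu analysis): it parses /proc/<pid>/maps-style lines and assumes a constructed baseline; the library name libexample_injected.so and all maps lines are constructed placeholders, not real indicators.

```python
import re
from typing import Dict, Iterable, List, Set

# One /proc/<pid>/maps line: address perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\d+\s*(\S.*)?$")


def mapped_libs(maps_lines: Iterable[str]) -> Set[str]:
    """Return the set of shared-object paths mapped by one process."""
    libs: Set[str] = set()
    for line in maps_lines:
        m = _MAPS_RE.match(line.strip())
        if m and m.group(1) and m.group(1).endswith(".so"):
            libs.add(m.group(1))
    return libs


def inherited_unexpected_libs(zygote_maps: Iterable[str],
                              app_maps_by_pid: Dict[int, List[str]],
                              baseline: Set[str]) -> Set[str]:
    """Libraries mapped in zygote AND in every app process, minus the clean baseline.

    Anything left over was inherited through the fork and is not part of the
    known-good firmware image, so it deserves manual review.
    """
    common = mapped_libs(zygote_maps)
    for lines in app_maps_by_pid.values():
        common &= mapped_libs(lines)
    return common - baseline


# Constructed sample data (placeholders, not real indicators).
ZYGOTE_MAPS = [
    "7f1a000000-7f1a100000 r-xp 00000000 fd:00 1234 /system/lib64/libandroid_runtime.so",
    "7f1a200000-7f1a300000 r-xp 00000000 fd:00 1235 /system/lib64/libc.so",
    "7f1a400000-7f1a500000 r-xp 00000000 fd:00 9999 /system/lib64/libexample_injected.so",
    "7f1a600000-7f1a700000 rw-p 00000000 00:00 0 [anon:libc_malloc]",
]
APP_MAPS = {
    # Forked children inherit zygote's mappings and add their own native code.
    2001: ZYGOTE_MAPS + ["7f2b000000-7f2b100000 r-xp 00000000 fd:01 4321 /data/app/com.example.mail/lib/arm64/libmail_native.so"],
    2002: ZYGOTE_MAPS + ["7f2c000000-7f2c100000 r-xp 00000000 fd:01 4322 /data/app/com.example.game/lib/arm64/libgame.so"],
}
# Baseline taken from a verified-clean image of the same build (constructed here).
CLEAN_BASELINE = {"/system/lib64/libandroid_runtime.so", "/system/lib64/libc.so"}

if __name__ == "__main__":
    for lib in sorted(inherited_unexpected_libs(ZYGOTE_MAPS, APP_MAPS, CLEAN_BASELINE)):
        print("inherited from zygote, not in clean baseline:", lib)
```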
Current telemetry from February 2026 indicates that approximately 13,000 devices are affected. The geographic distribution of affected units is concentrated in Russia, followed by Japan, Germany, Brazil, and the Netherlands.
While some users received devices with the compromised firmware pre-installed, others acquired the unauthorized code through standard over-the-air (OTA) security updates.
Distribution Vectors and Capabilities
Beyond firmware integration, the operators distribute this component through system applications—such as facial recognition services and launcher apps—and modified versions of popular applications hosted on official platforms like Google Play and Xiaomi GetApps.
Technically, Keenadu functions as a multistage loader. It is capable of retrieving and executing additional modules without user interaction. Observed behaviors include:
Search Hijacking: Monitoring and redirecting queries in Google Chrome.
Advertising Fraud: Generating unauthorized interactions with advertisements to claim revenue. One identified module specifically targets major e-commerce platforms such as Amazon, Shein, and Temu.
Installation Tracking: Intercepting legitimate application installations to attribute them to advertising networks controlled by the operators.
While current observations suggest the operators are prioritizing ad fraud, the level of system access achieved by the malware allows for complete remote device administration.
Infrastructure Correlation
Technical analysis has established connections between Keenadu and three other significant Android botnet operations: BADBOX, Triada, and Vo1d.
Researchers observed BADBOX infrastructure actively deploying Keenadu modules to compromised systems. Furthermore, shared infrastructure points connect Triada to BADBOX operations. These correlations indicate a high degree of interoperability and resource sharing between these large-scale mobile malware networks.
Mitigation and Remediation
For security teams and users managing affected devices, remediation depends on the specific vector of compromise. Kaspersky has released indicators of compromise (IOCs) to assist in identification.
Firmware Compromise: If the unauthorized code is present in the device firmware, standard factory resets are insufficient. The firmware must be replaced entirely by flashing a verified clean image. Until this is performed, the device should be considered untrusted.
System Application Compromise: If the code resides within a specific system app rather than the core firmware, users should disable the affected application. If a clean version is available from a trusted source, it may be installed as a replacement.
Third-Party Application Compromise: For devices where the threat was introduced via a downloaded application (from a third-party store or official marketplace), uninstalling the specific application removes the immediate threat.