In popular imagination, mobile device cybersecurity largely depends on the user’s prudence: avoiding reckless clicks, not downloading suspicious attachments, and avoiding unofficial stores.
However, a recent investigation conducted by researchers at Kaspersky has revealed a far more insidious scenario, in which the threat does not come from the outside but is already resident in the device at the time of purchase.
It is an actual backdoor, named Keenadu, inserted directly into the firmware of thousands of Android tablets before they even reached store shelves or consumers’ hands.
According to security experts, the malware does not infect the device at a later time, but is embedded within the system software during the compilation process.
Once the tablet is activated, the backdoor injects its malicious code into Android’s Zygote process. Because Zygote is the parent process from which every other application on the device is forked, code running inside it inherits a position that gives attackers almost total visibility and control over the operating system.
Keenadu is able to operate quietly to download additional modules, redirect browser searches, monitor app installations to generate illicit profits, and forcibly interact with advertising elements, acting with privileges that a normal infected application could never obtain.
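The Zygote mechanism above is why a defender who gets a shell on a suspect device wants to know what code is actually mapped into that process. The following script is an added illustration, not Kaspersky’s tooling and not part of the original report: it parses lines in the `/proc/<pid>/maps` format that Linux (and therefore Android) exposes and flags executable mappings that are backed by files outside the partitions a stock build loads native code from, or whose backing file has been deleted since it was loaded. The sample maps lines, the library names in them and the list of trusted partition prefixes are constructed assumptions for this example; on a real device you would read `/proc/<zygote_pid>/maps`, which requires root.

```python
"""Heuristic check for out-of-place executable code in an Android zygote process.

Added example for illustration only (not from the original article or from
Kaspersky). It parses /proc/<pid>/maps-style lines and reports executable,
file-backed mappings that come from outside the partitions a stock Android
build maps code from, or whose backing file was deleted after loading.
"""
import re
from typing import Dict, List, Tuple

# Partitions a stock Android build legitimately maps native code from.
# Assumption for this example; adjust to the device's actual partition layout.
TRUSTED_CODE_PREFIXES = (
    "/system/", "/system_ext/", "/apex/", "/vendor/", "/product/", "/odm/",
)

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample input (not captured from a real device). The library
# names are placeholders chosen for the demonstration.
SAMPLE_MAPS = """\
7f1234000000-7f1234100000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so
7f1234200000-7f1234300000 r-xp 00000000 fd:00 1235 /apex/com.android.art/lib64/libart.so
7f1234400000-7f1234500000 r-xp 00000000 fd:00 4321 /data/local/tmp/libinject.so
7f1234600000-7f1234700000 rw-p 00000000 00:00 0 [anon:libc_malloc]
7f1234800000-7f1234900000 r-xp 00000000 fd:00 9999 /system/framework/libpayload.so (deleted)
"""


def parse_maps(text: str) -> List[Dict[str, str]]:
    """Parse maps-format text into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def suspicious_mappings(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for executable mappings that look out of place.

    Only file-backed executable mappings are considered: anonymous and
    pseudo-mappings such as [anon:...], [stack] or [vdso] are skipped because
    the ART runtime legitimately creates anonymous executable regions.
    """
    findings = []
    for e in entries:
        if "x" not in e["perms"]:
            continue  # not executable, not interesting for code injection
        path = e["path"]
        if not path or path.startswith("["):
            continue  # anonymous or pseudo-mapping
        if path.endswith(" (deleted)"):
            findings.append((path, "backing file deleted after being mapped"))
        elif not path.startswith(TRUSTED_CODE_PREFIXES):
            findings.append((path, "code mapped from outside trusted partitions"))
    return findings


def check_maps_text(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse and check in one call."""
    return suspicious_mappings(parse_maps(text))


if __name__ == "__main__":
    for path, reason in check_maps_text(SAMPLE_MAPS):
        print(f"SUSPICIOUS {path}: {reason}")
```

Note the limit of this heuristic, which follows directly from the article: a backdoor compiled into the firmware itself lives under `/system/` and carries the manufacturer’s signature, so it would pass the trusted-prefix check. What the check does catch is code injected into Zygote at runtime from writable storage or from a file removed after loading; for the firmware-resident case, the practical control remains comparing the installed build against a cleaned firmware release from the manufacturer.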
The analyses identified a concrete example of this compromise in the Alldocube iPlay 50 mini Pro tablet. Researchers found the backdoor present in all firmware versions examined, including those released by the manufacturer after the first reports of the problem.
A technically relevant detail is that the infected files had valid digital signatures; this suggests that it was not external post-production tampering, but a compromise upstream, directly in the software supply chain.
The spread of Keenadu is not an isolated phenomenon. Kaspersky has detected over 13,000 affected users globally. Although the highest numbers were recorded in Russia, Japan and Brazil, the threat has also significantly touched European soil, with numerous infections detected in Germany and the Netherlands.
Analysts have also linked this threat to other well-known Android botnet families, such as Triada, BadBox and Vo1d, outlining an interconnected and persistent criminal ecosystem.
Fortunately, the issue appears limited to budget manufacturers and lesser-known brands, currently sparing the sector’s leading brands. However, for those owning low-cost devices from little-known brands, the risk remains tangible.
Google has intervened on the issue, reassuring users through a spokesperson, who confirmed that Google Play Protect is able to recognize and neutralize the known variants of this malware.
The protection system, active by default on certified devices, can alert users and disable applications that exhibit behaviors associated with Keenadu, even if they come from sources outside the Play Store.
Moreover, the malicious apps identified in the report that were available on the official store have been promptly removed. The recommendation for users remains to verify the device’s Play Protect certification and promptly install any cleaned firmware updates released by the manufacturers.