Newly discovered Android malware has been found preinstalled on several Android tablet models, allowing it to tamper with any mobile app launched on the device.
Antivirus provider Kaspersky discovered the malware, dubbed “Keenadu,” which the company has detected on over 13,000 devices in Europe, Japan, Brazil, and elsewhere.
In some cases, the malware has been found in the tablets’ firmware, indicating that someone in the supply chain secretly loaded the malicious code. “In this variant, Keenadu is a fully functional backdoor that provides the attackers with unlimited control over the victim’s device,” Kaspersky warns.
The affected tablets were traced to a little-known Chinese brand called Alldocube, which previously sold products on Amazon and is currently on AliExpress. Kaspersky first examined firmware from 2023 on the Alldocube iPlay 50 mini Pro tablet, and found it contained the Keenadu backdoor.
“Notably, all subsequent firmware versions for this model also proved to be infected.” This included firmware versions after Alldocube disclosed in 2024 that the tablet model had encountered a “virus attack” that could trigger it to display random Google ads.
The Keenadu backdoor is particularly dangerous because it “can infect every app installed on the device, install any apps from APK (Android Package Kit) files and give them any available permissions,” Kaspersky says. “As a result, all information on the device, including media, messages, banking credentials, location, etc. can be compromised. The malware even monitors search queries that the user inputs into the Chrome browser in incognito mode.”
It also looks like the malware can be hard to remove, since it loads from the device’s firmware, which stores the configuration settings needed to boot the hardware. Despite the capabilities, Kaspersky has only observed the malware engaging in various forms of ad fraud, “with attackers using infected devices as bots to deliver link clicks on ads.”
The antivirus provider also uncovered evidence that the malware has been preinstalled on devices from other manufacturers. The company didn’t name the brands, but said “in all instances, the backdoor is embedded within tablet firmware. We have notified these vendors about the compromise.”
In addition, Keenadu has been circulating through preinstalled “system” apps, including one “responsible for unlocking the device with the user’s face,” Kaspersky says. The malware has also appeared on the Google Play Store through third-party mobile apps for smart home cameras.
These apps received over 300,000 downloads but had far fewer capabilities and focused on launching an “invisible web browser” to secretly look up websites, likely for ad fraud. Google has since removed them from its app store after Kaspersky flagged the threat.
Interestingly, Kaspersky’s investigation found the malware won’t activate if “the language set on the device is one of Chinese dialects, and the time is set to one of Chinese time zones.” The malware also won’t launch if the Google Play Store hasn’t been installed.
The research underscores the potential danger of buying cheap Android devices from unknown brands. A year ago, Kaspersky found another malware strain preinstalled on counterfeit Android phones. Alldocube didn’t immediately respond to a request for comment.
About Our Expert
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
-
Amazon Leo Hints It’ll Open Satellite Internet Tech to Third-Party Antennas
-
This Discord Alternative Reports Sign-Up Surge Amid Age-Verification Backlash
-
Researcher Lands $6,000 Bug Bounty for Finding Starlink Data Leak
-
SpaceX’s Plan for 1 Million Satellites Faces Light Pollution Backlash
-
OpenAI Kills GPT-4o, the Model That Praised Everyone to a Fault
-
More from Michael Kan
