
Supply Chain Attack Embeds Malware in Android Devices

Keenadu downloads payloads that hijack browser searches, commit ad fraud, and execute other actions without user knowledge.

Jai Vijayan, Contributing Writer, Dark Reading
February 17, 2026

Researchers have spotted new malware embedded in the firmware of Android devices from multiple vendors that injects itself into every app on infected systems, giving attackers virtually unrestricted remote access to them.

Kaspersky is tracking the malware as "Keenadu" after coming across it while hunting for Android firmware-level threats like the Triada remote access Trojan (RAT) for stealing data from banking and communication apps. As with Triada, Kaspersky found Keenadu arriving pre-loaded on Android devices from multiple — mostly small — manufacturers, all of which the company has notified of the compromise.

A Firmware-Level Threat

"Keenadu was integrated into Android device firmware as the result of a supply chain attack," the security vendor said. "One stage of the firmware supply chain was compromised, leading to the inclusion of a malicious dependency within the source code."

This infected file is used by Android's "Zygote" master process — as was the case with Triada — meaning the malware automatically gets copied into every single application that runs on a compromised device.

"The vendors may have been unaware that their devices were infected prior to reaching the market," Kaspersky said.

According to Kaspersky, as of February, some 13,000 Android devices have been infected with Keenadu. The highest number of affected users are in Russia, followed by Japan, Germany, Brazil, and the Netherlands. In some cases, affected users received devices with the malware already preloaded on them, while in others, users received the compromised software via otherwise normal over-the-air security updates.

What makes the malware especially dangerous is the fact that its authors can distribute it not just via weaponized firmware but also hidden in system apps, including facial recognition services and launcher apps, and via modified versions of popular applications on official stores like Google Play and Xiaomi GetApps.

Keenadu operates as a multistage loader that downloads payloads for hijacking browser searches, committing advertising fraud, adding items to shopping carts, and executing other actions without the user's knowledge. Kaspersky found one module targeting major online shopping platforms such as Amazon, Shein, and Temu; another for monitoring every query typed into Google Chrome; and a third capable of intercepting application installations and sending tracking links to advertising platforms, taking credit for those installs.

The operators of the malware, according to Kaspersky, are currently leveraging it purely for ad fraud by essentially using infected devices to surreptitiously click on advertisements and getting paid for each click. But the attackers can just as easily use the malware to take complete remote control of affected devices, the company warned.

Connected to Other Major Android Botnets?

Troublingly, Kaspersky's investigation also uncovered connections between Keenadu and three other major Android botnets — BADBOX, Triada, and Vo1d — suggesting at least some level of coordination between arguably the largest mobile malware operations. The security vendor found several instances of BADBOX actively deploying Keenadu payloads on compromised systems, as well as evidence connecting Triada to BADBOX through shared infrastructure.

"These findings show that several of the largest Android botnets are interacting with one another," Kaspersky said. "Currently, we have confirmed links between Triada, Vo1d, and BADBOX, as well as the connection between Keenadu and BADBOX."

Kaspersky has provided indicators of compromise that can help affected users verify if their devices are infected. In instances where a device might have come with Keenadu preloaded at the firmware level, the only remedy is to replace the firmware entirely. Until that happens, users should stop using the infected device, Kaspersky said. On devices where Keenadu might be present in a system app rather than in firmware, users should see if they can find a clean replacement for the app where possible. Otherwise, they should disable the infected app entirely to prevent it from running, Kaspersky said. Users who might have downloaded an infected app from a third-party store can simply uninstall that app to mitigate the threat.

About the Author

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.