March 7, 2026

PBX Science


“Keenadu” Backdoor Found Pre-Installed on Budget Android Tablets




“Keenadu” Backdoor Found Pre-Installed on Budget Android Tablets — What You Need to Know

Date: March 1, 2026 | Cybersecurity


A dangerous firmware-level backdoor has been discovered lurking inside budget Android tablets — and in many cases, it was there before buyers even opened the box.

Kaspersky, the Russian cybersecurity firm, published a detailed technical report on February 16, 2026, disclosing the malware, which it named Keenadu.

The discovery has since prompted multiple Chinese tablet manufacturers to issue public statements and promise emergency firmware patches.


What Is Keenadu?

Keenadu is a sophisticated Android backdoor that embeds itself into libandroid_runtime.so — a core shared library that every app on an Android device loads at startup. Because it operates at this fundamental level, the malware is injected into virtually every application running on the infected device, effectively bypassing Android’s app sandboxing protections entirely.

“Keenadu is a fully functional backdoor that provides the attackers with unlimited control over the victim’s device,” Kaspersky told BleepingComputer. “It can infect every app installed on the device, install any apps from APK files, and give them any available permissions.”

This means all data on a compromised device — personal files, messages, banking credentials, location history — is potentially exposed. Kaspersky researchers noted the malware can even monitor search queries entered into Chrome’s incognito mode.


A Supply Chain Compromise

What makes Keenadu especially alarming is when it gets installed. Kaspersky determined that the infection occurs during the firmware build phase, not after a device reaches the consumer. In effect, infected tablets leave the factory with the backdoor already in place.

Evidence for this is strong: Kaspersky traced compromised Alldocube firmware back to August 18, 2023, and found that all subsequent firmware versions for that model — including those released after the company publicly acknowledged a “virus attack” in March 2024 — remained infected. Crucially, the malicious firmware files all carried valid digital signatures, indicating that attackers had access to the manufacturer’s private signing keys, or that the compromise occurred upstream in the supply chain.

In some cases, Keenadu was also delivered to already-sold devices via over-the-air (OTA) firmware updates, extending its reach beyond factory-infected units.


How Many Devices Are Affected?

As of February 2026, Kaspersky’s telemetry detected 13,715 users worldwide who encountered Keenadu or its modules. The highest concentrations of infections were found in Russia, Japan, Germany, Brazil, and the Netherlands, though cases have been reported globally.

Kaspersky publicly identified Alldocube as one of the affected brands. Other manufacturers were notified but not named in the report. However, users have independently reported infections on devices from brands including DOOGEE and Headwolf, and both have since released official statements.


What Is the Malware Actually Doing?

While Keenadu is technically capable of full device takeover, Kaspersky found it has primarily been used for advertising fraud. Infected devices silently:

  • Hijack browser search engines to redirect queries
  • Monitor the installation of new apps and interact with advertising components to generate fake revenue
  • Open invisible browser tabs in the background to visit websites and click on ads
  • Add items to e-commerce shopping carts without user knowledge (reported by multiple Alldocube tablet users)

In firmware versions that embed Keenadu into the facial recognition system app, the malware could also potentially harvest users’ biometric face data.


A Dangerous Kill Switch — and a Geographic Exception

One telling characteristic of Keenadu: the malware is programmed to terminate itself if the infected device’s language is set to a Chinese dialect and the device is located in a Chinese time zone. This geographic exclusion is a pattern also seen in other Chinese-origin malware families, and it may have helped the backdoor evade detection for years.


Links to Larger Botnets

Kaspersky’s investigation also revealed that Keenadu is not operating in isolation. Researchers identified confirmed infrastructure links between Keenadu and BADBOX, another well-documented Android malware platform, with BADBOX actively deploying Keenadu loaders onto compromised devices.

Additionally, connections were found between these threats and Triada and Vo1d, two other major Android botnets primarily powered by low-cost Android devices. The scale of this interconnected threat ecosystem is described by Kaspersky as unprecedented in the Android threat landscape.


How Keenadu Spread Beyond Firmware

The backdoor was not limited to factory-infected tablets. Kaspersky also found Keenadu embedded in:

  • System apps within device firmware (including facial recognition and home launcher apps)
  • Trojanized apps distributed via unofficial third-party sources
  • Apps in Xiaomi’s GetApps store
  • Google Play Store — smart camera apps published by “Hangzhou Denghong Technology Co., Ltd.” were collectively downloaded over 300,000 times before Google removed them following Kaspersky’s disclosure

Google confirmed to researchers that Android users are protected from known Keenadu variants by Google Play Protect, which is enabled by default on devices with Google Play Services.


Manufacturer Responses

Alldocube (Shenzhen, China) was the first manufacturer to respond publicly. On February 25, the company confirmed malware was present in certain tablets and launched an investigation. On February 27, it released a list of confirmed affected models:

  • iPlay 50 mini Pro (8+256GB / 8+128GB, Android 13)
  • iPlay 60 mini Pro (8+128GB, Android 14)
  • iPlay 60 Pro (8+128GB, Android 14)
  • iPlay 70 Pro (6+256GB, Android 14)

The company attributed the issue to “a firmware security vulnerability risk in certain components in the supply chain.” Alldocube pledged to release clean OTA firmware updates for all affected models by March 5, 2026, and announced plans for third-party security audits and internal process reviews.

The company noted that certain variants of the same models — such as those running Android 15 — were found to be unaffected.

Headwolf and Alphawolf also released statements on February 27, confirming similar issues and promising patches via OTA update in early March 2026.


What Should You Do?

If you own a budget Android tablet — particularly from brands like Alldocube, Headwolf, DOOGEE, or other lesser-known Chinese manufacturers — take the following steps:

  1. Check your manufacturer’s website or support page for any official statement or firmware update related to Keenadu.
  2. Apply any available clean firmware update immediately. Alldocube has committed to updates by March 5.
  3. Run a reputable mobile security scanner (such as Kaspersky Mobile Security or similar) to check for infections.
  4. Do not use the device for sensitive tasks — banking, shopping, or accessing private accounts — until it has been confirmed clean.
  5. If no clean firmware is available, Kaspersky warns that the only reliable fix may be manually reflashing the device from a trusted source. In some cases, they recommend replacing the device entirely.

Because Keenadu embeds itself in a core system library, it cannot be removed using standard Android security tools without potentially bricking the device.
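Because the infected firmware carried valid signatures, a signature check alone does not show that an image is clean; comparing the system partition file by file against a reference from a source you trust does. The sketch below is an added example, not code from Kaspersky or from any vendor. It assumes both system trees have already been extracted to local directories, and the sample trees and file names in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Library the article names as Keenadu's host, relative to the system root.
CORE_LIBS = ("lib/libandroid_runtime.so", "lib64/libandroid_runtime.so")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}


def diff_system(reference: Path, suspect: Path) -> dict[str, list[str]]:
    ref, sus = hash_tree(reference), hash_tree(suspect)
    modified = sorted(f for f in ref.keys() & sus.keys() if ref[f] != sus[f])
    return {
        "modified": modified,
        "added": sorted(sus.keys() - ref.keys()),
        "missing": sorted(ref.keys() - sus.keys()),
        "core_lib_modified": [f for f in modified if f in CORE_LIBS],
    }


def demo() -> dict[str, list[str]]:
    # Constructed sample trees: byte strings stand in for real binaries.
    clean = {"lib64/libandroid_runtime.so": b"runtime", "lib64/libc.so": b"libc",
             "priv-app/Launcher/Launcher.apk": b"launcher"}
    dirty = {**clean, "lib64/libandroid_runtime.so": b"runtime+extra",
             "priv-app/FaceUnlock/FaceUnlock.apk": b"face"}  # hypothetical names
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("ref", clean), ("sus", dirty)):
            for rel, data in files.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        return diff_system(Path(tmp, "ref"), Path(tmp, "sus"))


if __name__ == "__main__":
    print(demo())
```

Any entry under `core_lib_modified`, or an unexpected system app under `added`, means the image differs from the reference and should not be treated as clean without further analysis.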


The Bigger Picture

The discovery of Keenadu highlights a growing and deeply troubling pattern: malware being inserted into consumer electronics during the manufacturing or distribution process, long before devices reach end users. This “supply chain compromise” model makes detection extremely difficult, as products appear legitimate and arrive in official packaging.

As Kaspersky researcher Dmitry Kalinin noted: “Vendors likely didn’t know about the supply chain compromise that resulted in Keenadu infiltrating devices, as the malware was imitating legitimate system components. It is important to check every stage of the production process to ensure that device firmware is not infected.”

For consumers, the lesson is an uncomfortable one: even a brand-new, sealed device may not be trustworthy — especially at the budget end of the market.


Sources: Kaspersky Securelist, BleepingComputer, The Hacker News, The Record, Help Net Security, NotebookCheck, SecurityWeek
