Keenadu has become one of the most unsettling threats for Android users, not just because of what it does but because of how it reaches devices: in many cases it comes pre-installed on the phone or tablet itself, as in other cases of pre-installed malware on Android, even before the buyer turns on the device for the first time.
Cybersecurity experts have warned that Spain is among the countries with the highest number of detections of this malicious software, within a global scenario where several European states also stand out. The problem is not limited to mobile phones of dubious origin: some infections have been detected in new devices distributed through seemingly legitimate channels.
MADRID, Feb. 17 (Portaltic/EP) – Laboratories from various specialized firms have analyzed in detail this new malware family, named Keenadu, which targets Android phones and tablets. The threat may be embedded in the device firmware, camouflage itself in system applications, or sneak in through apps published in official stores like Google Play.
Cybercriminals primarily use Keenadu for advertising fraud, transforming devices into bots that automatically click on ads, generating an illegitimate revenue stream. However, several analyses have shown that some variants are much more aggressive and can provide near-absolute control of the compromised device, which increases the risks to privacy and security.
The security company Kaspersky, which was one of the first to document this case, points out that it has already identified more than 13,000 infected devices worldwide through its mobile solutions. This figure corresponds to cumulative detections up to February 2026 and focuses exclusively on new mobile phones and tablets, reflecting the severity of the problem in the supply chain.
Among the countries with the highest number of affected users are Russia, Japan, Germany, Brazil and the Netherlands. However, Spain also appears among the ten territories with the most detections, along with Türkiye, the United Kingdom, France and Italy, which puts Europe in a particularly delicate position in the face of this type of attack.
Malware that infiltrates the supply chain
The researchers point out that Keenadu follows a strategy similar to that of the Triada Trojan, which became known after appearing on thousands of counterfeit Android smartphones. In this new case, the malicious code was detected embedded in the firmware of certain Android tablet models, introduced during some phase of the production or distribution chain before the devices reached the market.
This mode makes Keenadu a permanent backdoor, which gives attackers unlimited access to the device. Once inside, the malware is able to infect any app that is installed, add new applications from APK files, and modify system settings to grant all necessary permissions without user intervention.
As a result, the information stored on the device is seriously exposed, from photos and videos to private messages, recorded locations, and bank credentials. Analysts have even verified that Keenadu can monitor searches performed in Chrome in incognito mode, completely undermining the feeling of private browsing.
One striking feature of this malware is that it doesn't behave the same on all devices. Its activation depends on parameters such as the configured language or time zone, and it has been observed that it will not run if the system is set to Chinese dialects or if the time zone corresponds to Chinese territory. It also does not activate on devices that lack the Google Play Store or Google Play services.
Experts suspect that this internal logic responds to an attempt by the creators to avoid detection or legal problems in certain jurisdictions, while focusing their efforts on other markets where the chances of economic benefit or impunity are higher, including several European countries.
Integrated into system apps with elevated privileges
Beyond the firmware, research has revealed that Keenadu also hides in pre-installed system applications. In this variant, the malicious code cannot always infect all the apps on the device, but it does have advanced permissions that allow it to install additional software or modify components without the mobile phone owner noticing.
In one of the cases analyzed, the specialists found the malware embedded in the application responsible for facial unlocking. This fact is especially worrying, as it opens the door to possible illicit access to biometric data such as facial patterns, an extremely sensitive type of information that is also not as easy to change as a password.
On other devices, Keenadu appeared embedded in the system home screen application. By being present in such a central component of the Android experience, the malware can remain persistently active and take advantage of every device startup to execute its tasks, from communicating with remote servers to downloading new malicious modules.
The camouflage technique relies on Keenadu mimicking legitimate system components, using names and structures that resemble those of common Android processes. This strategy makes it difficult to detect during manufacturing and also for advanced users who manually review installed apps.
According to Dmitry Kalinin, a security researcher at Kaspersky, it is likely that many manufacturers were unaware of the manipulation suffered in the supply chain. Hence the company's insistence that it is essential to review in detail all phases of the production process and establish additional controls to ensure that the firmware reaching consumers is not compromised.
Keenadu has also been distributed through Google Play
The analyses are not limited to factory facilities. Several reports indicate that the malware has also reached users through the official Google Play store. In this scenario, Keenadu hides within seemingly legitimate applications, which pass initial checks and are offered to the public without raising suspicion.
In one of the sample sets studied, cybercriminals opted for smart home camera apps. Among those affected were apps like Ziicam, Eyeplus-Your home in your eyes, and Eoolii, which together accumulated more than 300,000 downloads before being removed from the platform; these were malicious apps that took advantage of users' trust.
When the user ran these tools, the malware opened invisible browser tabs within the app itself, secretly visiting websites. This mechanism made it possible to inflate visit and ad-click statistics without the phone owner ever seeing anything on the screen, which fits with Keenadu's main objective: massive advertising fraud.
Although Google has already removed these apps from its store, the case once again raises the issue of the limitations of automated review systems. It also raises the need for users to pay closer attention to the permissions requested by each application and the subsequent behavior of the device, even when downloads come from official repositories.
For those who have already installed any of these apps, experts recommend uninstalling them immediately and performing a full device scan with a reliable security solution. In certain cases, it may even be necessary to restore the device to factory settings, provided there is certainty that the infection is not present in the firmware. To guide these actions, it is advisable to consult how to remove malware on Android correctly.
Impact in Spain and the rest of Europe
On the global map of infections, Europe occupies a prominent place. Countries like Germany and the Netherlands appear among the territories with the most compromised devices, and Spain is also in the highest risk group, sharing the spotlight with nations such as France, Italy, the United Kingdom and Türkiye.
In the Spanish case, analysts emphasize that the popularity of Android and the wide range of mid-range and low-end mobile phones facilitate the expansion of these types of threats. The most economical models, in particular, can have looser quality controls in the supply chain, which increases the likelihood that counterfeit firmware will reach the end consumer.
Authorities and cybersecurity agencies in Europe have long been warning about the risks associated with devices with modified software or without a clear guarantee of origin. The Keenadu case fits perfectly into these concerns, demonstrating that even brand-new devices are not necessarily free from threats.
For companies and public administrations, the problem goes beyond personal privacy. A corporate mobile phone with Keenadu could become a gateway to internal networks, email systems, payment platforms, or critical applications, if the device is regularly used for professional tasks.
In this context, several experts recommend that European organizations establish clear policies for purchasing devices, prioritizing suppliers with strict controls and security certifications, as well as requiring a detailed inventory of the firmware and system apps included in each device used within the company.
How to protect your Android phone from Keenadu
Although the origin of Keenadu is often beyond the direct control of the user, there are several measures that can significantly reduce the risk. The first step is to be selective when buying devices, opting for manufacturers and distributors with a good reputation and avoiding, as far as possible, devices of dubious origin or excessively cheap ones without a clear technical specification sheet.
Experts also emphasize the importance of keeping your operating system and apps up to date. Many updates include security patches that fix vulnerabilities exploited by this type of malware, so leaving your device out of date can open the door to infections or make it easier for any malicious component already present to operate.
Another key recommendation is to install a trusted mobile security solution and perform regular scans, including, where possible, firmware reviews. These tools can detect suspicious behavior, identify compromised system apps, and suggest specific actions to mitigate the damage.
In case of suspicion, experts advise reviewing the pre-installed applications and disabling any that seem unnecessary or whose behavior seems strange (excessive battery drain, unusual data traffic, constant presence in the background). If a critical system app is flagged as malicious, the safest course of action is to stop using it and, if the option exists, disable it.
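The inventory of system apps recommended for organizations and the review of pre-installed applications described above can be partly automated. The following is an added example, not code from the article or from any vendor: it compares a device's system-app list against an approved baseline by package name, APK path and SHA-256 digest. It assumes the list was collected with `adb shell pm list packages -s -f` and that the device shell provides `sha256sum`; all package names, paths and digests are constructed, and the baseline format is hypothetical.

```python
# Constructed sample inputs; package names, paths and digests are made up.
# PM_OUTPUT mimics `adb shell pm list packages -s -f`,
# SHA_OUTPUT mimics `adb shell sha256sum <apk>` run over those paths.
PM_OUTPUT = """\
package:/system/priv-app/Launcher3/Launcher3.apk=com.android.launcher3
package:/system/app/FaceUnlock/FaceUnlock.apk=com.example.faceunlock
package:/system/priv-app/SysHelper/SysHelper.apk=com.example.syshelper
"""
SHA_OUTPUT = f"""\
{'11' * 32}  /system/priv-app/Launcher3/Launcher3.apk
{'ff' * 32}  /system/app/FaceUnlock/FaceUnlock.apk
{'33' * 32}  /system/priv-app/SysHelper/SysHelper.apk
"""
# Hypothetical approved inventory from a known-good unit: package -> (path, sha256)
BASELINE = {
    "com.android.launcher3": ("/system/priv-app/Launcher3/Launcher3.apk", "11" * 32),
    "com.example.faceunlock": ("/system/app/FaceUnlock/FaceUnlock.apk", "22" * 32),
}

def parse_inventory(pm_text, sha_text):
    """Return {package: (apk_path, sha256 or None)} for the device."""
    digests = {}
    for line in sha_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            digests[parts[1].strip()] = parts[0].lower()
    inventory = {}
    for line in pm_text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # APK paths can contain '=', so split on the last one only.
            path, _, pkg = line[len("package:"):].rpartition("=")
            if path and pkg:
                inventory[pkg] = (path, digests.get(path))
    return inventory

def diff_inventory(device, baseline):
    """List (finding, package, path) tuples for deviations from the baseline."""
    findings = []
    for pkg, (path, digest) in sorted(device.items()):
        if pkg not in baseline:
            findings.append(("unexpected-package", pkg, path))
        elif baseline[pkg][0] != path:
            findings.append(("path-changed", pkg, path))
        elif baseline[pkg][1] != digest:
            findings.append(("content-changed", pkg, path))
    for pkg in sorted(set(baseline) - set(device)):
        findings.append(("missing-package", pkg, baseline[pkg][0]))
    return findings

if __name__ == "__main__":
    for finding in diff_inventory(parse_inventory(PM_OUTPUT, SHA_OUTPUT), BASELINE):
        print(*finding)
```

The digest check is what flags a known system app whose contents differ from the approved build, which a name-only review would miss; the baseline has to match the exact model and firmware build, since legitimate updates also change digests.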
Finally, it is recommended to avoid installing applications from unknown sources unless strictly necessary and to carefully review the permissions requested by each app. Although Keenadu has shown that even official app stores can be vulnerable, reducing exposure to alternative repositories minimizes the attack surface.
The Keenadu case highlights the extent to which Android phones can be compromised from the first time they are turned on, without the user pressing a single button or installing any application on their own. The combination of pre-installed malware, massive ad fraud, and remote control capabilities makes this threat a stark reminder of the need to strengthen security throughout the entire chain, from the factory to the user's pocket, with particular attention to markets like Spain and the rest of Europe, where the impact is already more than evident.