
A new piece of malware, dubbed Keenadu, has put thousands of Android phones worldwide under suspicion. The threat is especially worrying because it can sneak into the device long before the user takes it out of the box, taking advantage of weak points in the manufacturing and distribution chain.
Investigations carried out by cybersecurity specialists indicate that Keenadu has already affected more than 13,000 devices globally as of February 2026, with a notable impact in Latin America. Although public data mainly details the impact in countries like Brazil, these types of campaigns tend to spread easily to other regions, so the risk is also relevant for users in Spain and the rest of Europe.
What is Keenadu and why is it so worrying?
Keenadu is malware designed for Android, characterized by its flexibility and the depth of access it can provide within the system. Its primary use is advertising fraud: the attackers use infected devices to generate fake clicks on ads, earn money illegally, and consume device resources without the owner noticing.
However, some variants of Keenadu go far beyond simply displaying or clicking ads covertly. In its more advanced forms, the malware can take almost total control of the device, modify already installed applications, download new ones without permission, and even grant them all the necessary permissions to operate without restrictions.
This extensive control means that attackers can access highly sensitive information. A modern mobile phone stores virtually all of a user's digital life: from personal files and photos to conversations, bank credentials, location data and browsing habits. The fact that malicious software can manage all of this from within the system makes it a particularly serious threat.
Experts also warn that this type of campaign erodes one of the few certainties the average user had left: the idea that a new device comes clean from the factory. If the device arrives infected from the supplier or manufacturer, the usual good practices (downloading only from trusted sources, not opening suspicious attachments, etc.) are no longer sufficient to contain the problem.
Keenadu pre-installed in the device firmware
One of the most unsettling aspects of Keenadu is that, in some cases, it has become directly integrated into the device firmware, that is, the internal system that controls the phone's basic operation. This puts Keenadu in the same league as other known backdoors found embedded in devices during the manufacturing or distribution process.
When malware infiltrates this deep layer, the mobile device can be compromised from the very first second. Neither restoring factory settings nor deleting all user data solves the problem, because the backdoor remains within the system itself. In this position, Keenadu has more than enough capabilities to manipulate almost any component of the software.
Among the possible actions in this scenario are the modification of existing applications, the silent installation of new apps and the automatic granting of permissions to these malicious programs. This allows cybercriminals to covertly access the services that are of greatest interest from an economic or espionage perspective.
The exposed information isn't limited to emails or documents: messages, location history, online banking login details, and any other content the user regularly handles on their smartphone are also affected. Some analyses have even observed that Keenadu monitors searches performed in Chrome, including those done in incognito mode, which dismantles the false sense of privacy of that function.
The malware's behavior varies depending on certain device conditions, revealing that it is programmed with strategies to remain undetected. For example, Keenadu has been observed not to activate if the system language is configured in certain Chinese dialects or if the time zone corresponds to China. This type of filtering suggests that the attackers intend to avoid certain territories, perhaps to circumvent specific legal or technical controls.
Similarly, the malicious code has proven to be selective regarding the presence of Google services. If the device does not have Google Play Store or Google Play Services, some variants of Keenadu choose not to run. This aligns with its focus on ad fraud and the need to operate in environments where the Google platform plays a central role.
Infection through system applications
Not all Keenadu variants are hidden in the firmware; some are integrated into system apps. These apps come pre-installed on the device and have elevated permissions. Although their ability to spread is somewhat more limited in this case, the risk remains considerable.
In this mode, the malware doesn't have the same freedom to infect any application on the phone, but the fact that it resides in an app with elevated privileges allows it, for example, to install other applications without notifying the user. In this way, a network of malicious components is created that collaborate with each other to exploit the device.
Researchers' analysis indicates that Keenadu appeared embedded in a system application responsible for [unclear - possibly "the system" or "the system"]. This raises a particularly sensitive issue, as it could allow unauthorized access to the user's biometric data, a type of information that, unlike a password, cannot be changed if compromised.
In other affected models, the malware has been found hidden in the home screen application, that is, the layer that manages the desktop, icons, and application access. From this position, Keenadu can observe much of the user's daily activity and deploy additional functionalities without raising suspicion, as it disguises itself as an essential system component.
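The silent-install capability described in this section can be audited from the defender's side. The following is an added example, not code from the researchers or from any vendor: it parses a constructed, simplified excerpt in the style of `adb shell dumpsys package` output and lists pre-installed packages that hold a granted install or delete permission but are not on an allowlist. The package names, paths and the allowlist are assumptions; in practice the allowlist would come from a known-good image of the same model.

```python
import re

# Permissions that let an app add or remove other apps with no user prompt.
SILENT_INSTALL_PERMS = {"android.permission.INSTALL_PACKAGES",
                        "android.permission.DELETE_PACKAGES"}
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/")
# Constructed, simplified excerpt in the style of `adb shell dumpsys package`.
# Package names and paths are invented for this example.
SAMPLE_DUMP = """\
  Package [com.example.launcher] (1a2b3c):
    codePath=/system/priv-app/ExampleLauncher
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
  Package [com.example.camera] (4d5e6f):
    codePath=/data/app/com.example.camera-1
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=false
  Package [com.example.updater] (7a8b9c):
    codePath=/system/app/ExampleUpdater
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.DELETE_PACKAGES: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PATH_RE = re.compile(r"^\s*codePath=(\S+)")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def parse_packages(dump):
    """Return {package: {"path": str, "granted": set of permission names}}."""
    packages, current = {}, None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            current = packages.setdefault(m.group(1), {"path": "", "granted": set()})
        elif current is None:
            continue
        elif m := PATH_RE.match(line):
            current["path"] = m.group(1)
        elif (m := PERM_RE.match(line)) and m.group(2) == "true":
            current["granted"].add(m.group(1))
    return packages

def unexpected_installers(dump, allowlist):
    """List pre-installed packages that can install silently and are not allowlisted."""
    findings = []
    for name, info in sorted(parse_packages(dump).items()):
        risky = sorted(info["granted"] & SILENT_INSTALL_PERMS)
        if risky and info["path"].startswith(SYSTEM_PREFIXES) and name not in allowlist:
            findings.append((name, info["path"], risky))
    return findings
```

A finding here is a prompt for review, not proof of infection: legitimate stores and updaters hold the same permissions, which is why the comparison against a known-good allowlist matters.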
Google Play apps and other Android stores
In addition to system-level infections, cases have been identified where Keenadu was distributed through applications available on Google Play and in other Android stores. One of the detected campaigns affected apps designed to control smart home cameras, which had accumulated more than 300,000 downloads before being removed.
These types of applications promised to manage home cameras, but once installed they could open web pages in the background without the user's knowledge. From these pages, the attackers generated fake clicks on ads and carried out covert activities that consumed data, battery, and device resources.
Similar situations had already been seen in apps distributed outside of official stores, but the presence of such versatile malware on platforms considered trustworthy, such as Google Play, demonstrates that no repository is completely infallible. Automatic store filters make life difficult for cybercriminals, but they are constantly seeking new ways to hide malicious code within seemingly legitimate features.
For European users, where the use of smart cameras and other connected devices in the home is booming, this scenario is especially troubling. An app designed to monitor the house or check a baby monitor can end up becoming an entry point for large-scale advertising fraud and for silent monitoring of device activity.
The swift removal of the affected apps from Google Play demonstrates that, once a threat is detected, the platforms react. However, the fact that they accumulated hundreds of thousands of downloads before being removed suggests that the damage was already done for a significant number of users.
Global impact and risk for users in Spain and Europe
According to data collected by mobile security solutions, more than 13,000 Android devices have been identified as infected by Keenadu up to February 2026. The highest concentration of cases has been observed in Latin America, with Brazil leading the way, but the nature of the Android ecosystem makes geographical boundaries relative.
Many manufacturers that sell in Latin America also market similar or identical models in European markets, whether under the same brand or with slight variations. Therefore, even if a malware campaign is initially detected in a specific region, it is common to see cases over time in other countries where the same devices are used or the same applications are downloaded.
In Europe, and specifically in Spain, the rise of mid-range and low-end mobile phones from lesser-known manufacturers increases the risk of exposure if the supply chain is not properly controlled. When the top priority is cutting costs, firmware security and the review of pre-installed apps can become secondary concerns.
The impact of Keenadu is not limited to a number of infected devices. What's at stake is trust in the Android ecosystem and in the agreements between manufacturers, distributors, and software developers. If a user cannot trust that the new phone they buy in a store will be clean, the relationship between consumer and technology suffers.
Analysts insist that this is not just an isolated problem, but a symptom of a structural challenge: the entire technology supply chain must strengthen its controls to prevent software manipulation before it reaches the market. This involves more rigorous audits, firmware validations, and, in some cases, rethinking agreements with third parties involved in the device customization process.
Recommendations to protect your Android phone
In a scenario where a device can be compromised from the factory or become infected through seemingly reliable apps, protecting the end user involves combining prudent habits and security tools. Although there is no foolproof recipe, there are measures that significantly reduce the risk.
The first recommendation is to pay attention to the origin of the device. Whenever possible, it is advisable to buy mobile phones from official stores or authorized distributors, avoiding channels of dubious origin, gray imports or extremely cheap devices without clear information about their manufacturer and support.
It is also crucial to keep both the operating system and the applications always updated. Many updates include patches that fix vulnerabilities that can be exploited by threats like Keenadu. Ignoring these warnings out of convenience or lack of time leaves the door open for malware to exploit known flaws.
Another important layer of defense is having a trusted mobile security solution. Android protection tools can detect suspicious behavior, block malicious apps, and perform regular scans for hidden threats, even when they operate in the background and try to blend in with the rest of the system.
Furthermore, it is advisable to review the permissions requested by applications, especially those from little-known developers or with few reviews. If a flashlight app constantly requests access to your camera, microphone, and location, for example, it might not be a good idea to keep it installed.
It is also advisable to monitor the overall behavior of the device: a sudden increase in data consumption, a battery that drains abnormally, or a mobile phone that overheats for no apparent reason can be clues that something is running in the background without your knowledge, including the possibility of a malware infection.
Taken together, what happened with Keenadu reflects just how valuable a smartphone can be as a target for cybercriminals. Between silent ad fraud, deep system access, and manipulation of firmware or system apps, the scope for abuse is vast. That's why choosing the right device, keeping up to date with updates and relying on specialized security solutions has become almost as important as looking at the camera or storage capacity when buying a new Android phone.