Android Backdoor “Keenadu” Found Pre-Installed on Tablets Worldwide

Pre-Installed Malware Found on Android Tablets, Raising Supply Chain Security Concerns

A sophisticated backdoor dubbed “Keenadu” is pre-installed on certain Android tablets, potentially compromising user data and device security. Security researchers at Kaspersky have uncovered the malware, which appears to be embedded in the firmware before devices are even sold. This discovery raises serious questions about the integrity of the Android supply chain and highlights the vulnerabilities inherent in pre-installed software. The situation is prompting concern among cybersecurity experts and users alike, as the malware grants attackers extensive access to compromised devices.

The Keenadu backdoor operates by integrating itself into the Zygote process, a core component of Android responsible for launching applications. This strategic positioning allows the malware to intercept and manipulate app behavior, potentially enabling attackers to load malicious modules, redirect search queries, and track app installations for advertising purposes. The implications are far-reaching, as the malware can effectively compromise any app launched on the infected device. Kaspersky’s investigation suggests a deliberate compromise within the development or build process, rather than a widespread, opportunistic attack.

The discovery underscores a growing trend of malware being pre-installed on devices, often bypassing traditional security measures. This tactic makes detection and removal significantly more challenging, as the malware is present from the moment the device is powered on. While Google has implemented security features like Google Play Protect, these defenses are often reactive, addressing threats after they have emerged. Pre-installed malware represents a proactive threat, requiring a more robust and preventative approach to supply chain security.

How Keenadu Operates and What it Can Do

According to Kaspersky, Keenadu is a multifaceted piece of malware capable of a range of malicious activities. By embedding itself within the Zygote process, it gains a privileged position within the Android operating system. This allows it to intercept system calls and manipulate the behavior of applications as they launch. Specifically, Keenadu can:

  • Load additional modules: The malware can download and execute further malicious code, expanding its capabilities and potentially introducing new threats.
  • Redirect search queries: Attackers can manipulate search results, directing users to phishing websites or malicious content.
  • Track app installations: Keenadu can monitor which apps users install, potentially for advertising fraud or data collection purposes.
  • Gain comprehensive access: The malware’s deep integration into the system grants attackers a significant level of control over the compromised device.

Affected Devices and Geographic Distribution

Kaspersky identified the Alldocube iPlay 50 mini Pro tablet as one example of a device with the Keenadu backdoor present in its firmware, even with valid signatures. This suggests the compromise occurred during the manufacturing or build process, rather than through a user-initiated download or installation. The researchers have reported that approximately 13,715 users globally have encountered Keenadu or its associated modules. The highest concentrations of affected users are located in Russia, Japan, Germany, Brazil, and the Netherlands, according to Kaspersky’s data. Still, the full extent of the infection remains unclear, and it is likely that other devices and regions are also affected.

Google’s Response and Mitigation Efforts

Google has acknowledged the reports of the Keenadu backdoor and has taken steps to mitigate the threat. The company stated that known variants of the malware are automatically blocked by Google Play Protect, its built-in malware protection system. Google has removed three reported applications associated with Keenadu from the Google Play Store. Android Authority reports that Google is continuing to investigate the issue and work with device manufacturers to address the underlying vulnerabilities.

While Google Play Protect offers a layer of defense, it is not foolproof. Pre-installed malware like Keenadu can bypass these protections if it is deeply embedded within the system firmware. It is crucial for device manufacturers to prioritize security throughout the entire supply chain, from component sourcing to final assembly.

The Broader Implications for Android Security

The Keenadu incident highlights the growing challenges facing Android security. The open-source nature of Android, while offering flexibility and customization, also creates opportunities for malicious actors to introduce vulnerabilities. The fragmented Android ecosystem, with numerous device manufacturers and varying levels of security updates, further complicates the situation. According to Statista, Android held approximately 71.5% of the global mobile operating system market share in January 2024, making it a prime target for attackers.

The discovery of Keenadu also raises concerns about the security of the Android supply chain. If attackers can compromise the firmware of devices before they are even sold, it becomes significantly more difficult to protect users. This requires a collaborative effort between Google, device manufacturers, and component suppliers to implement robust security measures at every stage of the process. This includes secure boot mechanisms, firmware integrity checks, and regular security audits.

Android Tablet Market Overview

Android currently powers between 45 and 50 percent of all tablets worldwide, with Apple’s iOS/iPadOS leading the market with approximately 55 to 56 percent market share. Android dominates the non-Apple tablet market due to the availability of affordable and diverse devices from manufacturers like Samsung, Lenovo, and Xiaomi. The global tablet market experienced around 10 percent growth in 2025, reaching approximately 162 million units sold, as reported by Electronics Weekly. Android tablets are particularly benefiting from this growth, especially in price-sensitive regions such as Asia, Latin America, and Africa.

What Users Can Do to Protect Themselves

While the Keenadu backdoor is a serious threat, there are steps users can take to mitigate their risk:

  • Keep your device updated: Install the latest security updates from your device manufacturer as soon as they become available.
  • Install a reputable mobile security app: A mobile security app can provide an additional layer of protection against malware and other threats.
  • Be cautious about app permissions: Carefully review the permissions requested by apps before installing them.
  • Avoid sideloading apps: Only download apps from trusted sources, such as the Google Play Store.
  • Consider a factory reset: If you suspect your device may be infected, a factory reset can remove the malware, but will also erase all data on the device. Back up important data before performing a factory reset.

The Keenadu backdoor serves as a stark reminder of the evolving threat landscape facing Android users. Proactive security measures, combined with a vigilant approach to app installations and device updates, are essential for protecting against these emerging threats. The incident also underscores the need for greater transparency and accountability within the Android supply chain to ensure the security of devices from the moment they are manufactured.

Google is expected to provide further updates on its investigation and mitigation efforts in the coming weeks. Users are encouraged to stay informed and follow the latest security recommendations from Google and other cybersecurity experts. The ongoing efforts to address the Keenadu threat will be crucial in maintaining the security and integrity of the Android ecosystem.
