Multiple brands of Android tablets shipped with built-in malware (Updated: Google statement)
Source: Android Authority

TL;DR
- Researchers found a firmware‑level Android backdoor called Keenadu preinstalled on certain tablets before sale.
- The malware injects into Android’s Zygote process, giving attackers broad control over apps and data on the tablets.
- Google says Android users are automatically protected from known versions of this malware by Google Play Protect.
Update – February 17 2026 (02:35 PM ET)
After the original article was published, a Google spokesperson provided the following statement:
“Android users are automatically protected from known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users and disable apps known to exhibit Keenadu‑associated behavior, even when those apps come from sources outside of Play. As a best security practice, we recommend users ensure their device is Play Protect certified.”
The Kaspersky research noted that the Keenadu malware wasn’t found only in firmware builds. Google added that all three malicious apps identified in the report on Google Play have been removed. Google also publishes instructions for verifying that your device is Play Protect certified.
Original article – February 17 2026 (01:18 PM ET)
Worrying as it may be, most Android malware spreads through shady apps or dodgy downloads, giving users a semblance of autonomy over whether they get infected. Security researchers, however, have uncovered something more unsettling: a backdoor built directly into the firmware of certain Android tablets before they even reached users.
Background
A report highlighted by Help Net Security describes how Kaspersky researchers discovered a new Android backdoor named Keenadu, embedded in the firmware of tablets from multiple manufacturers. Rather than infecting devices after purchase, the malware appears to have been baked into the software during the firmware build process.
Technical details
- Injection point: The backdoor injects itself into Android’s Zygote process, a core system process that launches every app on the device.
- Capabilities: Once active, Keenadu can download additional modules that:
  - Redirect browser searches
  - Track app installs for profit
  - Interact with advertising elements
Operating at this level gives the malware far more reach than a typical malicious app.
Affected devices
One confirmed example involves firmware images for the Alldocube iPlay 50 mini Pro tablet. Researchers found that every version they examined contained the backdoor, including releases issued after the vendor had acknowledged malware reports. The firmware files carried valid digital signatures, suggesting the issue wasn’t caused by post‑release tampering but rather by a supply‑chain compromise introduced during software development or the build process.
Impact and statistics
- Kaspersky reports 13,715 users worldwide have encountered Keenadu or its modules.
- Highest infection numbers are in Russia, Japan, Germany, Brazil, and the Netherlands.
- The threat is linked to other known Android botnet families, including Triada, BadBox, and Vo1d.
Mitigation
This issue does not appear to affect major flagship Android brands. The confirmed cases center on lesser‑known tablet manufacturers, many of which have not been publicly named. If you own a budget Android tablet, especially from a smaller or unfamiliar brand, consider the following steps:
- Check for software updates regularly and install them as soon as they become available.
- Verify that your device is Play Protect certified (see Google’s instructions above).
- Stay informed about vendor communications regarding clean firmware releases.