Malware - Android Devices Ship with Firmware-Level Threat
Basically, some Android devices come with hidden malware that lets hackers control them.
A new firmware-level malware called Keenadu is affecting Android devices. Over 500 devices across 40 countries are compromised, enabling ad fraud. Users should update their firmware to mitigate risks.
What Happened
In late February 2026, SophosLabs analysts uncovered a serious threat affecting Android devices. Keenadu, a firmware-level malware, was detected, allowing attackers to gain full control over infected devices. This malware is embedded in the libandroid_runtime.so library, which is essential for running all Android applications. By injecting itself into the Zygote process, Keenadu spreads across every app on the device, making it a pervasive threat.
Keenadu acts as a downloader for additional malicious modules, targeting various applications. Notably, it has been linked to ad fraud, where it silently connects to websites to generate revenue for attackers. This malware is particularly dangerous because it was integrated into the firmware during the build phase, indicating a supply chain compromise rather than a typical infection through software updates.
Who's Being Targeted
The malware primarily affects low-cost Android devices from manufacturers like Allview, BLU, and Ulefone. Reports indicate that over 500 unique compromised devices have been identified across nearly 50 different models. The infections have been detected globally, spanning 40 countries. This widespread impact raises significant concerns, especially for organizations that allow employees to access corporate networks via personal devices.
The targeted applications include popular platforms like YouTube, Facebook, and e-commerce sites such as Amazon and Shein. Keenadu's ability to execute ad fraud through these apps makes it a lucrative tool for cybercriminals.
Signs of Infection
Indicators of Keenadu infection include the presence of two system-level APK files: PriLauncher.apk and PriLauncher3QuickStep.apk. These files are located in system directories and have been flagged as malicious. The malware can also be detected through specific hashes associated with the infected firmware. Users may not notice any immediate symptoms, but the presence of these files is a clear sign of compromise.
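As an added example (not code from the Sophos report), the following POSIX shell check looks for the two indicator file names in an APK listing pulled from a device over adb. The `adb` invocation, the partition paths searched and the constructed sample listing are assumptions; the report only says the files live in system directories, so the match is on the file name.

```shell
#!/bin/sh
# Indicator file names named in the Sophos report. Only the names are given,
# so matching is done on the basename of each path.
KEENADU_INDICATORS="PriLauncher.apk PriLauncher3QuickStep.apk"

# check_listing: read one file path per line from stdin, print every path
# whose basename is a known indicator, return 1 if any was found, else 0.
check_listing() {
    found=0
    while IFS= read -r path; do
        [ -z "$path" ] && continue
        base=${path##*/}
        for ind in $KEENADU_INDICATORS; do
            if [ "$base" = "$ind" ]; then
                printf 'INDICATOR %s\n' "$path"
                found=1
            fi
        done
    done
    return $found
}

# scan_device: enumerate APKs on a USB-attached device (assumes adb is
# installed and the device is authorised) and pipe them through check_listing.
# The partition list is an assumption; adjust for the device's layout.
scan_device() {
    serial=$1
    adb -s "$serial" shell find /system /product /vendor /system_ext \
        -name '*.apk' 2>/dev/null | tr -d '\r' | check_listing
}

# Usage: scan_device <adb-serial>   (exit status 1 means an indicator was found)
```

A clean result does not rule out compromise, since the report places the malware itself in libandroid_runtime.so rather than only in these two files.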
Organizations should be vigilant, as the malware can expose sensitive corporate data through apps on infected devices. The risk is heightened if employees use these devices to access work-related information.
How to Protect Yourself
To mitigate the risks posed by Keenadu, users are advised to install updated firmware as soon as it becomes available from their device manufacturers. Until then, organizations should consider restricting access to corporate networks for affected device models. Sophos recommends following its guidelines for detection and response, which include monitoring for known indicators of compromise.
Awareness and proactive measures are crucial in combating this malware threat. Users should regularly check for firmware updates and be cautious about the apps they install. By staying informed and vigilant, individuals and organizations can better protect themselves against the evolving landscape of mobile malware threats.
Sophos News