Malware & Ransomware · HIGH

Malware - Android Devices Ship with Keenadu Firmware Threat

Sophos News

Basically, some Android phones come with hidden malware that helps steal money through ads.

Quick Summary

Keenadu malware is found in Android firmware, allowing attackers to control devices for ad fraud. Affected models include low-cost Android phones. Users should update firmware and monitor for unusual activity.

What Happened

In late February 2026, SophosLabs analysts uncovered a significant threat affecting Android devices. The Keenadu malware was identified as a firmware-level infection, meaning it is embedded deeply within the device's operating system. This malware injects itself into the Zygote process, which is crucial for running all Android applications. As a result, attackers gain total control over infected devices.

Keenadu acts as a downloader for additional malicious modules, targeting various applications. This malware is not just a standalone threat; it facilitates ad fraud by silently generating pay-per-click revenue through background activities. The implications of this malware are severe, as it can affect a wide range of applications from popular storefronts to social media platforms.

Who's Being Targeted

The Keenadu malware primarily targets low-cost Android devices produced by manufacturers such as BLU, Gigaset, and Ulefone. These devices are particularly vulnerable due to their firmware being compromised during the manufacturing phase. As of early March 2026, over 500 unique compromised devices were detected across nearly 50 models, indicating a widespread issue.

The malware's reach is global, with infections reported in 40 countries. This raises concerns for organizations that allow employees to access corporate resources from personal devices, as the malware could expose sensitive data and credentials stored within apps.

Signs of Infection

Identifying infections can be tricky, as Keenadu operates at the firmware level. However, certain system-level APK files, such as PriLauncher.apk and PriLauncher3QuickStep.apk, have been flagged as malicious. Because these files ship as part of the Android system image rather than as user-installed apps, detection is challenging without specific security measures.

Users may notice unusual behavior on their devices, such as unexpected ads or slower performance. If your device is among the affected models, it’s crucial to remain vigilant for signs of infection and take immediate action to protect your data.
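Because the article names specific system APK files as indicators, a quick triage step is to check a device's installed-package listing for those file names. The script below is an added example and is not code from the Sophos article or from Sophos; it reads the output of `adb shell pm list packages -f` on stdin and flags any entry whose APK file name matches the two names above. The sample listing and its package names (com.pri.launcher and so on) are constructed for the demo, and a match is a prompt for deeper investigation, not proof of infection.

```shell
#!/bin/sh
# Added example (not from the Sophos article): flag installed APKs whose file
# names match the Keenadu indicators named in the article.
# Usage on a connected device:
#   adb shell pm list packages -f | scan_package_list
# Each input line has the form: package:/path/To/App.apk=com.package.name

# Indicator file names from the article; extend as new indicators are published.
KEENADU_APK_NAMES="PriLauncher.apk PriLauncher3QuickStep.apk"

# Constructed sample listing: two flagged APKs plus benign system packages.
# Package names are made up for the demo.
SAMPLE_LISTING='package:/system/app/PriLauncher/PriLauncher.apk=com.pri.launcher
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/PriLauncher3QuickStep/PriLauncher3QuickStep.apk=com.pri.launcher3
package:/product/app/Calendar/Calendar.apk=com.android.calendar'

# scan_package_list: reads a package listing on stdin and prints one
# "SUSPECT <path> (<package>)" line per match. Exit status 0 if anything
# matched, 1 otherwise, so it can drive a fleet-wide check.
scan_package_list() {
    matches=0
    while IFS= read -r line; do
        case "$line" in
            package:*) entry="${line#package:}" ;;
            *) continue ;;          # skip blank or unexpected lines
        esac
        apk_path="${entry%%=*}"     # everything before the first '='
        pkg_name="${entry#*=}"      # everything after it
        base=$(basename "$apk_path")
        for ioc in $KEENADU_APK_NAMES; do
            if [ "$base" = "$ioc" ]; then
                printf 'SUSPECT %s (%s)\n' "$apk_path" "$pkg_name"
                matches=$((matches + 1))
            fi
        done
    done
    [ "$matches" -gt 0 ]
}

# count_suspects: number of flagged entries in a listing read from stdin.
count_suspects() {
    scan_package_list | grep -c '^SUSPECT' || true
}

# Stand-alone demo on the constructed sample: ./scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | scan_package_list
fi
```

Matching on the APK file name alone is deliberately simple; the same loop can be extended to compare the file's hash against published indicators once those are available, and the nonzero exit status on a match makes it easy to wrap in a loop over `adb devices` output for a fleet check.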

How to Protect Yourself

To mitigate the risks associated with Keenadu, users should install updated firmware as soon as it becomes available from their device manufacturers. Until then, organizations should consider restricting access to corporate networks for affected models. Regularly monitor devices for any unusual activity and ensure that security measures are in place.

Sophos recommends following their guidelines outlined in article KBA-000047016 for further protection. Users should also stay informed about any new developments related to this malware to ensure their devices remain secure.

🔒 Pro insight: The integration of Keenadu during the firmware build phase highlights vulnerabilities in the supply chain that need urgent attention.

Original article from Sophos News
