Multiple brands of Android tablets shipped with built-in malware (Updated: Google statement)

Update, February 17, 2026 (02:35 PM ET): After the publication of the original article below, a Google spokesperson reached out to us with the following statement:

“Android users are automatically protected from known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users and disable apps known to exhibit Keenadu associated behavior, even when those apps come from sources outside of Play. As a best security practice, we recommend users ensure their device is Play Protect certified.”

The Kaspersky research highlighted that the Keenadu malware wasn’t found only in firmware builds, and Google further reassured us that all three malicious apps identified in the report on Google Play have been removed. If you want to double-check that your device is Google Play Protect certified, you can find out how here.

Original article, February 17, 2026 (01:18 PM ET):  Worrying as it may be, at least most Android malware spreads through shady apps or dodgy downloads, giving you a semblance of autonomy over whether you get infected by it or not. But security researchers say they’ve found something more unsettling: a backdoor built directly into the firmware of certain Android tablets before they even reached users.

According to a report highlighted by Help Net Security, Kaspersky researchers uncovered a new Android backdoor named Keenadu, embedded in the firmware of tablets from multiple manufacturers. Rather than infecting devices after purchase, the malware appears to have been baked into the software of the tablets from the start during the firmware build process.

Once active, the backdoor injects itself into Android’s Zygote process, which is a core system process that launches every app on your device. That gives whoever is controlling it sweeping visibility and control across the system. Researchers say Keenadu can download additional modules capable of redirecting browser searches, tracking app installs for profit, and interacting with advertising elements. Operating at this level gives it far more reach than a typical malicious app.

One confirmed example involves firmware images for the Alldocube iPlay 50 mini Pro tablet. Researchers said every version they examined contained the backdoor, including releases issued after the vendor had acknowledged malware reports. The firmware files carried valid digital signatures, suggesting the issue wasn’t caused by someone tampering with updates after the fact. Instead, the evidence points to a supply-chain compromise, meaning malicious code was likely introduced at some point during the software development or build process.

Kaspersky says 13,715 users worldwide have encountered Keenadu or its modules, with the highest numbers recorded in Russia, Japan, Germany, Brazil, and the Netherlands. The company also linked the threat to other known Android botnet families, including Triada, BadBox, and Vo1d.

Scary as it sounds, this doesn’t appear to be an issue affecting major flagship Android brands. The confirmed example centers on a lesser-known tablet manufacturer, and most affected vendors have not been publicly named. If you own a budget Android tablet — especially from a smaller or unfamiliar brand — it’s worth checking for software updates and installing them as soon as they become available. Researchers say vendors have been notified and are likely working on clean firmware updates.