Overview
- Kaspersky’s analysis shows Keenadu is inserted into libandroid_runtime.so and injects itself via the Zygote process, so it runs inside every app.
- Keenadu spreads through signed OTA firmware, preinstalled and system apps, third‑party downloads, and apps on Google Play and Xiaomi GetApps that have since been removed.
- Impacted hardware includes Alldocube iPlay 50 mini Pro tablets; the firmware signatures validate, which indicates the malware was inserted during the build phase rather than through post-release tampering.
- While currently used largely for ad fraud—such as clickers, search hijacking, and install monetization—the platform can silently install APKs, abuse permissions, and enable full device takeover.
- Kaspersky reports roughly 13,000–13,715 detections worldwide; vendors have been notified, Google says Play Protect blocks known variants, and remediation may require clean firmware flashes or device replacement.