TL;DR
- Researchers found a firmware-level Android backdoor called Keenadu preinstalled on certain tablets before sale.
- The malware injects into Android’s Zygote process, giving attackers broad control over apps and data on the tablets.
- Google says that Android users are automatically protected from known versions of this malware by Google Play Protect.
Update, February 17, 2026 (02:35 PM ET): After the publication of the original article below, a Google spokesperson reached out to us with the following statement:
“Android users are automatically protected from known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users and disable apps known to exhibit Keenadu associated behavior, even when those apps come from sources outside of Play. As a best security practice, we recommend users ensure their device is Play Protect certified.”