Low-cost Android tablets are popular for being "cheap and high-performance!" However, in February 2026, the security company Kaspersky made a shocking announcement: some cheap tablets were shipped from the factory with malware (malicious software) already loaded.
Its name is “Keenadu”. It is a backdoor that hides in the core of the Android system and does not disappear even after initialization (a factory reset). As of February 2026, more than 13,700 devices around the world have been confirmed to be infected, and Japan is said to be the second most affected country after Russia.
In this article, we explain in an easy-to-understand manner what Keenadu is, which devices are affected, how to check whether your tablet is infected, and what to do immediately.
What is Keenadu? Why is it “infected at the time of purchase”?
Keenadu is a backdoor embedded in a core Android library (libandroid_runtime.so). Kaspersky published a detailed report on February 17, 2026.
Roughly speaking, it is a parasite on Android's "boot base" itself. On Android, a process called "Zygote" is responsible for launching all apps. Keenadu infiltrates this mechanism and so ends up running inside every app on the device.
Moreover, the infected firmware (the basic software of the device) carries a genuine digital signature. In other words, there is a high possibility that the malware was introduced during the firmware development and build stage, rather than through a suspicious app installed by the user.
According to Kaspersky's research, a developer file path in Chinese (D:\work\git\zh\os\ak-client\) was left behind in the malware's code, suggesting that this is a coordinated attack.
What happens if you get infected with Keenadu? 3 main types of damage
Although the term "backdoor" may sound scary, Keenadu's main purpose is advertising fraud. However, since it is a backdoor, there are risks beyond that.
1. Automatic clicking and display of advertisements
Infected devices click and display advertisements in the background without permission. This happens invisibly to the user, but users may notice symptoms such as the battery draining abnormally quickly or a sudden increase in data traffic.
2. Browser search engine changes automatically
It hijacks the browser's default search engine and replaces it with a search service that makes money for the attacker. Be careful if the search screen looks different from usual.
3. Collection of personal information/remote control
Since this is a backdoor, an attacker may be able to send commands remotely and manipulate the device. According to BleepingComputer's report, there are also cases in which SNS (social media) account information, especially Instagram, is targeted.
Which models are affected? Summary of impact by manufacturer
As of March 1, 2026, the main manufacturers and models for which infections have been confirmed or reported are as follows. The common feature is that many of them are cheap tablets equipped with the MediaTek Helio G99 chip.
ALLDOCUBE (4 officially acknowledged affected models)
- iPlay 50 mini Pro (8GB+128GB / 8GB+256GB, Android 13)
- iPlay 60 mini Pro (8GB+128GB, Android 14)
- iPlay 60 Pro (8GB+128GB, Android 14)
- iPlay 70 Pro (6GB+256GB, Android 14)
According to Buzzap!'s report, ALLDOCUBE has announced that it will distribute fixed firmware via OTA update by March 5, 2026.
Headwolf / Alphawolf
- FPad 5 / FPad 5A (reported by users)
- FPad 6 (reported by users)
On the other hand, no problems have been confirmed with the Titan 1, FPad 7, and FPad 6E. Details are reported in Buzzap!'s follow-up article.
Other manufacturers
Similar issues have been reported with other budget tablet manufacturers, including Teclast and Hitabt. In Garumax's verification article, infection was also confirmed on the Hitabt P30A, which was sold at a fire-sale price.
Point: Even if your device is not on the list above, if you are using a cheap Chinese tablet (especially one equipped with the Helio G99) purchased between 2023 and 2025, we recommend that you check it just in case.
How to check if your tablet is infected
If you're wondering, "Maybe my tablet is also...?", you can check it using the following methods.
Method 1: Scan with Dr.Web
The free antivirus app "Anti-virus Dr.Web Light" supports Keenadu detection.
- Install "Dr.Web Light" from Google Play
- Start the app and grant the "access to all files" permission
- Update the virus database
- Run "Full Scan"
If "Android.Backdoor.Keenadu" is displayed as the detection name, the device is infected.
Method 2: Scan with Kaspersky
Mobile Security from Kaspersky, which first discovered Keenadu, also supports detection. However, it is not distributed on Google Play, so you need to download and install the APK from Kaspersky's official website.
Method 3: Check Google Play Protect
Google responded to Android Authority by saying, "On devices with Play Protect enabled, known Keenadu-related behavior can be detected and disabled."
- Open Google Play Store
- Tap the profile icon in the top right → “Play Protect”
- Tap “Scan” to run the check
However, there are cases where Play Protect alone cannot detect it, so we recommend also using Dr.Web or Kaspersky.
5 things to do if you are infected
Unfortunately, Keenadu is embedded into the core of the system and cannot be removed by normal initialization (factory reset). Please try the following solutions in order.
1. Apply manufacturer updates (highest priority)
ALLDOCUBE plans to distribute revised firmware via OTA by March 5, 2026. Check for updates by going to Settings → System → Software Update. The most reliable solution is to get a fix from the manufacturer.
2. Turn off Wi-Fi until the update arrives
Until a fix update is available, it is safest to turn off Wi-Fi and mobile data and disconnect your device from the network. Since Keenadu receives commands via the Internet, damage can be minimized by going offline.
3. Change passwords for important accounts
From another device (smartphone or PC), change the passwords for the SNS, email, banking apps, etc. that you logged in to on the infected device. Be especially careful with Instagram and Google accounts. Also set up two-factor authentication.
4. Manually flash clean firmware (for advanced users)
If you can't wait for the manufacturer's fix, you can download clean firmware from a trusted source and flash it manually using a tool such as SP Flash Tool. However, this is recommended only for advanced users, as there is a risk that the device will no longer start if flashing fails.
5. Consider returns/exchanges
If it has been a while since you purchased the item, or if you are concerned about the manufacturer's response, one option is to contact the place of purchase (Amazon, etc.) about returning or exchanging the item. There have also been reports of Amazon accepting returns due to "problems with the product."
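For advanced users, one way to confirm that an update really replaced the system library where Keenadu lives, while a factory reset leaves it untouched. This is an added example, not a tool from Kaspersky or any manufacturer; it assumes adb is installed, USB debugging is enabled, and the library is readable at the standard Android paths shown. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: compare libandroid_runtime.so before and after an update.
# Usage: pull_snapshot before; <apply OTA or reset>; pull_snapshot after;
#        compare_snapshots before after

# Standard locations of the library (assumption: readable without root).
LIB_PATHS="/system/lib64/libandroid_runtime.so /system/lib/libandroid_runtime.so"

# Pull the library and the build fingerprint from the device into directory $1.
pull_snapshot() {
    out_dir=$1
    mkdir -p "$out_dir"
    adb shell getprop ro.build.fingerprint | tr -d '\r' > "$out_dir/fingerprint.txt"
    for p in $LIB_PATHS; do
        # The 32-bit or 64-bit copy may be absent; ignore a failed pull.
        adb pull "$p" "$out_dir/$(echo "$p" | tr '/' '_')" >/dev/null 2>&1 || true
    done
}

# Print "sha256  name" for every pulled .so file in snapshot directory $1.
hash_snapshot() {
    (cd "$1" && sha256sum ./*.so 2>/dev/null | sort -k2)
}

# Compare two snapshot directories.
# Prints one of: unchanged | replaced | no-library
compare_snapshots() {
    before=$(hash_snapshot "$1")
    after=$(hash_snapshot "$2")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "no-library"      # nothing was pulled; the check is inconclusive
    elif [ "$before" = "$after" ]; then
        echo "unchanged"       # same bytes: the system library was not touched
    else
        echo "replaced"        # the update wrote a different library
    fi
}
```

A result of "replaced" only shows that the library changed, not that the new one is clean, so still run a full scan with Dr.Web or Kaspersky afterwards.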
Three points for safely choosing a cheap tablet
After this incident, you may be thinking, "I'm too scared to buy cheap tablets..." But not all cheap tablets are dangerous. Here are some tips for choosing safely.
1. Select a Google “Android Enterprise Recommended” certified model
There is a list of devices that Google has certified for businesses as "meeting security requirements." It includes many products from major manufacturers such as Samsung, Lenovo, and Xiaomi, so the risk of firmware-level tampering is low.
2. Check for Japan's Technical Conformity Mark and an official sales channel
Be wary of unknown brands on Amazon etc. where the only "seller" is an overseas vendor. Choose a manufacturer that has a reliable official website and support desk.
3. Run a security scan immediately after purchase
When you get a new tablet, make it a habit to run a full scan with Dr.Web or Kaspersky immediately after initial setup. This incident makes it clear that a device is not necessarily safe just because it is brand new.
FAQ
If I have been infected with Keenadu, has my personal information already been leaked?
It's possible. Since Keenadu is a backdoor, it was able to access data on the device. If infection is confirmed, change your passwords and set up two-factor authentication from another device. If you have saved your credit card information on your tablet, we recommend that you contact your credit card company.
Will it disappear if I initialize (factory reset)?
It won't disappear. Keenadu is embedded in the firmware (the deepest part of the device's system) and cannot be removed through normal initialization. An update to the corrected firmware provided by the manufacturer is required.
Can smartphones also be infected?
As of March 2026, Keenadu infections are mainly confirmed on tablets. However, Kaspersky reports that related modules were also found in some apps on Google Play, so it is a good idea to run a security scan on your Android smartphone just in case.
What should I do if I don't receive a fix update for ALLDOCUBE?
The firmware is to be delivered via OTA by March 5, 2026, but if it does not arrive, you may be able to manually download the firmware from ALLDOCUBE's official website. If that doesn't solve the problem, consider returning or exchanging the device at the place of purchase.
References
- Keenadu the tablet conqueror and the links between major Android botnets — Kaspersky Securelist, February 17, 2026
- Backdoor malware "Keenadu" mixed in ALLDOCUBE's cheap tablets may cause information leakage — Buzzap!, February 26, 2026
- Is FPad 6 and other devices affected by "Keenadu" malware in Headwolf? — Buzzap!, February 27, 2026
- Multiple brands of Android tablets shipped with built-in malware — Android Authority, February 2026
- New Keenadu backdoor found in Android firmware, Google Play apps — BleepingComputer, February 2026






