The researchers stated that the threat has already affected users across multiple countries, with Kaspersky detecting over 13,000 infected devices as of February. “The highest numbers of the attacked users have been observed in Russia, Japan, Germany, Brazil, and the Netherlands, but other countries have been affected as well,” Kaspersky researchers added in a blog post.
Preinstalled malware runs with elevated privileges
Kaspersky reported that Keenadu can arrive on new devices, already embedded in system software, allowing it to run with high privileges from the moment the device is activated. Because the malicious components are present in firmware rather than installed later as apps, affected users may have limited ability to detect or remove them through conventional means.
“Without any actions on the user side, a device can be infected right out of the box,” Kaspersky security researcher Dmitry Kalinin said in a statement in the blog post. “Vendors likely didn’t know about the supply chain compromise that resulted in Keenadu infiltrating devices, as the malware was imitating legitimate system components. It is important to check every stage of the production process to ensure that device firmware is not infected.”