Android devices ship with firmware-level malware
ID: 1879cacd-935c-553c-8348-4a165ba4bb0b
STIX ID: report--1879cacd-935c-553c-8348-4a165ba4bb0b
Feed Name: Sophos Blogs
In late February 2026 SophosLabs identified Keenadu, a firmware-level Android backdoor embedded in libandroid_runtime.so and in trojanized system launchers (PriLauncher.apk / PriLauncher3QuickStep.apk) on low-cost devices spanning roughly 50 models and 40 countries. Because it is injected into the Zygote process, Keenadu runs inside every app on the device. It acts as a downloader for additional modules (clickers, ad-fraud, browser targeting), and the infection is attributed to a build-phase supply-chain compromise. The report includes IOCs (file hashes, C2 domains and IPs), a list of impacted manufacturers, and mitigation guidance that covers firmware updates and restricting affected models from corporate networks.
