Keenadu firmware backdoor infects Android tablets via signed OTA update

February 17, 2026
A new Android backdoor built deep into a device’s firmware can silently collect data and remotely control its operations, according to new findings from Kaspersky Lab.

The Russian cybersecurity vendor said it discovered a backdoor called Keenadu in the firmware of devices sold under various brands, including Alldocube, and that the compromise occurred at the firmware build stage. Keenadu was detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023. In each case, the backdoor is embedded within the tablet’s firmware, and the firmware file carries a valid digital signature. The names of the other vendors were not disclosed.

“In some cases, compromised firmware was delivered via OTA updates,” security researcher Dmitry Kalinin said in a thorough analysis published today. “A copy of the backdoor is loaded into the address space of every app upon startup. The malware is a multi-stage loader, giving the operator the ability to remotely control the victim’s device without restriction.”

Some of the payloads obtained by Keenadu allow it to hijack browser search engines, monetize new app installs, and covertly interact with advertising elements. One of the payloads was found embedded in multiple standalone apps distributed through third-party repositories and official app marketplaces such as Google Play and Xiaomi GetApps.

According to telemetry data, 13,715 users around the world have encountered Keenadu or its modules, with the majority of users located in Russia, Japan, Germany, Brazil, and the Netherlands being attacked by this malware.

Keenadu was first disclosed by Kaspersky Lab in late December 2025 and was described as a backdoor embedded in libandroid_runtime.so, a critical shared library in the Android operating system that is loaded at startup. Once activated on an infected device, it injects itself into the Zygote process. The same behavior is observed in another Android malware family, Triada.

The malware is invoked by a function call added to libandroid_runtime.so, which then checks to see if the malware is running within a Google service or a system app belonging to a mobile carrier such as Sprint or T-Mobile. If so, execution is aborted. It also has a kill switch that terminates itself if it finds a file with a specific name in the system directory.

“Next, the Trojan checks whether it is running within the system_server process,” Kalinin said. “This process has system-wide control and maximum privileges. It is started when the Zygote process starts.”

If this check succeeds, the malware creates an instance of the AKServer class; otherwise, it creates an instance of the AKClient class. The AKServer component contains the core logic and the command-and-control (C2) mechanism, while AKClient is injected into every app launched on the device and acts as a bridge for interacting with AKServer.

This client-server architecture allows AKServer to execute custom malicious payloads tailored to the specific targeted app. AKServer also exposes a second interface that malicious modules downloaded in the context of other apps can use to grant or revoke permissions for any app on the device, obtain the current location, and leak device information.

The AKServer component performs a series of checks and terminates the malware if the interface language is Chinese and the device is in a Chinese time zone, or if the Google Play Store or Google Play Services are not present on the device. Once the necessary criteria are met, the Trojan decrypts the C2 address and sends the device’s metadata in encrypted form to the server.

In response, the server returns an encrypted JSON object containing details about the payload. However, in what appears to be an attempt to complicate analysis and evade detection, additional checks built into the backdoor prevent the C2 server from serving the payload until 2.5 months after the initial check-in.

“The attacker’s server delivers information about the payload as an object array,” Kaspersky explained. “Each object contains the payload download link, its MD5 hash, the target app’s package name, the target process name, and other metadata. Of note is that the attackers chose Amazon AWS as their CDN provider.”

Some of the identified malicious modules are listed below.

  • Keenadu loader. It targets popular online stores such as Amazon, Shein, and Temu and delivers unspecified payloads; it is suspected of adding items to the app’s shopping cart without the victim’s knowledge.
  • Clicker loader. It is inserted into YouTube, Facebook, Google Digital Wellbeing, and the Android system launcher to deliver a payload that can interact with advertising elements on gaming, recipe, and news websites.
  • Google Chrome module. It targets the Chrome browser to hijack search requests and redirect them to another search engine. Note that the hijacking attempt may fail if the victim selects an option from the autocomplete suggestions shown for the keywords typed in the address bar.
  • Nova clicker. It is embedded within the system’s wallpaper picker and uses machine learning and WebRTC to interact with advertising elements. The same component was codenamed Phantom in an analysis published by Doctor Web last month.
  • Install monetization. Built into system launchers, it monetizes app installs by tricking advertising platforms into believing the app was installed from a legitimate ad tap.
  • Google Play module. It obtains the Google Ads advertising ID and stores it under the key “S_GA_ID3”, which may be used by other modules to uniquely identify the victim.
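The payload manifest described above (an object array naming each module’s download link, MD5, target package and target process, served from AWS) is something an analyst will want to parse and triage once decrypted. The following is an added, defender-side example and not Kaspersky’s or the malware’s code: the JSON key names (url/md5/pkg/proc) and the manifest contents are assumptions constructed for illustration, and the flagged target packages are the real package IDs of apps the module list names.

```python
import hashlib
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# Real package names of apps the article names as payload targets.
ARTICLE_TARGETS = {"com.android.chrome", "com.google.android.youtube",
                   "com.google.android.apps.wellbeing"}
# Constructed stand-in for a downloaded module; its MD5 feeds the sample manifest.
CONSTRUCTED_BLOB = b"constructed payload bytes, not real malware"
# Constructed manifest; the key names url/md5/pkg/proc are assumptions.
SAMPLE_MANIFEST = json.dumps([
    {"url": "https://example-bucket.s3.amazonaws.com/m1.bin",
     "md5": hashlib.md5(CONSTRUCTED_BLOB).hexdigest(),
     "pkg": "com.android.chrome", "proc": "com.android.chrome"},
    {"url": "https://cdn.example.invalid/m2.bin", "md5": "0" * 32,
     "pkg": "android", "proc": "system_server"},
])

@dataclass(frozen=True)
class PayloadEntry:
    url: str
    md5: str
    package: str
    process: str

def parse_manifest(text: str) -> list[PayloadEntry]:
    """Parse the decrypted manifest array into typed entries; reject malformed MD5s."""
    entries = []
    for obj in json.loads(text):
        md5 = str(obj["md5"]).lower()
        if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5):
            raise ValueError(f"malformed md5 in manifest entry: {obj}")
        entries.append(PayloadEntry(obj["url"], md5, obj["pkg"], obj["proc"]))
    return entries

def payload_matches(entry: PayloadEntry, blob: bytes) -> bool:
    """Tie a captured download to its manifest entry by the MD5 the loader checks."""
    return hashlib.md5(blob).hexdigest() == entry.md5

def triage(entry: PayloadEntry) -> set[str]:
    # Each flag maps to a trait the article describes: AWS hosting,
    # system_server as target process, or a known targeted app package.
    flags = set()
    host = urlparse(entry.url).hostname or ""
    if host.endswith((".amazonaws.com", ".cloudfront.net")):
        flags.add("aws-hosted")
    if entry.process == "system_server":
        flags.add("targets-system_server")
    if entry.package in ARTICLE_TARGETS:
        flags.add("known-target-app")
    return flags
```

Feeding a real decrypted manifest into parse_manifest and the captured downloads into payload_matches gives a hunting list of URLs, hashes and injected-into packages that can be checked against telemetry.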

Kaspersky said it has also identified other Keenadu distribution vectors: embedding the Keenadu loader within various system apps, such as facial recognition services and system launchers, and shipping the Keenadu loader in the firmware of some devices. The same tactic was observed in another Android malware known as Dwphon, which was integrated into a system app responsible for OTA updates.

The second method involves a Keenadu loader artifact designed to operate on systems where the system_server process has already been compromised by another pre-installed backdoor that shares similarities with BADBOX. That’s not all. Keenadu has also been found propagating through trojanized smart camera apps on Google Play.

The apps, published by the developer Hangzhou Denghong Technology Co., Ltd., are:

  • Eoolii (com.taismart.global) – 100,000+ downloads
  • Ziicam (com.ziicam.aws) – 100,000+ downloads
  • Eyeplus – The Home in Your Eyes (com.closeli.eyeplus) – 100,000+ downloads

These apps are no longer available for download from Google Play, but the developer has also published the same set of apps on the Apple App Store. It is unclear whether the iOS version includes Keenadu functionality. Hacker News has reached out to Kaspersky for comment and will update the article if we hear back. That said, Keenadu is believed to be primarily designed to target Android tablets.

Further analysis also revealed infrastructure connections between Triada and BADBOX, as BADBOX acts as a distribution vector for Keenadu in some cases, indicating that these botnets are interacting with each other. In March 2025, HUMAN announced that it had identified overlap between BADBOX and Vo1d, an Android malware that targets unbranded Android-based TV boxes.

Keenadu’s discovery is troubling for two main reasons.

When malware is embedded in libandroid_runtime.so, it runs within the context of every app on the device. This gives it covert access to all app data and defeats the sandboxing of Android apps. The malware can bypass the permission model the operating system uses to control what apps may access, turning it into a backdoor that gives attackers unfettered access to and control over a compromised device.

“The developers of backdoors pre-installed in the firmware of Android devices have always distinguished themselves with their high level of expertise,” Kaspersky concluded. “This is also true for Keenadu. The malware authors have a deep understanding of Android architecture, the app launch process, and the core security principles of the operating system.”

“Keenadu is a large and complex malware platform that provides attackers with unrestricted control over victims’ devices. Currently, our evidence indicates that this backdoor is primarily used for various types of ad fraud, but we do not exclude the possibility that malware may follow in Triada’s footsteps and begin stealing credentials in the future.”
