Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates

A New Android Backdoor Discovered in Device Firmware by Kaspersky

Kaspersky has uncovered a new Android backdoor, named Keenadu, embedded deep within device firmware. The backdoor silently harvests data and lets its operators control device behavior remotely. Compromised firmware has been found in devices sold under various brands, including Alldocube; the earliest sample Kaspersky identified is Alldocube iPlay 50 mini Pro firmware dated August 18, 2023. The tablet firmware files carrying the backdoor bear valid digital signatures, so signature verification alone does not reveal the compromise.

According to security researcher Dmitry Kalinin, the compromised firmware containing Keenadu was delivered as an OTA update. The malware operates as a multi-stage loader that gives its operators unrestricted remote control over the victim's device. Among the payloads Keenadu retrieves are ones that hijack the browser's search engine, monetize new app installs, and interact stealthily with advertising elements.

Telemetry data indicates that Keenadu has affected 13,715 users globally, with most detections reported in Russia, Japan, Germany, Brazil, and the Netherlands.

Technical Details of Keenadu Backdoor

Initially disclosed by Kaspersky in late December 2025, Keenadu lives in libandroid_runtime.so, a core shared library of the Android operating system. Because that library is loaded by the Zygote process during boot, and every app process is forked from Zygote, the backdoor inherits a foothold in every app on the infected device. This is the same technique used by another Android malware family, Triada.

Keenadu uses a client-server architecture: the AKServer component holds the core logic and command-and-control mechanisms, while AKClient is injected into every app launched on the device. This split lets the operators run tailored malicious payloads inside specific apps, grant or revoke permissions, track the device's location, and exfiltrate device information.

The C2 server sends the malware encrypted JSON objects describing the payloads to fetch. It withholds payloads for roughly 2.5 months after a device's first check-in, which defeats short-lived sandbox and lab analysis and delays detection. The payloads themselves are hosted on Amazon AWS, which further complicates analysis.
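The two points above that matter most to a defender are that the backdoored firmware is validly signed and that the backdoor sits in a library Zygote maps into every app. The following is an added example, not code from Kaspersky's report or from any vendor, showing why a passing signature check is necessary but not sufficient, and the check that does surface a swapped libandroid_runtime.so: a per-file hash diff against a known-good (golden) firmware manifest, with Zygote-loaded libraries ranked as critical. The signing key, file contents and library list are constructed; an HMAC stands in for the vendor's asymmetric OTA signature only to model "whoever holds the key signed this image".

```python
"""Added example: a valid OTA signature proves only that the signing key was
used, not that the image is clean. A golden-image diff finds the swapped
libandroid_runtime.so that the signature check waves through.
All images, keys and file contents below are constructed."""

import hashlib
import hmac

# Hypothetical stand-in for the vendor's OTA signing key. Real OTA packages use
# asymmetric signatures; HMAC is used here only to model "whoever holds the key
# signed this image", which is exactly the situation with backdoored firmware.
VENDOR_SIGNING_KEY = b"constructed-vendor-ota-key"

# Libraries loaded into Zygote at boot and therefore inherited by every app it
# forks. A change here lands in every app process, unlike a change to one app.
ZYGOTE_LOADED_LIBS = frozenset({
    "/system/lib64/libandroid_runtime.so",
    "/system/lib64/libbinder.so",
    "/system/lib64/libart.so",
})


def manifest(image):
    """Map each path in a firmware image ({path: bytes}) to its SHA-256."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in sorted(image.items())}


def canonical_bytes(image):
    """Deterministic serialisation of the manifest; this is what gets signed."""
    return "\n".join(f"{p} {h}" for p, h in manifest(image).items()).encode()


def sign_image(image, key):
    """Sign the whole image (as the vendor, or the key holder, would)."""
    return hmac.new(key, canonical_bytes(image), hashlib.sha256).hexdigest()


def verify_image(image, signature, key):
    """The check an OTA client performs: true for anything the key signed."""
    return hmac.compare_digest(sign_image(image, key), signature)


def diff_against_golden(golden_image, suspect_image):
    """Return {path: status} for every file that differs from the golden
    build, where status is 'modified', 'added' or 'removed'."""
    golden, suspect = manifest(golden_image), manifest(suspect_image)
    changes = {}
    for path in golden.keys() | suspect.keys():
        if path not in suspect:
            changes[path] = "removed"
        elif path not in golden:
            changes[path] = "added"
        elif golden[path] != suspect[path]:
            changes[path] = "modified"
    return changes


def triage(changes):
    """Rank the diff: anything touching a Zygote-loaded library is critical,
    because the modification is inherited by every app on the device."""
    return {path: ("critical" if path in ZYGOTE_LOADED_LIBS else "review")
            for path in changes}


# Constructed golden build, and a suspect build that differs only in
# libandroid_runtime.so, the shape of a firmware-level backdoor.
GOLDEN_IMAGE = {
    "/system/lib64/libandroid_runtime.so": b"\x7fELF clean runtime",
    "/system/lib64/libbinder.so": b"\x7fELF binder",
    "/system/lib64/libart.so": b"\x7fELF art",
    "/system/app/Launcher/Launcher.apk": b"PK launcher",
}
SUSPECT_IMAGE = dict(GOLDEN_IMAGE)
SUSPECT_IMAGE["/system/lib64/libandroid_runtime.so"] = b"\x7fELF runtime + loader stub"

# The suspect image carries a valid signature from the vendor key ...
SUSPECT_SIGNATURE = sign_image(SUSPECT_IMAGE, VENDOR_SIGNING_KEY)
assert verify_image(SUSPECT_IMAGE, SUSPECT_SIGNATURE, VENDOR_SIGNING_KEY)

# ... and only the golden diff tells the two builds apart.
CHANGES = diff_against_golden(GOLDEN_IMAGE, SUSPECT_IMAGE)
SEVERITY = triage(CHANGES)

if __name__ == "__main__":
    for path, status in sorted(CHANGES.items()):
        print(f"{SEVERITY[path]:>8}  {status:<8}  {path}")
```

In practice the golden manifest comes from the vendor's reference build or from a known-clean device of the same model and firmware version, and the suspect hashes come from the extracted OTA package or from the system partition of the device under investigation. Any difference in a library Zygote loads deserves a full reverse-engineering pass regardless of what the signature check says.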

Identified Malicious Modules

Malicious modules identified as part of Keenadu include the Keenadu loader, a Clicker loader, a Google Chrome module, the Nova clicker, an install-monetization module, and a Google Play module. These modules target popular apps and online platforms with payloads that interact with advertising elements and monetize user activity.

Keenadu Distribution Vectors

Kaspersky identified several distribution vectors for Keenadu, including embedding the loader in firmware-bundled system apps such as facial recognition services and system launchers. The malware has also been spread through trojanized smart camera apps on Google Play.

Additionally, connections between Triada, BADBOX, and Keenadu have been observed, indicating that these botnets interact with one another. Keenadu is particularly concerning because it is embedded in libandroid_runtime.so: it runs inside every app process, cannot be removed by uninstalling an app or performing a factory reset, and gives attackers unrestricted access to and control over compromised devices.

Overall, Keenadu is a sophisticated malware platform whose current payloads focus on ad fraud and install monetization but whose access would equally support credential theft and other malicious activity in the future. The deep understanding of Android internals its creators display underscores the severity of the threat.