Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates
Source: The Hacker News

Overview
A new Android backdoor embedded deep into device firmware can silently harvest data and remotely control the device, according to findings from Kaspersky. The Russian cybersecurity vendor discovered the backdoor, dubbed Keenadu, in the firmware of devices from various brands, including Alldocube. The compromise occurs during the firmware‑build phase, and Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to 18 August 2023. In all cases, the backdoor is embedded within tablet firmware, and the firmware files carry valid digital signatures. The names of the other vendors were not disclosed.
“In several instances, the compromised firmware was delivered with an OTA update,” security researcher Dmitry Kalinin said in an exhaustive analysis published today. “A copy of the backdoor is loaded into the address space of every app upon launch. The malware is a multi‑stage loader granting its operators the unrestricted ability to control the victim’s device remotely.”
Some of the payloads retrieved by Keenadu allow it to hijack the browser’s search engine, monetize new app installs, and stealthily interact with ad elements. One payload has been found embedded in several standalone apps distributed via third‑party repositories as well as official marketplaces like Google Play and Xiaomi GetApps.
Telemetry data suggests that 13,715 users worldwide have encountered Keenadu or its modules, with the majority located in Russia, Japan, Germany, Brazil, and the Netherlands.

Keenadu was first disclosed by Kaspersky in late December 2025, describing it as a backdoor in libandroid_runtime.so, a critical shared library loaded during boot. Once active, it is injected into the Zygote process—a behavior also observed in the Android malware Triada.
The malware is invoked by a function call added to libandroid_runtime.so, after which it checks whether it is running within system apps belonging to Google services or cellular carriers such as Sprint or T‑Mobile. If so, execution is aborted. It also includes a kill‑switch that terminates itself if certain files are found in system directories.
“Next, the Trojan checks if it is running within the system_server process,” Kalinin said. “This process controls the entire system and possesses maximum privileges; it is launched by the Zygote process when it starts.”
If the check succeeds, the malware creates an instance of the AKServer class; otherwise, it creates an instance of AKClient. AKServer contains the core logic and command‑and‑control (C2) mechanism, while AKClient is injected into every launched app and serves as the bridge to AKServer.
This client‑server architecture enables AKServer to execute custom malicious payloads tailored to the targeted app. AKServer also exposes an interface that malicious modules downloaded within other apps can use to grant or revoke permissions to arbitrary apps, obtain the device’s location, and exfiltrate information.
The AKServer component runs a series of checks that cause the malware to terminate if the interface language is Chinese and the device is in a Chinese time zone, or if Google Play Store/Google Play Services are absent. Once the criteria are satisfied, the Trojan decrypts the C2 address and sends encrypted device metadata to the server.

In response, the server returns an encrypted JSON object with payload details. An added check prevents the C2 server from serving any payloads until 2.5 months have elapsed since the initial check‑in.
“The attacker’s server delivers information about the payloads as an object array,” Kaspersky explained. “Each object contains a download link for the payload, its MD5 hash, target app package names, target proces”
The attackers chose Amazon AWS as their CDN provider.
Identified Malicious Modules
- Keenadu loader – Targets popular online storefronts (Amazon, Shein, Temu) to deliver unspecified payloads; suspected of adding items to shopping carts without the victim’s knowledge.
- Clicker loader – Injected into YouTube, Facebook, Google Digital Wellbeing, and Android System Launcher to deliver payloads that interact with advertising elements on gaming, recipes, and news websites.
- Google Chrome module – Hijacks Chrome search requests and redirects them to a different search engine. The hijack may fail if the victim selects an autocomplete suggestion.
- Nova clicker – Embedded within the system wallpaper picker; uses machine‑learning and WebRTC to interact with advertising elements. The same component was codenamed Phantom by Doctor Web in a recent analysis.
- Install monetization – Embedded into the system launcher; monetizes app installations by deceiving advertising platforms into believing an app was installed from a legitimate ad tap.
- Google Play module – Retrieves the Google Ads advertising ID and stores it under the key S_GA_ID3 for likely use by other modules to uniquely identify a victim.
Distribution Vectors
- System‑app embedding – Kaspersky observed the Keenadu loader embedded in various system apps (e.g., facial‑recognition service, system launcher) in the firmware of several devices. This mirrors the tactic of Android malware Dwphon, which was integrated into system apps responsible for OTA updates.
- Pre‑installed backdoor – A Keenadu loader artifact can operate on a system where the system_server process has already been compromised by a different pre‑installed backdoor that shares similarities with BADBOX.
- Trojanized smart‑camera apps – Keenadu has also been propagated via trojanized apps for smart cameras on Google Play.
Affected Apps (Published by Hangzhou Denghong Technology Co., Ltd.)
| App | Package | Downloads |
|---|---|---|
| Eoolii | com.taismart.global | 100,000+ |
| Ziicam | com.ziicam.aws | 100,000+ |
| Eyeplus – Your home in your eyes | com.closeli.eyeplus | 100,000+ |
These apps are no longer available on Google Play, but the developer has published the same set to the Apple App Store. It is unclear whether the iOS counterparts contain Keenadu functionality.
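A quick triage helper for the three package names in the table above, written as an added example for this summary rather than code from Kaspersky or The Hacker News. It parses the output of `adb shell pm list packages -f` (the `package:<apk path>=<package name>` format; the plain `package:<name>` format from `pm list packages` is accepted too) and, for every known-affected package found, reports whether the APK lives on a firmware partition or under /data, since the article notes Keenadu loaders are seen both in system apps shipped with firmware and in user-installed apps. The sample output embedded below is constructed; only the package names come from the article.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Package names of the three Google Play apps named in the article, keyed to
# their listed app names.
KNOWN_AFFECTED_PACKAGES: Dict[str, str] = {
    "com.taismart.global": "Eoolii",
    "com.ziicam.aws": "Ziicam",
    "com.closeli.eyeplus": "Eyeplus - Your home in your eyes",
}

# Mount points where packages baked into a firmware image are installed.
FIRMWARE_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/apex/")

# One line of `pm list packages [-f]` output. With -f the line carries the APK
# path followed by '=' and the package name; without it, only the name.
_LINE_RE = re.compile(r"^package:(?:(?P<path>\S+)=)?(?P<name>[A-Za-z0-9_.]+)\s*$")


@dataclass
class InstalledPackage:
    name: str
    apk_path: Optional[str]

    def location(self) -> str:
        """Classify where the APK is installed from its path."""
        if self.apk_path is None:
            return "unknown"
        if self.apk_path.startswith(FIRMWARE_PREFIXES):
            return "firmware"
        return "user-installed"


def parse_pm_list(output: str) -> List[InstalledPackage]:
    """Parse `pm list packages` / `pm list packages -f` output into records."""
    packages: List[InstalledPackage] = []
    for raw in output.splitlines():
        line = raw.strip()
        match = _LINE_RE.match(line)
        if not match:
            continue  # skip blank lines and anything that is not a package line
        packages.append(InstalledPackage(match.group("name"), match.group("path")))
    return packages


def triage(output: str) -> List[Dict[str, str]]:
    """Return one finding per installed package that appears in the article's table."""
    findings = []
    for pkg in parse_pm_list(output):
        if pkg.name in KNOWN_AFFECTED_PACKAGES:
            findings.append({
                "package": pkg.name,
                "app": KNOWN_AFFECTED_PACKAGES[pkg.name],
                "location": pkg.location(),
            })
    return findings


# Constructed sample output (not captured from a real device). It places one
# affected package under /data and another on /system to exercise both cases.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Launcher3/Launcher3.apk=com.android.launcher3
package:/data/app/~~Qx1==/com.ziicam.aws-7Ab==/base.apk=com.ziicam.aws
package:/system/app/Eoolii/Eoolii.apk=com.taismart.global
package:/data/app/~~Zz9==/com.example.notes-1==/base.apk=com.example.notes
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM_OUTPUT):
        print(f"{finding['package']} ({finding['app']}): {finding['location']}")
```

On a real device, capture the list with `adb shell pm list packages -f > packages.txt` and pass the file contents to `triage()`. A "firmware" location for a matched package means it cannot be removed by a normal uninstall and points to the system-app embedding vector described above; a "user-installed" hit matches the Google Play distribution vector.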
Infrastructure Links
- BADBOX acts as a distribution vector for Keenadu in some cases. Further analysis uncovered connections between Triada and BADBOX, indicating interaction between the botnets.
- In March 2025, HUMAN identified overlaps between BADBOX and Vo1d, an Android malware targeting off‑brand Android‑based TV boxes.
Why Keenadu Is Concerning
- System‑wide execution – Embedded in libandroid_runtime.so, it runs in the context of every app, granting covert access to all data and rendering Android’s app sandbox ineffective.
- Permission bypass – Its ability to bypass OS permission controls turns it into a backdoor that provides attackers unrestricted access and control over the compromised device.
“Developers of pre‑installed backdoors in Android device firmware have always stood out for their high level of expertise,” Kaspersky concluded. “This is still true for Keenadu: the creators have a deep understanding of the Android architecture, the app startup process, and the core security principles of the operating system.”
“Keenadu is a large‑scale, complex malware platform that provides attackers with unrestricted control over the victim’s device. Although we have currently shown that the backdoor is used primarily for various types of ad fraud, we do not rule out that in the future the malware may follow in Triada’s footsteps and begin stealing credentials.”