New Keenadu backdoor found in Android firmware, Google Play apps
Source: Bleeping Computer
Overview

A newly discovered and sophisticated Android malware called Keenadu has been found embedded in firmware from multiple device brands, enabling it to compromise all installed applications and gain unrestricted control over infected devices.
According to a report from cybersecurity company Kaspersky, Keenadu has multiple distribution mechanisms, including:
- Compromised firmware images delivered over‑the‑air (OTA)
- Delivery via other backdoors
- Embedding in system apps
- Modified apps from unofficial sources
- Apps on Google Play
There are several variants of Keenadu, each with its own set of capabilities. The most potent is the firmware‑based version.
Scope of infection
As of February 2026, Kaspersky has confirmed 13,000 infected devices, many located in Russia, Japan, Germany, Brazil, and the Netherlands.
The researchers compare Keenadu to Triada, another Android malware family spotted in counterfeit devices last year.
Firmware‑integrated variant
- Does not activate if the device language or timezone is associated with China.
- Stops functioning if the Google Play Store and Play Services are not present.
Although the operators are currently focused on ad‑fraud operations, Kaspersky notes that the malware’s capabilities go far beyond that, enabling broad‑range data theft and risky actions on the compromised device.
“Keenadu is a fully functional backdoor that provides the attackers with unlimited control over the victim’s device,” Kaspersky told BleepingComputer.
“It can infect every app installed on the device, install any apps from APK files, and give them any available permissions.”
“All information on the device—including media, messages, banking credentials, location, etc.—can be compromised. The malware even monitors search queries that the user inputs into the Chrome browser in incognito mode,” the researchers said.
System‑app variant
The variant embedded in system apps is more limited, but its elevated privileges allow it to install any app without alerting the user. Kaspersky researchers found the malware embedded in a system app for facial recognition, typically used for unlocking the device and other authentication actions.
Google Play presence
The malware was also discovered in smart‑home camera apps on Google Play that had 300,000+ downloads but are no longer available in the official store.

Figure: Keenadu loader apps on Google Play (Source: Kaspersky)
When opened, these apps launched invisible web‑browser tabs within the host app, navigating to websites in the background. Kaspersky notes that this behavior resembles activity seen in APKs discovered by Dr.Web earlier this year.
Firmware infection in tablets
Keenadu is present in the firmware of Android tablets from multiple manufacturers. For example, the Alldocube iPlay 50 mini Pro (T811M) tablet contained malicious firmware dated 18 August 2023. After a customer reported in March 2024 that Alldocube’s OTA server had been compromised, the company acknowledged “a virus attack through OTA software” but did not disclose further details.
Technical analysis
Kaspersky published a detailed technical analysis of the Keenadu backdoor, explaining how the malware compromises the libandroid_runtime.so component—a core library in the Android system—allowing it to operate “within the context of every app on the device.”
Mitigation and recommendations
- Because the malware is embedded deeply in the firmware, it cannot be removed using standard Android OS tools.
- Users should find and install a clean firmware version for their device.
- Installing firmware from a reputable third party is an alternative, though it carries a risk of bricking the device if the firmware is incompatible.
- The safest option is to stop using the compromised device and replace it with a product from trusted vendors and authorized distributors.
