A newly documented Android backdoor embedded deep in device firmware can silently harvest data and hand remote control of the device to its operators, according to new findings from Kaspersky.
The Russian cybersecurity vendor said it found the backdoor, dubbed Keenadu, in the firmware of devices from various manufacturers, including Alldocube, with the compromise taking place during the firmware build stage. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023. In all cases, the backdoor is embedded within tablet firmware, and the firmware files carry valid digital signatures, which means signature verification alone will not flag the tampered images. The names of the other vendors were not disclosed.
“In several instances, the compromised firmware was delivered with an OTA update,” security researcher Dmitry Kalinin said in an exhaustive analysis published today. “A copy of the backdoor is loaded into the address space of every app upon launch. The malware is a multi-stage loader granting its operators the unrestricted ability to control the victim’s device remotely.”
Some of the payloads retrieved by Keenadu allow it to hijack the browser's search engine, monetize new app installs, and stealthily interact with ad elements. One of the payloads has been found embedded in several standalone apps distributed through third-party repositories, as well as official app marketplaces like Google Play and Xiaomi GetApps.
Telemetry data suggests that 13,715 users worldwide have encountered Keenadu or its modules, with the majority of users attacked by the malware located in Russia, Japan, Germany, Brazil, and the Netherlands.
Keenadu was first disclosed by Kaspersky in late December 2025, which described it as a backdoor in libandroid_runtime.so, a critical shared library in the Android operating system that is loaded during boot. Once active on an infected device, it is injected into the Zygote process, a behavior also observed in another Android malware called Triada. Because every app process on Android is forked from Zygote, code placed in that library ends up in the address space of every app without any per-app infection step.
The malware is invoked via a function call added to libandroid_runtime.so, after which it checks whether it is running inside system apps belonging either to Google services or to mobile carriers like Sprint or T-Mobile. If so, execution is aborted. It also has a kill switch that terminates it if it finds files with certain names in system directories.
“Next, the Trojan checks if it is running within the system_server process,” Kalinin said. “This process controls the entire system and possesses maximum privileges; it is launched by the Zygote process when it starts.”
If this check is true, the malware creates an instance of the AKServer class. Otherwise, it creates an instance of the AKClient class. The AKServer component contains the core logic and command-and-control (C2) mechanism, while AKClient is injected into every app launched on the device and serves as the bridge for interacting with AKServer.
This client-server architecture enables AKServer to execute custom malicious payloads tailored to the specific app it has targeted. AKServer also exposes another interface that malicious modules downloaded within the contexts of other apps can use to grant or revoke permissions to/from an arbitrary app on the device, get the current location, and exfiltrate device information. Since system_server is the process that arbitrates runtime permissions on Android, code running inside it can change an app's permissions without any user prompt.
The AKServer component is also designed to run a series of checks that cause the malware to terminate if the interface language is Chinese and the device is located within a Chinese time zone, or if the Google Play Store or Google Play Services are absent from the device. Once the necessary criteria are satisfied, the Trojan decrypts the C2 address and sends device metadata in encrypted form to the server.

In response, the server returns an encrypted JSON object containing details about the payloads. However, in what appears to be an attempt to complicate analysis and evade detection, an additional check built into the backdoor prevents the C2 server from serving any payloads until 2.5 months have elapsed since the initial check-in, an interval that comfortably outlasts a typical automated sandbox run.
“The attacker’s server delivers information about the payloads as an object array,” Kaspersky explained. “Each object contains a download link for the payload, its MD5 hash, target app package names, target process names, and other metadata. Notably, the attackers chose Amazon AWS as their CDN provider.”
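To make the dispatch step concrete, here is an added Python model of the client-side logic described above (an analyst's reconstruction written for this page, not Keenadu's code and not anything published by Kaspersky). It treats the manifest as plaintext JSON, leaving out the encryption layer; the field names, the 75-day reading of "2.5 months", the CDN host, the sample payload bytes and the first check-in time are all assumptions or constructed inputs. It shows the three gates a payload has to pass before it is loaded: the post-check-in delay, the per-app targeting by package and process name, and the MD5 check on the downloaded bytes.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumed reading of the "2.5 months" delay before the server serves payloads.
PAYLOAD_DELAY = timedelta(days=75)

# Constructed first check-in time, chosen to match the earliest firmware date in the article.
FIRST_CHECKIN = datetime(2023, 8, 18, tzinfo=timezone.utc)

# Constructed stand-ins for downloaded modules; not real Keenadu payloads.
SAMPLE_PAYLOADS = {
    "chrome_hijack": b"\x7fELF-chrome-search-hijack-stub",
    "clicker": b"\x7fELF-clicker-stub",
}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed manifest in the shape the article describes (download link, MD5, target
# package names, target process names). Field names and the CDN host are assumptions.
MANIFEST_JSON = json.dumps([
    {
        "name": "chrome_hijack",
        "url": "https://cdn.example.invalid/chrome_hijack.bin",
        "md5": md5_hex(SAMPLE_PAYLOADS["chrome_hijack"]),
        "target_packages": ["com.android.chrome"],
        "target_processes": ["com.android.chrome"],
    },
    {
        "name": "clicker",
        "url": "https://cdn.example.invalid/clicker.bin",
        "md5": md5_hex(SAMPLE_PAYLOADS["clicker"]),
        "target_packages": ["com.google.android.youtube", "com.facebook.katana"],
        "target_processes": ["com.google.android.youtube", "com.facebook.katana"],
    },
])

def days_later(days: int) -> datetime:
    """Clock helper: a point in time `days` after the first check-in."""
    return FIRST_CHECKIN + timedelta(days=days)

def payloads_allowed(first_checkin: datetime, now: datetime) -> bool:
    """Gate 1: nothing is served until PAYLOAD_DELAY has elapsed since the first check-in."""
    return now - first_checkin >= PAYLOAD_DELAY

def select_payloads(manifest_json: str, package: str, process: str) -> list:
    """Gate 2: keep only descriptors aimed at the app and process AKClient is running in."""
    return [
        entry for entry in json.loads(manifest_json)
        if package in entry["target_packages"] and process in entry["target_processes"]
    ]

def verify_payload(entry: dict, data: bytes) -> bool:
    """Gate 3: the downloaded bytes must match the MD5 carried in the descriptor."""
    return md5_hex(data) == entry["md5"]

def dispatch(manifest_json: str, package: str, process: str,
             first_checkin: datetime, now: datetime,
             fetch: Callable[[str], Optional[bytes]]) -> list:
    """Full client-side flow; returns the names of payloads that passed all three gates."""
    if not payloads_allowed(first_checkin, now):
        return []
    loaded = []
    for entry in select_payloads(manifest_json, package, process):
        data = fetch(entry["url"])
        if data is not None and verify_payload(entry, data):
            loaded.append(entry["name"])
    return loaded

def offline_fetch(url: str) -> Optional[bytes]:
    """Stand-in for the download step: serve constructed bytes by file name, no network."""
    name = url.rsplit("/", 1)[-1]
    if name.endswith(".bin"):
        name = name[:-4]
    return SAMPLE_PAYLOADS.get(name)

def corrupted_fetch(url: str) -> Optional[bytes]:
    """Same, but tampers with the bytes so the MD5 gate rejects them."""
    data = offline_fetch(url)
    return None if data is None else data + b"\x00"

if __name__ == "__main__":
    chrome = ("com.android.chrome", "com.android.chrome")
    print(dispatch(MANIFEST_JSON, *chrome, FIRST_CHECKIN, days_later(30), offline_fetch))  # []
    print(dispatch(MANIFEST_JSON, *chrome, FIRST_CHECKIN, days_later(90), offline_fetch))  # ['chrome_hijack']
```

Running the file prints an empty list for the 30-day case and ['chrome_hijack'] for the 90-day case, which is exactly the gap a short-lived sandbox falls into; when reproducing the behavior in a lab, the delay gate is the part to fast-forward, and the package/process filter explains why a payload only ever shows up inside the app it was written for.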
Some of the identified malicious modules are listed below –
- Keenadu loader, which targets popular online storefronts like Amazon, Shein, and Temu to deliver unspecified payloads. However, it is suspected that they make it possible to add items to the apps' shopping carts without the victim's knowledge.
- Clicker loader, which is injected into YouTube, Facebook, Google Digital Wellbeing, and the Android System launcher to deliver payloads that can interact with advertising elements on gaming, recipe, and news websites.
- Google Chrome module, which targets the Chrome browser to hijack search requests and redirect them to a different search engine. However, it is worth noting that the hijacking attempt may fail if the victim selects an option from the autocomplete suggestions based on keywords entered in the address bar.
- Nova clicker, which is embedded within the system wallpaper picker and uses machine learning and WebRTC to interact with advertising elements. The same component was codenamed Phantom by Doctor Web in an analysis published last month.
- Install monetization, which is embedded into the system launcher and monetizes app installations by deceiving advertising platforms into believing that an app was installed from a legitimate ad tap.
- Google Play module, which retrieves the Google Ads advertising ID and stores it under the key “S_GA_ID3”, likely for use by other modules to uniquely identify a victim.
Kaspersky said it also identified other Keenadu distribution vectors, including embedding the Keenadu loader within various system apps, such as the facial recognition service and the system launcher, in the firmware of several devices. This tactic has been observed in another Android malware known as Dwphon, which was integrated into system apps responsible for OTA updates.
A second method concerns a Keenadu loader artifact that is designed to operate on a device where the system_server process had already been compromised by a different pre-installed backdoor that shares similarities with BADBOX. That's not all. Keenadu has also been found being propagated via trojanized apps for smart cameras on Google Play.
The names of the apps, which were published by a developer named Hangzhou Denghong Technology Co., Ltd., are as follows –
- Eoolii (com.taismart.world) – 100,000+ downloads
- Ziicam (com.ziicam.aws) – 100,000+ downloads
- Eyeplus-Your home in your eyes (com.closeli.eyeplus) – 100,000+ downloads
While these apps are no longer available for download from Google Play, the developer has published the same set of apps to the Apple App Store as well. It is not clear if the iOS counterparts include the Keenadu functionality. The Hacker News has reached out to Kaspersky for comment, and we will update the story if we hear back. That said, it is believed that Keenadu is mainly designed to target Android tablets.
With BADBOX acting as a distribution vector for Keenadu in some cases, further analysis has also uncovered infrastructure connections between Triada and BADBOX, indicating that these botnets are interacting with one another. In March 2025, HUMAN said it identified overlaps between BADBOX and Vo1d, an Android malware targeting off-brand Android-based TV boxes.
The discovery of Keenadu is troubling for two main reasons –
- Given that the malware is embedded in libandroid_runtime.so, it operates within the context of every app on the device. This allows it to gain covert access to all of their data and renders Android's app sandboxing ineffective.
- The malware's ability to bypass the permissions used to govern app privileges within the operating system turns it into a backdoor that grants attackers unfettered access to and control over the compromised device.
“Developers of pre-installed backdoors in Android device firmware have always stood out for their high level of expertise,” Kaspersky concluded. “This is still true for Keenadu: the creators of the malware have a deep understanding of the Android architecture, the app startup process, and the core security principles of the operating system.”
“Keenadu is a large-scale, complex malware platform that provides attackers with unrestricted control over the victim’s device. Although we have currently shown that the backdoor is used primarily for various types of ad fraud, we do not rule out that in the future, the malware may follow in Triada’s footsteps and begin stealing credentials.”