Ethical Hacking News
A new Android backdoor has been discovered that silently harvests data and remotely controls devices via signed OTA updates. This sophisticated malware, known as Keenadu, poses a significant threat to mobile security. With its ability to operate within the context of every app on the device, Keenadu grants attackers unfettered access and control over the compromised device. Developers must take immediate action to protect their users and ensure that their devices are Play Protect certified.
The Keenadu backdoor is a sophisticated Android malware embedded deep within the device firmware, allowing it to silently harvest data and remotely control the device. The malware was first discovered in August 2023 in the firmware of devices associated with various brands, including Alldocube, and telemetry shows it has since been encountered by over 13,715 users worldwide. Keenadu operates within every app on the device, allowing it to gain covert access to all data and rendering Android's app sandboxing ineffective. The malware bypasses the permissions used to control app privileges, granting attackers unfettered access to and control over the compromised device. Keenadu is a large-scale, complex malware platform that provides attackers with unrestricted control over the victim's device, and its creators have a deep understanding of the Android architecture.
Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates - A Growing Concern for Mobile Security
In a recent discovery that has sent shockwaves through the cybersecurity community, Kaspersky, a renowned Russian cybersecurity vendor, has identified a new Android backdoor dubbed Keenadu. This sophisticated malware is embedded deep within the device firmware and has been found to silently harvest data and remotely control its behavior. The implications of this threat are far-reaching, and mobile security experts warn that users must take immediate action to protect themselves.
According to Kaspersky, the Keenadu backdoor was first discovered in August 2023 in the firmware of devices associated with various brands, including Alldocube. The compromise occurred during the firmware build phase, and in all cases, the backdoor is embedded within tablet firmware, carrying valid digital signatures. This tactic allows the malware to blend in seamlessly with legitimate updates, making it difficult for users to detect.
The Keenadu backdoor has been found to be a multi-stage loader, granting its operators unparalleled control over the compromised device remotely. This means that attackers can hijack the search engine in the browser, monetize new app installs, and stealthily interact with ad elements. In some cases, the malware has also been embedded within standalone apps distributed via third-party repositories, as well as official app marketplaces like Google Play and Xiaomi GetApps.
Telemetry data suggests that 13,715 users worldwide have encountered Keenadu or its modules, with the majority of users attacked in Russia, Japan, Germany, Brazil, and the Netherlands. This widespread reach is a testament to the sophistication and stealth of the malware.
The Keenadu backdoor operates within the context of every app on the device, allowing it to gain covert access to all data and render Android's app sandboxing ineffective. The malware's ability to bypass permissions used to control app privileges within the operating system turns it into a backdoor that grants attackers unfettered access and control over the compromised device.
In an exhaustive analysis published today, security researcher Dmitry Kalinin revealed that Keenadu was first discovered in late December 2025, describing it as a backdoor in libandroid_runtime.so, a critical shared library in the Android operating system. Once active on an infected device, it's injected into the Zygote process, a behavior also observed in another Android malware called Triada.
The Keenadu loader is invoked by means of a function call added to libandroid_runtime.so, following which it checks if it's running within system apps belonging either to Google services or to cellular carriers like Sprint or T-Mobile. If so, the execution is aborted. It also has a kill switch to terminate itself if it finds files with certain names in system directories.
Kaspersky identified other Keenadu distribution vectors, including embedding the Keenadu loader within various system apps, such as the facial recognition service and system launcher, in the firmware of several devices. This tactic has been observed in another Android malware known as Dwphon, which was integrated into system apps responsible for OTA updates.
A second method concerns a Keenadu loader artifact that's designed to operate within a system where the system_server process had already been compromised by a different pre-installed backdoor that shares similarities with BADBOX. The Keenadu distribution vectors also include trojanized apps for smart cameras on Google Play, which have been found to contain malicious functionality.
The apps, all published by a developer named Hangzhou Denghong Technology Co., Ltd., are as follows: Eoolii (com.taismart.global), with 100,000+ downloads; Ziicam (com.ziicam.aws), with 100,00+ downloads; and Eyeplus-Your home in your eyes (com.closeli.eyeplus), with 100,000+ downloads. While these apps are no longer available for download from Google Play, the developer has published the same set of apps to the Apple App Store as well. When reached for comment, Kaspersky told The Hacker News that the iOS versions of the apps do not include the malicious functionality.
Further analysis has uncovered infrastructure connections between Triada and BADBOX, indicating that these botnets are interacting with one another. In March 2025, HUMAN identified overlaps between BADBOX and Vo1d, an Android malware targeting off-brand Android-based TV boxes.
The discovery of Keenadu is troubling for two main reasons. First, the malware's ability to operate within the context of every app on the device makes it a powerful tool for attackers. Second, its ability to bypass the permissions used to control app privileges within the operating system turns it into a backdoor that grants attackers unfettered access to and control over the compromised device.
Developers of pre-installed backdoors in Android device firmware have always stood out for their high level of expertise. This is still true for Keenadu: the creators of the malware have a deep understanding of the Android architecture, the app startup process, and the core security principles of the operating system.
"Keenadu is a large-scale, complex malware platform that provides attackers with unrestricted control over the victim's device," Kaspersky concluded. "Although we have currently shown that the backdoor is used primarily for various types of ad fraud, we do not rule out that in the future, the malware may follow in Triada's footsteps and begin stealing credentials."
Update
Following the publication of the story, Google confirmed to The Hacker News that the three identified malicious apps have been removed from Google Play, urging users to ensure that their devices are Play Protect certified. The entire statement from the Google spokesperson is reproduced verbatim below:
Android users are automatically protected from known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users and disable apps known to exhibit Keenadu-associated behavior, even when those apps come from sources outside of Play. As a best security practice, we recommend users ensure their device is Play Protect certified.
Related Information:
https://www.ethicalhackingnews.com/articles/A-New-Android-Backdoor-Uncovered-The-Keenadu-Threat-ehn.shtml
Published: Wed Feb 18 11:01:46 2026 by llama3.2 3B Q4_K_M