    Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates

By admin, February 18, 2026

    A new Android backdoor that’s embedded deep into the device firmware can silently harvest data and remotely control its behavior, according to new findings from Kaspersky.

    The Russian cybersecurity vendor said it discovered the backdoor, dubbed Keenadu, in the firmware of devices associated with various brands, including Alldocube, with the compromise occurring during the firmware build phase. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023. In all cases, the backdoor is embedded within tablet firmware, and the firmware files carry valid digital signatures. The names of the other vendors were not disclosed.

    “In several instances, the compromised firmware was delivered with an OTA update,” security researcher Dmitry Kalinin said in an exhaustive analysis published today. “A copy of the backdoor is loaded into the address space of every app upon launch. The malware is a multi-stage loader granting its operators the unrestricted ability to control the victim’s device remotely.”

    Some of the payloads retrieved by Keenadu allow it to hijack the search engine in the browser, monetize new app installs, and stealthily interact with ad elements. One of the payloads has been found embedded in several standalone apps distributed via third-party repositories, as well as official app marketplaces like Google Play and Xiaomi GetApps.

    Telemetry data suggests that 13,715 users worldwide have encountered Keenadu or its modules, with the majority of the users attacked by the malware located in Russia, Japan, Germany, Brazil, and the Netherlands.

    Keenadu was first disclosed by Kaspersky in late December 2025, describing it as a backdoor in libandroid_runtime.so, a critical shared library in the Android operating system that’s loaded during boot. Once it’s active on an infected device, it’s injected into the Zygote process, a behavior also observed in another Android malware called Triada. 

    The malware is invoked by means of a function call added to the libandroid_runtime.so, following which it checks if it’s running within system apps belonging either to Google services or to cellular carriers like Sprint or T-Mobile. If so, the execution is aborted. It also has a kill switch to terminate itself if it finds files with certain names in system directories.

    “Next, the Trojan checks if it is running within the system_server process,” Kalinin said. “This process controls the entire system and possesses maximum privileges; it is launched by the Zygote process when it starts.”

    If this check is true, the malware proceeds to create an instance of the AKServer class. Otherwise, it creates an instance of the AKClient class. The AKServer component contains the core logic and command-and-control (C2) mechanism, while AKClient is injected into every app launched on the device and serves as the bridge for interacting with AKServer.

This client-server architecture enables AKServer to execute custom malicious payloads tailored to the specific app it has targeted. AKServer also exposes a second interface that malicious modules downloaded within the contexts of other apps can use to grant or revoke permissions to/from an arbitrary app on the device, get the current location, and exfiltrate device information.

    The AKServer component is also designed to run a series of checks that cause the malware to terminate if the interface language is Chinese and the device is located within a Chinese time zone, or if Google Play Store or Google Play Services are absent from the device. Once the necessary criteria are satisfied, the Trojan decrypts the C2 address and sends device metadata in encrypted format to the server.

    In response, the server returns an encrypted JSON object containing details about the payloads. However, in what appears to be an attempt to complicate analysis and evade detection, an added check built into the backdoor prevents the C2 server from serving any payloads until 2.5 months have elapsed since the initial check-in.

    “The attacker’s server delivers information about the payloads as an object array,” Kaspersky explained. “Each object contains a download link for the payload, its MD5 hash, target app package names, target process names, and other metadata. Notably, the attackers chose Amazon AWS as their CDN provider.”
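To make the manifest format and the check-in delay concrete, here is an added analyst-side triage helper; it is not Kaspersky's code and not taken from the malware. The JSON key names (url, md5, target_packages, target_processes), the 75-day model of the "2.5 months" gate, the example.invalid URLs and the sample entries are all assumptions constructed for the example.

```python
"""Added defender-side triage helper for a decrypted Keenadu-style payload manifest.

The write-up says the C2 returns an object array where each object carries a
download link, an MD5 hash, target app package names and target process names.
The key names used here are assumed; the article does not give the real ones.
"""
import hashlib
import json
from datetime import date, timedelta

# The backdoor withholds payloads until 2.5 months after the first check-in;
# modelling that as 75 days is an assumption, not a value from the report.
PAYLOAD_GATE = timedelta(days=75)

# Constructed sample manifest, shaped like the article's description.
SAMPLE_MANIFEST = json.dumps([
    {"url": "https://example.invalid/cdn/chrome_mod.jar",
     "md5": "9e107d9d372bb6826bd81d3542a419d6",
     "target_packages": ["com.android.chrome"],
     "target_processes": ["com.android.chrome"]},
    {"url": "https://example.invalid/cdn/clicker.jar",
     "md5": "not-a-real-hash",
     "target_packages": ["com.google.android.youtube", "com.facebook.katana"],
     "target_processes": ["com.google.android.youtube"]},
])


def gate_open(first_checkin: date, today: date) -> bool:
    """True once a device has been checked in long enough to be served payloads.
    A sandbox run of minutes will therefore never see a payload."""
    return today - first_checkin >= PAYLOAD_GATE


def md5_matches(blob: bytes, expected_md5: str) -> bool:
    """Integrity check on a pulled payload against the MD5 named in the manifest."""
    return hashlib.md5(blob).hexdigest() == expected_md5.lower()


def triage_manifest(manifest_json: str, installed_packages: set[str]) -> list[dict]:
    """Per manifest entry: which targeted packages exist on this device, and
    whether the hash field is well-formed (32 hex characters)."""
    report = []
    for entry in json.loads(manifest_json):
        md5 = entry.get("md5", "").lower()
        hash_ok = len(md5) == 32 and all(c in "0123456789abcdef" for c in md5)
        targets = set(entry.get("target_packages", []))
        report.append({
            "url": entry.get("url"),
            "md5_well_formed": hash_ok,
            "targets_on_device": sorted(targets & installed_packages),
            "processes": list(entry.get("target_processes", [])),
        })
    return report
```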

    Some of the identified malicious modules are listed below –

    • Keenadu loader, which targets popular online storefronts like Amazon, Shein, and Temu to deliver unspecified payloads. However, it’s suspected that they make it possible to add items to the apps’ shopping carts without the victim’s knowledge.
    • Clicker loader, which is injected into YouTube, Facebook, Google Digital Wellbeing, and Android System launcher to deliver payloads that can interact with advertising elements on gaming, recipes, and news websites.
    • Google Chrome module, which targets the Chrome browser to hijack search requests and redirect them to a different search engine. However, it’s worth noting that the hijacking attempt may fail if the victim selects an option from the autocomplete suggestions based on keywords entered in the address bar.
    • Nova clicker, which is embedded within the system wallpaper picker and uses machine learning and WebRTC to interact with advertising elements. The same component was codenamed Phantom by Doctor Web in an analysis published last month.
    • Install monetization, which is embedded into the system launcher and monetizes app installations by deceiving advertising platforms into believing that an app was installed from a legitimate ad tap.
    • Google Play module, which retrieves the Google Ads advertising ID and stores it under the key “S_GA_ID3” for likely use by other modules for uniquely identifying a victim.

    Kaspersky said it also identified other Keenadu distribution vectors, including by embedding the Keenadu loader within various system apps, such as the facial recognition service and system launcher, in the firmware of several devices. This tactic has been observed in another Android malware known as Dwphon, which was integrated into system apps responsible for OTA updates.

    A second method concerns a Keenadu loader artifact that’s designed to operate within a system where the system_server process had already been compromised by a different pre-installed backdoor that shares similarities with BADBOX. That’s not all. Keenadu has also been discovered being propagated via trojanized apps for smart cameras on Google Play.

    The names of the apps, which were published by a developer named Hangzhou Denghong Technology Co., Ltd., are as follows –

    • Eoolii (com.taismart.global) – 100,000+ downloads
    • Ziicam (com.ziicam.aws) – 100,00+ downloads
    • Eyeplus-Your home in your eyes (com.closeli.eyeplus) – 100,000+ downloads

    While these apps are no longer available for download from Google Play, the developer has published the same set of apps to the Apple App Store as well. It’s not clear if the iOS counterparts include the Keenadu functionality. The Hacker News has reached out to Kaspersky for comment, and we will update the story if we hear back. That said, it’s believed that Keenadu is mainly designed to target Android tablets.

    With BADBOX acting as a distribution vector for Keenadu in some cases, further analysis has also uncovered infrastructure connections between Triada and BADBOX, indicating that these botnets are interacting with one another. In March 2025, HUMAN said it identified overlaps between BADBOX and Vo1d, an Android malware targeting off-brand Android-based TV boxes.

    The discovery of Keenadu is troubling for two main reasons –

    • Given that the malware is embedded in libandroid_runtime.so, it operates within the context of every app on the device. This allows it to gain covert access to all data and render Android’s app sandboxing ineffective.
    • The malware’s ability to bypass permissions used to control app privileges within the operating system turns it into a backdoor that grants attackers unfettered access and control over the compromised device.

    “Developers of pre-installed backdoors in Android device firmware have always stood out for their high level of expertise,” Kaspersky concluded. “This is still true for Keenadu: the creators of the malware have a deep understanding of the Android architecture, the app startup process, and the core security principles of the operating system.”

    “Keenadu is a large-scale, complex malware platform that provides attackers with unrestricted control over the victim’s device. Although we have currently shown that the backdoor is used primarily for various types of ad fraud, we do not rule out that in the future, the malware may follow in Triada’s footsteps and begin stealing credentials.”
