New backdoor found in Android tablets targeting users in Russia, Germany and Japan

Researchers have uncovered a sophisticated Android backdoor, dubbed Keenadu, woven into the firmware of devices, allowing it to infect tablets before they ever reach consumers. The finding comes from Kaspersky, a prominent Russian cybersecurity firm, which detailed its analysis in a report released this week.

Unprecedented Access and Global Reach

Keenadu distinguishes itself from conventional malware, which typically relies on user interaction for installation. Instead, it is embedded deep within the device’s core software, enabling it to infiltrate every application launched on the tablet. According to Kaspersky, this backdoor grants attackers virtually unrestricted control over the compromised devices.

Globally, over 13,700 users have encountered Keenadu or its related modules, with the highest detection rates reported in countries such as Russia, Japan, Germany, Brazil, and the Netherlands. The primary purpose of this malware appears to be advertising fraud, with capabilities that include:

  • Hijacking browser search engines
  • Monitoring the installation of new applications
  • Interacting with advertising components to generate fraudulent revenue

In some alarming instances, users have reported that their infected tablets were autonomously adding items to online shopping carts without their consent.

Manufacturers Affected and Supply Chain Vulnerabilities

The malware has been found integrated into the firmware of tablets from various manufacturers, notably including Alldocube, a Chinese device maker. While Alldocube had previously acknowledged malware issues in one of its models, Kaspersky noted that subsequent firmware updates for that device, even those released after public disclosure, remained compromised.

Although Kaspersky did not disclose the names of other affected manufacturers, it has informed the relevant vendors of the findings. Researchers suspect that Keenadu was inserted during the firmware build stage, likely through a compromised supply chain, meaning devices could have been infected before reaching consumers.

Variants and Evasion Tactics

The report identified several variants of Keenadu, with the most potent version embedded directly into the device firmware. Other variants were cleverly hidden within applications, including a facial recognition app used for unlocking devices, and even within apps available on official platforms like Google Play and third-party repositories.

While the researchers did not attribute the campaign to a specific threat actor, they noted that the developers exhibited a profound understanding of Android architecture and core security principles. Notably, the malware includes evasion logic: it checks the device’s language settings and time zone and terminates its operations if the interface language is set to a Chinese dialect or if the device is located in a Chinese time zone. It also remains inactive on devices that do not have access to the Google Play Store or Google Play Services.
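The locale and time-zone gating described above is a behaviour an analyst can look for statically when triaging a firmware image or APK. The script below is an added example, not Kaspersky's code and not derived from the Keenadu report: it scans constructed smali-style decompiler output, counts per-class references to locale, time-zone and Google Play Services availability APIs together with Chinese locale/time-zone string literals, and flags classes where all three co-occur. The indicator lists and the sample input are assumptions for illustration; the Android and GMS method names used as indicators are real APIs.

```python
"""Static triage heuristic: flag classes that combine locale/time-zone lookups,
Chinese locale or time-zone literals, and a Google Play Services availability
check. Added example; indicator sets and sample smali are constructed."""
import re
from dataclasses import dataclass, field

# Android/JDK locale and time-zone lookups a geofencing gate would reference
# (assumed indicator set for this example).
LOCALE_INDICATORS = (
    "Ljava/util/Locale;->getDefault",
    "Ljava/util/Locale;->getLanguage",
    "Landroid/content/res/Configuration;->locale",
)
TIMEZONE_INDICATORS = (
    "Ljava/util/TimeZone;->getDefault",
    "Ljava/util/TimeZone;->getID",
)
# Real GMS API used to test whether Play Services is present on the device.
GMS_INDICATORS = (
    "Lcom/google/android/gms/common/GoogleApiAvailability;->isGooglePlayServicesAvailable",
)
# Literals a Chinese-locale / Chinese-time-zone comparison would use (assumed list).
GEO_LITERALS = re.compile(
    r'"(Asia/Shanghai|Asia/Chongqing|Asia/Harbin|Asia/Urumqi|zh_CN|zh_TW|zh_HK|zh)"'
)


@dataclass
class Finding:
    class_name: str
    locale_refs: int = 0
    tz_refs: int = 0
    gms_refs: int = 0
    geo_literals: list = field(default_factory=list)

    @property
    def score(self) -> int:
        """One point each for: locale/time-zone lookup, geo literal, GMS check."""
        return (
            int(bool(self.locale_refs or self.tz_refs))
            + int(bool(self.geo_literals))
            + int(bool(self.gms_refs))
        )


def scan_smali(lines):
    """Group smali lines by '.class' header and tally indicators per class."""
    findings = {}
    current = "<unknown>"
    for raw in lines:
        line = raw.strip()
        if line.startswith(".class"):
            current = line.split()[-1]          # e.g. Lcom/example/Foo;
            findings.setdefault(current, Finding(current))
            continue
        f = findings.setdefault(current, Finding(current))
        f.locale_refs += sum(i in line for i in LOCALE_INDICATORS)
        f.tz_refs += sum(i in line for i in TIMEZONE_INDICATORS)
        f.gms_refs += sum(i in line for i in GMS_INDICATORS)
        f.geo_literals.extend(GEO_LITERALS.findall(line))
    return findings


def suspicious_classes(findings, min_score=3):
    """Classes where all three behaviours co-occur; a benign localisation class
    that only reads the locale and compares "zh" stays below the threshold."""
    return sorted(c for c, f in findings.items() if f.score >= min_score)


# Constructed sample: one gating class, one benign i18n class, one analytics class.
SAMPLE_SMALI = """\
.class public Lcom/example/boot/GateCheck;
.super Ljava/lang/Object;
    invoke-static {}, Ljava/util/Locale;->getDefault()Ljava/util/Locale;
    invoke-virtual {v0}, Ljava/util/Locale;->getLanguage()Ljava/lang/String;
    const-string v1, "zh"
    invoke-static {}, Ljava/util/TimeZone;->getDefault()Ljava/util/TimeZone;
    invoke-virtual {v2}, Ljava/util/TimeZone;->getID()Ljava/lang/String;
    const-string v3, "Asia/Shanghai"
    invoke-virtual {v4, p0}, Lcom/google/android/gms/common/GoogleApiAvailability;->isGooglePlayServicesAvailable(Landroid/content/Context;)I
.class public Lcom/example/ui/Strings;
.super Ljava/lang/Object;
    invoke-static {}, Ljava/util/Locale;->getDefault()Ljava/util/Locale;
    const-string v0, "zh"
    const-string v1, "de"
.class public Lcom/example/analytics/Reporter;
.super Ljava/lang/Object;
    invoke-virtual {v4, p0}, Lcom/google/android/gms/common/GoogleApiAvailability;->isGooglePlayServicesAvailable(Landroid/content/Context;)I
"""

if __name__ == "__main__":
    results = scan_smali(SAMPLE_SMALI.splitlines())
    for name, f in results.items():
        print(f"{name}: score={f.score} locale={f.locale_refs} tz={f.tz_refs} "
              f"gms={f.gms_refs} literals={f.geo_literals}")
    print("suspicious:", suspicious_classes(results))
```

In practice the input would be the output of a decompiler such as baksmali run over the system partition's APKs and ODEX files; the threshold of three is deliberately strict so that ordinary localisation code, which legitimately reads the locale and compares language tags, is not flagged on its own.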

Historical Context and Recommendations

The Keenadu operation bears a resemblance to a previous infection involving the Triada backdoor, which embedded itself in the firmware of counterfeit Android devices sold through major online marketplaces. This earlier malware allowed attackers to steal credentials from messaging and social media applications.

Due to its deep integration at the firmware level, Keenadu cannot be eradicated using standard Android security tools. Researchers recommend that users install a clean firmware version from a trusted source. In certain cases, they caution that replacing the device entirely may be the safest course of action.
