A sophisticated Android malware, identified as Keenadu, has recently come to light, embedded in the firmware of various device brands. This malware poses a significant threat by compromising all installed applications and granting unrestricted control over infected devices.
Distribution Mechanisms and Variants
According to a report from cybersecurity firm Kaspersky, Keenadu employs multiple distribution methods. These include:
- Compromised firmware images delivered over-the-air (OTA)
- Access via other backdoors
- Embedding in system applications
- Modified applications sourced from unofficial channels
- Infiltration through apps available on Google Play
There are several variants of Keenadu, each with distinct capabilities, with the firmware-based version being the most formidable.
As of February 2026, Kaspersky has confirmed the presence of Keenadu on approximately 13,000 devices, predominantly located in Russia, Japan, Germany, Brazil, and the Netherlands. The researchers have drawn comparisons between Keenadu and Triada, another Android malware family that was detected in counterfeit Android devices last year, primarily in low-cost phones acquired through dubious supply chains.
Operational Characteristics and Origin Clues
The firmware-integrated variant of Keenadu exhibits a unique behavior: it remains dormant if the device’s language or timezone is associated with China, hinting at a possible origin. Furthermore, the malware ceases to function if it detects the absence of the Google Play Store and Play Services.
While its operators currently focus on ad fraud, Kaspersky emphasizes that Keenadu’s capabilities extend far beyond this, enabling extensive data theft and risky actions on compromised devices. “Keenadu is a fully functional backdoor that provides attackers with unlimited control over the victim’s device,” Kaspersky stated in a communication with BleepingComputer.
“It can infect every app installed on the device, install any apps from APK files, and grant them any available permissions.” The implications are severe, as all information on the device—including media, messages, banking credentials, and location—can be compromised. Notably, the malware can even monitor search queries entered in the Chrome browser’s incognito mode.
Embedded Variants and Discovery
The variant of Keenadu found embedded in system applications has more limited functionality. However, its elevated privileges allow it to install any app without notifying the user. Kaspersky researchers discovered the malware within a system app designed for facial recognition, typically used for device unlocking and various authorization processes.
Additionally, the malware was identified in smart home camera applications on Google Play, which had amassed 300,000 downloads before being removed from the official Android store. When these apps were launched, they initiated invisible web browser tabs that navigated to websites in the background, a behavior reminiscent of APKs previously uncovered by Dr.Web.
Firmware Compromise and Recommendations
Keenadu has been detected in the firmware of Android tablets from numerous manufacturers. For instance, the Alldocube iPlay 50 mini Pro (T811M) tablet was found to contain malicious firmware dated August 18, 2023. Following a customer report in March 2024 regarding a compromise of Alldocube’s OTA server, the company acknowledged a “virus attack through OTA software” but did not specify the nature of the threat.
Kaspersky has published a comprehensive technical analysis detailing how the Keenadu backdoor compromises the libandroid_runtime.so component, a core library in the Android system, allowing the malware to operate within the context of every app on the device. The researchers caution that due to the malware’s deep integration into the firmware, standard Android OS tools cannot remove it. They recommend users seek out clean firmware versions for their devices.
Alternatively, users may consider installing firmware from reputable third parties, although this carries the risk of bricking the device if compatibility issues arise. Ultimately, one of the safest options may be to cease using the compromised device and replace it with products from trusted vendors and authorized distributors.
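One practical way to act on the advice above is to compare the core system libraries on a device against the same files taken from a clean vendor image for the same build. The script below is an added example and is not Kaspersky's tooling or anything from the report; it assumes the device output was gathered with `adb shell sha256sum <paths>` and `adb shell getprop ro.build.fingerprint`, and every hash and fingerprint in it is a constructed placeholder, not a real value for any device or firmware.

```python
"""Firmware integrity spot-check (added example, not Kaspersky's tooling).

Compares SHA-256 hashes of core system libraries reported by a device with
the hashes of the same files taken from a clean vendor firmware image for the
same build fingerprint. All hashes and fingerprints below are constructed
placeholders, not real values for any device or firmware.
"""
import re
from typing import Dict, List

# Files worth checking: the library the article names, in both ABI variants,
# plus the zygote launcher that loads it. Assumption: which extra paths to
# watch is the analyst's choice, not something the report prescribes.
WATCHED_PATHS = (
    "/system/lib64/libandroid_runtime.so",
    "/system/lib/libandroid_runtime.so",
    "/system/bin/app_process64",
)

# Constructed baseline: fingerprint -> {path: sha256} as extracted from a
# clean image. The PLACEHOLDER build id and repeated-letter digests stand in
# for real values.
CLEAN_BASELINE = {
    "vendor/device/device:13/PLACEHOLDER_BUILD_ID/1:user/release-keys": {
        "/system/lib64/libandroid_runtime.so": "a" * 64,
        "/system/lib/libandroid_runtime.so": "b" * 64,
        "/system/bin/app_process64": "c" * 64,
    },
}

# Constructed sample of what `adb shell sha256sum <paths>` returns: the 64-bit
# runtime library differs from the clean baseline, the other two files match.
SAMPLE_DEVICE_OUTPUT = """\
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff  /system/lib64/libandroid_runtime.so
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  /system/lib/libandroid_runtime.so
cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc  /system/bin/app_process64
"""
SAMPLE_FINGERPRINT = "vendor/device/device:13/PLACEHOLDER_BUILD_ID/1:user/release-keys"

# One sha256sum line: 64 hex chars, whitespace, optional binary marker, path.
_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_sha256sum(text: str) -> Dict[str, str]:
    """Parse `sha256sum` output into {path: hex digest}. Lines that are not
    digest lines (for example 'No such file or directory' errors) are skipped."""
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            result[m.group(2)] = m.group(1).lower()
    return result


def compare_to_baseline(fingerprint: str, observed: Dict[str, str],
                        baseline: Dict[str, Dict[str, str]] = CLEAN_BASELINE) -> List[str]:
    """Return a list of findings; an empty list means every watched file that
    the clean image ships matched the device's copy."""
    findings: List[str] = []
    expected = baseline.get(fingerprint)
    if expected is None:
        # No clean reference for this build: nothing can be vouched for.
        return [f"no clean baseline for fingerprint {fingerprint!r}"]
    for path in WATCHED_PATHS:
        if path not in expected:
            continue  # this build does not ship that file (e.g. 32-bit only)
        got = observed.get(path)
        if got is None:
            findings.append(f"{path}: not reported by device")
        elif got != expected[path]:
            findings.append(f"{path}: hash mismatch (device {got[:12]}..., "
                            f"clean {expected[path][:12]}...)")
    return findings


def audit_sample() -> List[str]:
    """Run the check over the constructed sample device output."""
    return compare_to_baseline(SAMPLE_FINGERPRINT,
                               parse_sha256sum(SAMPLE_DEVICE_OUTPUT))


if __name__ == "__main__":
    for line in audit_sample() or ["all watched files match the clean image"]:
        print(line)
```

To use it against a real device, replace the sample output with `adb shell sha256sum /system/lib64/libandroid_runtime.so /system/lib/libandroid_runtime.so /system/bin/app_process64`, read the fingerprint from `adb shell getprop ro.build.fingerprint`, and fill the baseline by hashing the same files extracted from an image obtained directly from the vendor. A caveat follows from the article's own point that the implant lives in the firmware: the `sha256sum` binary and everything else on a compromised device can lie, so a match reported by the running device is only a first screen, and hashing a dumped system partition on a separate machine is the stronger check.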