Facepalm: Keenadu is a firmware-level backdoor that has infected thousands of devices worldwide. Kaspersky analysts discovered the threat while investigating Triada, a trojan pre-installed on inexpensive Android devices. Like Triada, Keenadu is designed to infiltrate the deepest parts of the mobile operating system without the user's knowledge.
The Moscow-based security company reported that Keenadu was found in Android tablets sold by several brands, most of which it did not name. Similar to Triada, the threat infects the firmware during the binary build phase, when a malicious static library is secretly linked into libandroid_runtime.so.
Once the device boots, the malicious library injects itself into the Zygote process. According to Android's official documentation, Zygote is a critical process that serves as the "root" for all subsequent system and app processes, performing essential tasks for the operating system. Because every app process is forked from Zygote, Keenadu effectively becomes part of every app run by the user or by the system itself.
The backdoor is built on a multi-stage design, giving its operators "unrestricted" control over infected devices remotely. Malicious payloads can target browser search engines, monetize new app installations, perform "stealth" interactions with advertising, and more. Kaspersky also detected traces of Keenadu in apps distributed via Google Play, Xiaomi GetApps, and even standalone apps from third-party repositories.
The analysts were unable to pinpoint the exact origin of the malware. Most likely, Keenadu entered the Android ecosystem when cybercriminals compromised a critical phase of the supply chain for multiple Android tablets. The malicious library was then embedded in the devices before they reached the market.
Kaspersky traced the malware back to Alldocube, a tablet maker that publicly shares its firmware archives for security vetting. According to Kaspersky telemetry, 13,715 users worldwide were affected by Keenadu and one of its malicious modules. The highest concentrations of infections were reported in Russia, Japan, Germany, Brazil, and the Netherlands.
Now that Kaspersky has alerted the affected vendors, users are advised to install Android security updates as soon as they become available. Complex malware like Keenadu underscores the growing sophistication of cybercriminals, who are increasingly able to exploit Android's core architecture and security mechanisms to operate against users' interests.
