Cyber: Keenadu Firmware Backdoor Infects Android Tablets Via Signed OTA...

A new Android backdoor that's embedded deep into the device firmware can silently harvest data and remotely control its behavior, according to new findings from Kaspersky.

The Russian cybersecurity vendor said it discovered the backdoor, dubbed Keenadu, in the firmware of devices associated with various brands, including Alldocube, with the compromise occurring during the firmware build phase. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023. In all cases, the backdoor is embedded within tablet firmware, and the firmware files carry valid digital signatures. The names of the other vendors were not disclosed.

"In several instances, the compromised firmware was delivered with an OTA update," security researcher Dmitry Kalinin said in an exhaustive analysis published today. "A copy of the backdoor is loaded into the address space of every app upon launch. The malware is a multi-stage loader granting its operators the unrestricted ability to control the victim's device remotely."

Some of the payloads retrieved by Keenadu allow it to hijack the search engine in the browser, monetize new app installs, and stealthily interact with ad elements. One of the payloads has been found embedded in several standalone apps distributed via third-party repositories, as well as official app marketplaces like Google Play and Xiaomi GetApps.

Telemetry data suggests that 13,715 users worldwide have encountered Keenadu or its modules, with most of the affected users located in Russia, Japan, Germany, Brazil, and the Netherlands.

Keenadu was first disclosed by Kaspersky in late December 2025, which described it as a backdoor in libandroid_runtime.so, a critical shared library in the Android operating system that's loaded during boot. Once it's active on an infected device, it's injected into the Zygote process, a behavior also observed in another Android malware called Triada.

The malware is invoked by means of a function call added to libandroid_runtime.so, after which it checks whether it's running within system apps belonging either to Google services or to cellular carriers like Sprint or T-Mobile. If so, execution is aborted. It also has a kill switch that terminates it if it finds files with certain names in system directories.

"Next, the Trojan checks if it is running within the system_server process," Kalinin said. "This process controls the entire system and possesses maximum privileges; it i

Source: The Hacker News