Sophisticated Keenadu Backdoor Found Embedded in Android Firmware and Google Play Apps

Security researchers at Kaspersky have uncovered a sophisticated Android backdoor named Keenadu that's compromising devices through multiple attack vectors, including pre-infected firmware, modified system apps, and even apps distributed through Google Play. With over 13,000 confirmed infections across Russia, Japan, Germany, Brazil, and the Netherlands, this malware family exhibits advanced stealth capabilities and concerning data collection functionality.

Firmware-Level Compromise

The most potent variant of Keenadu resides deep within device firmware, typically delivered through compromised over-the-air (OTA) updates or supply chain compromises. According to Kaspersky's technical analysis, the malware modifies the core libandroid_runtime.so Android library, enabling it to operate within the context of every application on the device. This firmware-level persistence makes detection and removal exceptionally difficult, as standard security tools can't access this privileged layer.

Kaspersky researchers explained the severity: "Keenadu is a fully functional backdoor that provides attackers with unlimited control over the victim's device. It can infect every app installed on the device, install any apps from APK files, and grant them any available permissions. All information on the device—including media, messages, banking credentials, and location—can be compromised."

Notably, the malware includes geofencing capabilities, disabling itself if device language or timezone settings indicate Chinese usage. It also checks for the presence of Google Play Services before activating.

Multiple Distribution Methods

Beyond firmware attacks, Keenadu spreads through:

1. Compromised system apps: Found embedded in facial recognition system apps, leveraging elevated privileges to silently install payloads
2. Third-party app stores: Distributed through modified APKs from unofficial sources
3. Google Play: Smart home camera apps containing Keenadu loaders were downloaded over 300,000 times before removal

These apps initiated invisible browser sessions in the background, resembling malicious activity patterns recently documented by Dr.Web researchers.

Practical Protection Measures

Given the firmware-level persistence, standard antivirus solutions are ineffective against the most advanced Keenadu variants. Kaspersky recommends:

1. Firmware verification: Check device firmware integrity and install clean versions from manufacturer portals like Alldocube's support page. Note that Alldocube tablets were specifically compromised via OTA attacks in 2023
2. Avoid unofficial firmware: Third-party ROMs risk bricking devices due to compatibility issues
3. Device replacement consideration: For confirmed infections, replacing devices through authorized distributors may be safest
4. App source verification: Only install apps from trusted developers on Google Play and avoid sideloaded APKs
5. Monitor permissions: Regularly review app permissions in Settings > Apps

Kaspersky's full technical analysis details how Keenadu's modular design enables various malicious activities beyond current ad fraud operations, including monitoring Chrome incognito searches. Users of affected devices like the Alldocube iPlay 50 mini Pro should prioritize firmware checks, as OTA compromises remain an ongoing threat vector in the Android ecosystem.