Keenadu Backdoor: A Deep Dive into the Android Firmware Threat
A newly identified Android backdoor, named Keenadu, has been discovered embedded within device firmware, enabling covert data collection and remote manipulation of affected devices. This revelation comes from cybersecurity firm Kaspersky, which found the backdoor in firmware associated with various brands, notably Alldocube. The compromise occurs during the firmware build phase, with instances dating back to August 18, 2023. Alarmingly, these firmware files carry valid digital signatures, indicating a sophisticated infiltration.
In several cases, the compromised firmware was distributed via over-the-air (OTA) updates. Upon device startup, the backdoor integrates itself into the memory space of every application, functioning as a multi-stage loader that grants attackers unrestricted remote control over the device.
Functionality and Payloads
Keenadu’s capabilities are extensive. It can hijack browser search engines, monetize new app installations, and interact stealthily with advertising elements. Some payloads have been identified within standalone apps available on third-party platforms, as well as official marketplaces like Google Play and Xiaomi GetApps.
Telemetry data indicates that 13,715 users worldwide have encountered Keenadu or its modules, with the highest concentrations in Russia, Japan, Germany, Brazil, and the Netherlands.
Technical Analysis
First disclosed by Kaspersky in December 2025, Keenadu resides in ‘libandroid_runtime.so,’ a critical shared library in the Android operating system loaded during boot. Once active, it injects itself into the Zygote process, a behavior reminiscent of the Triada malware.
The malware initiates through a function call added to ‘libandroid_runtime.so.’ It checks if it’s operating within system apps associated with Google services or cellular carriers like Sprint or T-Mobile; if so, it aborts execution. Additionally, it possesses a kill switch that terminates itself upon detecting specific files in system directories.
If running within the ‘system_server’ process—a process that controls the entire system with maximum privileges—the malware creates an instance of the ‘AKServer’ class. Otherwise, it creates an ‘AKClient’ instance. ‘AKServer’ contains the core logic and command-and-control (C2) mechanism, while ‘AKClient’ is injected into every app launched on the device, serving as a bridge for interacting with ‘AKServer.’
This client-server architecture allows ‘AKServer’ to execute custom malicious payloads tailored to specific targeted apps. It also exposes an interface that malicious modules can use to grant or revoke permissions for any app on the device, retrieve the current location, and exfiltrate device information.
‘AKServer’ performs checks to terminate the malware if the device’s interface language is Chinese and it’s located within a Chinese time zone, or if Google Play Store or Google Play Services are absent. If none of these termination conditions is met, the Trojan decrypts the C2 address and sends encrypted device metadata to the server.
In response, the server returns an encrypted JSON object detailing the payloads. To complicate analysis and evade detection, the backdoor includes a delay mechanism that prevents the C2 server from serving any payloads until 2.5 months have passed since the initial check-in.
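Because the compromised firmware carries valid vendor signatures and the implant lives inside ‘libandroid_runtime.so,’ signature verification on the device proves nothing; a defender needs an independent reference. The following added example (not code from Kaspersky or from the article) shows the kind of integrity triage a practitioner would run: hash a file tree pulled from the device, compare it against a tree taken from a factory image obtained out of band, and rank mismatches in components the article names as Keenadu hosts above other differences. The file trees, their byte contents, and the `/system/lib64/...` paths are constructed assumptions; the package names come from the article.

```python
"""Firmware integrity triage (added example; reference and device trees are constructed)."""
import hashlib
from dataclasses import dataclass

# System components the article names as hosting the implant (paths assumed).
HIGH_VALUE_PATHS = {
    "/system/lib64/libandroid_runtime.so",
    "/system/lib/libandroid_runtime.so",
}

# Trojanized smart-camera apps named in the article (Google Play listings).
KNOWN_TROJANIZED_PACKAGES = {
    "com.taismart.global",  # Eoolii
    "com.ziicam.aws",       # Ziicam
    "com.closeli.eyeplus",  # Eyeplus
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" for article-named hosts, "medium" otherwise
    path: str
    detail: str


def sha256_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Build a path -> SHA-256 manifest from in-memory file contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_manifests(reference: dict[str, str], device: dict[str, str]) -> list[Finding]:
    """Report every path whose hash differs between the trusted image and the device."""
    findings = []
    for path in sorted(set(reference) | set(device)):
        ref_hash, dev_hash = reference.get(path), device.get(path)
        if ref_hash == dev_hash:
            continue
        if ref_hash is None:
            detail = "file absent from reference image"
        elif dev_hash is None:
            detail = "file missing on device"
        else:
            detail = f"hash mismatch: expected {ref_hash[:12]}..., got {dev_hash[:12]}..."
        severity = "high" if path in HIGH_VALUE_PATHS else "medium"
        findings.append(Finding(severity, path, detail))
    return findings


def flag_packages(installed: list[str]) -> list[str]:
    """Return installed package names that match the article's trojanized apps."""
    return sorted(pkg for pkg in installed if pkg in KNOWN_TROJANIZED_PACKAGES)


# Constructed sample trees: short byte strings stand in for real binaries.
REFERENCE_FILES = {
    "/system/lib64/libandroid_runtime.so": b"\x7fELF clean runtime",
    "/system/lib64/libc.so": b"\x7fELF libc",
    "/system/priv-app/Launcher3/Launcher3.apk": b"PK launcher",
}
DEVICE_FILES = {
    "/system/lib64/libandroid_runtime.so": b"\x7fELF clean runtime + injected loader stub",
    "/system/lib64/libc.so": b"\x7fELF libc",
    "/system/priv-app/Launcher3/Launcher3.apk": b"PK launcher",
    "/system/lib64/libunknownhelper.so": b"\x7fELF extra library not in factory image",
}
INSTALLED_PACKAGES = ["com.android.chrome", "com.ziicam.aws", "com.example.weather"]


def triage() -> tuple[list[Finding], list[str]]:
    """Run the comparison on the constructed data; returns (file findings, flagged packages)."""
    findings = compare_manifests(sha256_manifest(REFERENCE_FILES), sha256_manifest(DEVICE_FILES))
    return findings, flag_packages(INSTALLED_PACKAGES)


if __name__ == "__main__":
    file_findings, flagged = triage()
    for finding in file_findings:
        print(f"[{finding.severity.upper()}] {finding.path}: {finding.detail}")
    for pkg in flagged:
        print(f"[HIGH] installed package matches known trojanized app: {pkg}")
```

On a real device the manifests would be produced with a tool such as `sha256sum` over `/system` on both the factory image and the device, and the reference image must come from a channel the attacker could not have touched; a reference built from the same OTA that delivered the implant would simply match it.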
Identified Malicious Modules
Several malicious modules associated with Keenadu have been identified:
– Keenadu Loader: Targets popular online storefronts like Amazon, Shein, and Temu to deliver unspecified payloads, potentially adding items to shopping carts without the user’s knowledge.
– Clicker Loader: Injected into apps like YouTube, Facebook, Google Digital Wellbeing, and the Android System launcher to deliver payloads that interact with advertising elements on various websites.
– Google Chrome Module: Targets the Chrome browser to hijack search requests and redirect them to different search engines.
– Nova Clicker: Embedded within the system wallpaper picker, using machine learning and WebRTC to interact with advertising elements.
– Install Monetization: Embedded into the system launcher to monetize app installations by deceiving advertising platforms into believing that an app was installed from a legitimate ad tap.
– Google Play Module: Retrieves the Google Ads advertising ID and stores it under the key S_GA_ID3 for likely use by other modules to uniquely identify a victim.
Distribution Vectors
Kaspersky identified multiple distribution vectors for Keenadu:
1. Firmware Integration: Embedding the Keenadu loader within various system apps, such as the facial recognition service and system launcher, in the firmware of several devices.
2. Pre-Installed Backdoors: A Keenadu loader designed to operate within a system where the ‘system_server’ process had already been compromised by a different pre-installed backdoor sharing similarities with BADBOX.
3. Trojanized Apps: Propagation via trojanized apps for smart cameras on Google Play, including:
– Eoolii (com.taismart.global): Over 100,000 downloads.
– Ziicam (com.ziicam.aws): Over 100,000 downloads.
– Eyeplus-Your home in your eyes (com.closeli.eyeplus): Over 100,000 downloads.
While these apps are no longer available on Google Play, their counterparts remain on the Apple App Store. It’s unclear if the iOS versions include Keenadu functionality.
Connections to Other Malware
Keenadu’s distribution is sometimes facilitated by BADBOX, another Android malware. Further analysis has uncovered infrastructure connections between Triada and BADBOX, indicating interactions between these botnets. In March 2025, overlaps between BADBOX and Vo1d, an Android malware targeting off-brand Android-based TV boxes, were identified.
Implications and Concerns
The discovery of Keenadu is alarming for several reasons:
1. Deep Integration: Embedded in ‘libandroid_runtime.so,’ Keenadu operates within the context of every app on the device, rendering Android’s app sandboxing ineffective.
2. Unrestricted Access: Its ability to bypass permissions controlling app privileges turns it into a backdoor that grants attackers unfettered access and control over the compromised device.
Kaspersky concludes that developers of pre-installed backdoors in Android device firmware exhibit a high level of expertise. The creators of Keenadu have a deep understanding of Android architecture, the app startup process, and core security principles. Although currently used primarily for various types of ad fraud, there’s concern that Keenadu may evolve to steal credentials, following in the footsteps of Triada.