A newly identified Android malware, dubbed Keenadu, has emerged as a significant threat by embedding itself into device firmware and propagating through Google Play applications. This malware, reminiscent of the Triada Trojan, allows attackers to gain remote control over affected devices.
Malware Analysis and Comparison with Triada
Keenadu was first highlighted on February 16, 2026, when experts drew parallels to the Triada Trojan due to its method of integrating with the Zygote process. This integration compromises every application launched on the infected device. Kaspersky’s earlier report in April 2025 had detailed how Triada infiltrated counterfeit Android devices, leading to the discovery of Keenadu in devices from brands such as Alldocube.
The malware links a malicious static library, libVndxUtils.a, into libandroid_runtime.so during the firmware’s build process. The backdoor is often delivered through over-the-air (OTA) updates; it decrypts RC4-encrypted payloads, loads them into the device’s system, and establishes a client-server mechanism between its components.
Infection Mechanics and Implications
The infection process begins with Keenadu’s dropper in libandroid_runtime.so, which modifies the println_native method to execute malicious code. It avoids detection by popular applications and uses inter-process communication for control. The AKServer component exposes interfaces to manage permissions, track location, and exfiltrate data, while the MainWorker component communicates with the command-and-control (C2) servers.
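A defender-side triage check for the mechanism described in this and the previous section, as an added example that is not from the article or from Kaspersky: it parses the ELF64 section headers of a libandroid_runtime.so pulled from a firmware image and reports strings in the string-bearing sections that match an indicator list. The indicator "VndxUtils" is an assumption derived only from the library name quoted above, not a published IoC; the println_native name is expected in a clean library and is therefore not used as an indicator.

```python
"""Heuristic triage of libandroid_runtime.so from a firmware image (added example, not the
article's code). Indicators are an assumption taken from the library name libVndxUtils.a."""
import re
import struct

ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr
SEC_HDR = struct.Struct("<IIQQQQIIQQ")  # Elf64_Shdr
STRING_SECTIONS = {".rodata", ".dynstr", ".strtab", ".comment"}
INDICATORS = ("VndxUtils",)  # assumed remnant of the linked libVndxUtils.a

def parse_sections(data):
    """Return {section_name: bytes} for every section of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = ELF_HDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [SEC_HDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    names = raw[shstrndx]
    shstrtab = data[names[4]:names[4] + names[5]]
    out = {}
    for sh in raw:
        if sh[1] == 8:  # SHT_NOBITS (.bss) has no bytes in the file
            continue
        name = shstrtab[sh[0]:].split(b"\0", 1)[0].decode("ascii", "replace")
        out[name] = data[sh[4]:sh[4] + sh[5]]
    return out

def printable_strings(blob, min_len=6):
    """Equivalent of strings(1): runs of printable ASCII at least min_len long."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def scan(data, indicators=INDICATORS):
    """Return sorted (section, string) pairs that contain any indicator substring."""
    hits = []
    for name, body in parse_sections(data).items():
        if name in STRING_SECTIONS:
            hits += [(name, s) for s in printable_strings(body)
                     if any(ind in s for ind in indicators)]
    return sorted(hits)

def build_sample_elf(rodata):
    """Constructed fixture: minimal ELF64 holding only .rodata and .shstrtab."""
    shstrtab = b"\0.rodata\0.shstrtab\0"
    rodata_off, shstr_off = ELF_HDR.size, ELF_HDR.size + len(rodata)
    shoff = (shstr_off + len(shstrtab) + 7) & ~7  # section table, 8-byte aligned
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ELF_HDR.pack(ident, 3, 183, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    shdrs = SEC_HDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += SEC_HDR.pack(1, 1, 2, 0, rodata_off, len(rodata), 0, 0, 1, 0)
    shdrs += SEC_HDR.pack(9, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    body = ehdr + rodata + shstrtab
    return body + bytes(shoff - len(body)) + shdrs
```

On a real device image, pass the raw bytes of /system/lib64/libandroid_runtime.so to scan(); a hit is only a lead for deeper analysis, and an empty result does not prove the build is clean.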
Payloads intercepted by Kaspersky target various applications, including web browsers, launchers, and shopping apps. These payloads are designed to hijack searches, track sessions, and load malicious APKs, posing a severe risk to user privacy and security.
Supply Chain Compromise and Global Impact
The threat is further compounded by the Keenadu backdoor being embedded in signed firmware images from brands such as Alldocube. Developer artifacts reveal its presence in the supply chain, affecting devices globally, with significant infection rates in countries such as Russia, Japan, and Germany.
Standalone apps on platforms such as Google Play and Xiaomi GetApps have also been found to contain modules related to Keenadu. Google has since removed these apps following notifications of their malicious content.
Mitigation and Future Outlook
Indicators link Keenadu to other malware such as Triada and BADBOX, with overlapping code and commands. To protect against this threat, users are advised to update to clean firmware versions, disable infected system applications, and avoid using compromised devices until patches are deployed.
This situation highlights the critical need for stringent supply chain audits and enhanced security measures to safeguard against firmware-level compromises. Continuous vigilance and timely updates remain essential in mitigating such cybersecurity threats.
