Cyber Web Spider Blog – News
Keenadu Malware Exploits Android Firmware for Data Theft

Posted on February 17, 2026 By CWS

A newly identified backdoor known as Keenadu has been found embedded in the firmware of Android devices, enabling it to discreetly harvest data and remotely control affected devices. The discovery was made by Kaspersky, a prominent cybersecurity firm. The malware was detected in devices from brands such as Alldocube, with the implant introduced during the firmware's development phase. Notably, the backdoor has been present in Alldocube iPlay 50 mini Pro firmware since August 18, 2023, and it has been distributed through over-the-air (OTA) updates carrying legitimate digital signatures.

Malware Deployment and Capabilities

Security researcher Dmitry Kalinin detailed that the Keenadu backdoor is integrated into the address space of every application upon launch, functioning as a multi-stage loader. This setup gives the malware operators full control over the compromised device. Some of its capabilities include hijacking search engines in browsers, monetizing app installations, and interacting with ad elements without user consent. The malware has also been found in standalone apps available on both third-party platforms and official marketplaces like Google Play and Xiaomi GetApps.

Telemetry data reveals that approximately 13,715 users across the globe have encountered Keenadu or its components, with the highest concentration of affected users residing in Russia, Japan, Germany, Brazil, and the Netherlands. Initial disclosure of this malware by Kaspersky occurred in late December 2025, identifying it as a backdoor situated in libandroid_runtime.so, a crucial shared library within the Android operating system.

Technical Analysis and Functionality

Once active, Keenadu injects itself into the Zygote process, a technique previously observed in the Triada malware. The malware avoids execution in system apps related to Google services or certain cellular carriers by terminating its process if such conditions are detected. It also has a self-termination mechanism triggered by specific file names in system directories, execution within the system_server process, or the absence of Google Play services.

If the backdoor confirms it is running in the appropriate environment, it initializes the AKServer class to manage command-and-control (C2) operations, while the AKClient class is embedded in every app on the device to facilitate interaction with AKServer. This architecture allows for the execution of custom malicious payloads tailored to specific applications, as well as unauthorized access to device information and control over app permissions.

Global Impact and Security Implications

Keenadu's design includes checks that terminate its operation if the device's language is set to Chinese and it is within a Chinese time zone, or if Google Play services are missing. Once these checks pass, it sends encrypted device metadata to a remote server, which responds with payload details. Payload delivery is delayed by 2.5 months to hinder analysis and detection.

The malware has targeted popular applications and platforms, including online storefronts and social media apps, using modules like the Keenadu loader and clicker loaders. These modules enable unauthorized app interactions and ad fraud activities. Additionally, the malware’s distribution has been linked to trojanized apps on Google Play, and its infrastructure shows connections to other malware families such as Triada and BADBOX.

The discovery of Keenadu underscores significant security concerns. Its integration within the Android operating system allows it to bypass app sandboxing and gain extensive access to user data. This capability poses a threat not only for ad fraud but potentially for credential theft, echoing patterns seen in other malware like Triada.
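The practical lesson for anyone validating firmware is that a valid vendor signature on an OTA package proves only that the vendor's build pipeline produced it, not that its contents are clean: when the implant is introduced during development, the signature is genuine and the implant ships with it. The following is an added illustration (not code from Kaspersky or from the article) of why integrity auditing must compare system libraries against an independently trusted build manifest rather than stop at signature verification. The manifest, the library contents, the file paths and the HMAC-based signing key are all constructed stand-ins; a real vendor signs with an asymmetric key pair.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor's OTA signing key (hypothetical; a real
# vendor uses an asymmetric key pair, HMAC is used here only to keep the
# example self-contained and offline).
VENDOR_SIGNING_KEY = b"constructed-vendor-key-for-demo-only"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known-good" library contents. In practice these hashes come
# from a trusted build record, never from the device or the package under test.
KNOWN_GOOD_LIBC = b"libc.so contents (constructed)"
KNOWN_GOOD_RUNTIME = b"libandroid_runtime.so contents (constructed)"

# Reference manifest: path -> SHA-256 of the library as shipped in a known-good build.
REFERENCE_MANIFEST = {
    "/system/lib64/libc.so": sha256_hex(KNOWN_GOOD_LIBC),
    "/system/lib64/libandroid_runtime.so": sha256_hex(KNOWN_GOOD_RUNTIME),
}


def sign_package(files: dict[str, bytes]) -> bytes:
    """Vendor side: sign the whole OTA payload (deterministic path ordering)."""
    mac = hmac.new(VENDOR_SIGNING_KEY, digestmod=hashlib.sha256)
    for path in sorted(files):
        mac.update(path.encode())
        mac.update(files[path])
    return mac.digest()


def signature_is_valid(files: dict[str, bytes], signature: bytes) -> bool:
    """Verifier side: constant-time comparison of the expected and presented tag."""
    return hmac.compare_digest(sign_package(files), signature)


def audit_against_manifest(files: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """Return findings for libraries that are modified, missing, or not in the manifest."""
    findings = []
    for path, expected in manifest.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif sha256_hex(files[path]) != expected:
            findings.append(f"modified: {path}")
    for path in files:
        if path not in manifest:
            findings.append(f"unexpected: {path}")
    return findings


def assess_ota(files: dict[str, bytes], signature: bytes, manifest: dict[str, str]) -> dict:
    """Combine both checks so a reviewer sees that they answer different questions."""
    return {
        "signature_valid": signature_is_valid(files, signature),
        "findings": audit_against_manifest(files, manifest),
    }


# Constructed scenario: the build pipeline itself emitted a tampered runtime
# library, so the vendor signature is genuine while the content is not.
TAMPERED_BUILD = {
    "/system/lib64/libc.so": KNOWN_GOOD_LIBC,
    "/system/lib64/libandroid_runtime.so": KNOWN_GOOD_RUNTIME + b"\x00<implant stand-in>",
}
TAMPERED_SIGNATURE = sign_package(TAMPERED_BUILD)

if __name__ == "__main__":
    # Signature passes; the manifest audit is what surfaces the modified library.
    print(assess_ota(TAMPERED_BUILD, TAMPERED_SIGNATURE, REFERENCE_MANIFEST))
```

The reference manifest has to be sourced independently of the OTA channel (for example, a reproducible-build record or a hash list published through a separate trust path); if the manifest is generated by the same compromised pipeline that produced the package, both checks pass and the audit proves nothing.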

Kaspersky warns that the expertise of those developing pre-installed backdoors in Android firmware remains high, with Keenadu developers demonstrating a deep understanding of Android’s architecture and security mechanisms. The complexity and potential reach of Keenadu make it a formidable threat to Android users worldwide.

Source: The Hacker News. Tags: Android devices, Android malware, Backdoor, Cybersecurity, data theft, digital signatures, firmware backdoor, global impact, Kaspersky, Keenadu, malware analysis, malware threat, mobile security, OTA updates, Security
