Keenadu backdoor execution flow | Image: Kaspersky Labs
Researchers at Kaspersky Labs have uncovered a massive, firmware-level compromise affecting Android devices globally. Dubbed Keenadu, this sophisticated backdoor isn’t just an app you accidentally download; in many cases, it arrives pre-installed on the device or is delivered via legitimate-looking Over-The-Air (OTA) system updates.
Keenadu operates by hooking into the very heart of the Android OS: the Zygote process. Zygote is the parent process for all Android applications, meaning that once it is compromised, every single app launched on the device is effectively tainted.
“Our investigation uncovered a new backdoor, dubbed Keenadu, which mirrored Triada’s behavior by embedding itself into the firmware to compromise every app launched on the device,” the report states.
This technique mirrors the infamous Triada malware but executes it with renewed precision. The infection occurs during the firmware build phase, where a malicious static library is linked with a core system library (libandroid_runtime.so). This grants the attackers deep, persistent access that survives factory resets.
While currently used primarily for ad fraud, the capabilities of Keenadu are vast. By controlling the system at such a low level, the attackers have “unrestricted control” over the victim’s device. They can inject modules into system apps and even applications downloaded from the Google Play Store.
“Keenadu is a large-scale, complex malware platform that provides attackers with unrestricted control over the victim’s device,” the report warns.
The scale of the campaign is significant, with modules found across various brands and device models. The researchers note that this level of sophistication suggests a maturing underground economy for firmware-level exploits.
“The emergence of a new pre-installed backdoor of this magnitude indicates that this category of malware is a distinct market with significant competition,” the report writes.
Currently, Keenadu seems focused on monetization through fraudulent advertising. However, the architecture allows for much more malicious activity. The report warns that the operators could easily pivot to data theft, similar to how the Triada gang evolved.
“Although we have currently shown that the backdoor is used primarily for various types of ad fraud, we do not rule out that in the future, the malware may follow in Triada’s footsteps and begin stealing credentials,” the report concludes.
Because the malware resides in the system partition, standard uninstallation methods often fail. For infected apps found on the user partition, standard removal works. However, for the core firmware backdoor, the only true remediation may be flashing a clean, stock firmware image—a technical hurdle too high for most consumers—or replacing the device entirely.
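Because the compromise described above lives in a core system library (libandroid_runtime.so) rather than in an app, the only reliable way to tell a clean build from a tampered one is to compare the device's system libraries against the vendor's clean stock image. The script below is an added example and is not code from Kaspersky's report or from any vendor tool: it verifies files pulled from a device's /system partition against a SHA-256 manifest generated from a clean stock image. The manifest layout ("<sha256>  <relative path>", the same as sha256sum emits), the directory names and the file contents are all constructed for the demo; on a real device the libraries would be fetched with adb pull and the manifest taken from a firmware image the vendor published.

```shell
#!/bin/sh
# Added example, not from Kaspersky's report: compare libraries pulled from a
# device against a known-good SHA-256 manifest from the clean stock firmware.
# Manifest format: "<sha256>  <relative path>", one entry per line.
# All paths, names and file contents below are constructed for the demo.

# verify_manifest MANIFEST DIR
# Prints one line per manifest entry (OK / MISMATCH / MISSING) and returns 0
# only when every listed file exists under DIR and hashes as expected.
verify_manifest() {
  manifest="$1"
  dir="$2"
  status=0
  while read -r expected path; do
    [ -n "$path" ] || continue            # skip blank lines
    f="$dir/$path"
    if [ ! -f "$f" ]; then
      echo "MISSING  $path"
      status=1
      continue
    fi
    actual=$(sha256sum "$f" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
      echo "OK       $path"
    else
      echo "MISMATCH $path"
      status=1
    fi
  done < "$manifest"
  return "$status"
}

# build_sample MODE
# Creates a constructed sample tree in a temp directory and prints its path.
#   clean:    the pulled libraries match the stock image
#   tampered: the pulled libandroid_runtime.so has extra content appended,
#             standing in for a build with an additional static library linked in
build_sample() {
  mode="$1"
  root=$(mktemp -d)
  mkdir -p "$root/pulled/lib64" "$root/stock/lib64"
  # Stand-ins for real binaries (constructed content, not real libraries).
  printf 'stock libandroid_runtime\n' > "$root/stock/lib64/libandroid_runtime.so"
  printf 'stock libc\n' > "$root/stock/lib64/libc.so"
  cp "$root/stock/lib64/"* "$root/pulled/lib64/"
  if [ "$mode" = "tampered" ]; then
    printf 'extra code linked in\n' >> "$root/pulled/lib64/libandroid_runtime.so"
  fi
  # Manifest generated from the clean stock image.
  ( cd "$root/stock" && sha256sum lib64/libandroid_runtime.so lib64/libc.so ) \
    > "$root/manifest.sha256"
  echo "$root"
}

# Against a real device the workflow would be (hypothetical paths):
#   adb pull /system/lib64/libandroid_runtime.so pulled/lib64/
#   verify_manifest stock-manifest.sha256 pulled
```

A MISMATCH on a core library such as libandroid_runtime.so is not proof of compromise on its own (a vendor hotfix changes the hash too), but it is the signal that the file differs from the stock build and that the reference image, not the running device, should be trusted. A device that reports OK for every library in the manifest is the outcome a clean reflash should produce.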