Keenadu backdoor execution flow | Image: Kaspersky
Security analysts have uncovered a sophisticated firmware-level infection targeting the heart of the Android operating system. A recent report from the Sophos Counter Threat Unit Research Team details the inner workings of Keenadu, a persistent backdoor that effectively turns an infected device into a puppet for remote attackers.
Unlike traditional malicious apps that users might accidentally install, Keenadu operates from within the system’s core libraries, making it nearly impossible to detect or remove through conventional means.
The true power of Keenadu lies in its placement. It is embedded within libandroid_runtime.so, a core shared library that is loaded into every application on the device. Because that library is loaded by the Zygote process, the parent from which every Android app process is forked, the malware's code is present in the address space of every single application.
“As Zygote is the parent process for all Android apps, an attacker effectively gains total control over an infected device,” researchers warned. This level of access allows the malware to act as a silent gateway, downloading additional modules to target specific data within popular apps.
Perhaps most alarming is how the malware reaches the device. SophosLabs analysts, echoing findings from Kaspersky, concluded that Keenadu was likely “integrated into the firmware during the build phase” rather than being delivered via a compromised over-the-air (OTA) update.
This indicates a deep compromise of the manufacturing or software assembly line. The malware even attempts to hide its tracks by relying on a dependency that “masquerades as legitimate MediaTek code,” further complicating forensic efforts.
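The two facts above, that the implant lives inside libandroid_runtime.so and that it pulls in an extra dependency dressed up as vendor code, suggest a first triage step: diff the library's DT_NEEDED list against the same library from a known-good firmware image of the same build. The script below is an added example, not code from the Sophos or Kaspersky reports. It parses the ELF64 dynamic section directly (no readelf needed), and the baseline names, the fixture builder and the library name libmtk_helper.so are all constructed for illustration, not real AOSP or MediaTek artifacts.

```python
"""Triage check: list the DT_NEEDED dependencies of an ELF64 shared object
and diff them against a baseline taken from a known-good build.

Added example, not code from the Sophos or Kaspersky reports. The baseline
list and the fixture-building helper are constructed for illustration.
"""
import struct

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes (signed tag)


def dt_needed(data: bytes) -> list[str]:
    """Return the DT_NEEDED entries of a little-endian ELF64 image, in order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum = fields[6], fields[11], fields[12]
    if shentsize != SHDR.size:
        raise ValueError("unexpected section header size")
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    needed = []
    for sh in shdrs:
        _, sh_type, _, _, sh_off, sh_size, sh_link, _, _, sh_entsize = sh
        if sh_type != SHT_DYNAMIC:
            continue
        strtab = shdrs[sh_link]            # sh_link of .dynamic points at .dynstr
        if strtab[1] != SHT_STRTAB:
            raise ValueError(".dynamic sh_link does not point at a string table")
        str_off, str_size = strtab[4], strtab[5]
        entsize = sh_entsize or DYN.size
        for off in range(sh_off, sh_off + sh_size, entsize):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                if val >= str_size:
                    raise ValueError("DT_NEEDED offset outside .dynstr")
                # Bound the NUL search to .dynstr so a crafted offset cannot read past it.
                end = data.index(b"\x00", str_off + val, str_off + str_size)
                needed.append(data[str_off + val:end].decode("ascii", "replace"))
    return needed


def unexpected_dependencies(needed: list[str], baseline: list[str]) -> list[str]:
    """Dependency names present on the device but absent from the known-good baseline."""
    return sorted(set(needed) - set(baseline))


def build_sample_elf(needed: list[str]) -> bytes:
    """Constructed fixture: a minimal ELF64 with only .dynstr and .dynamic sections.
    Not loadable by any linker; just enough structure for dt_needed() to parse."""
    dynstr, offsets = b"\x00", []
    for name in needed:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\x00"
    dynamic = b"".join(DYN.pack(DT_NEEDED, o) for o in offsets) + DYN.pack(DT_NULL, 0)
    dynstr_off = EHDR.size
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LSB, version 1
    # e_type=ET_DYN(3), e_machine=AArch64(183), 3 section headers, no program headers.
    ehdr = EHDR.pack(ident, 3, 183, 1, 0, 0, shoff, 0, EHDR.size, 0, 0, SHDR.size, 3, 0)
    shdrs = (
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                                       # SHN_UNDEF
        + SHDR.pack(0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)        # .dynstr
        + SHDR.pack(0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, DYN.size)  # .dynamic
    )
    return ehdr + dynstr + dynamic + shdrs


if __name__ == "__main__":
    # Assumed baseline for illustration only; in practice, take it from the vendor's
    # clean image of the same build, e.g. dt_needed(open("clean/libandroid_runtime.so", "rb").read()).
    baseline = ["libc.so", "libm.so", "libdl.so", "liblog.so", "libbinder.so"]
    # Constructed suspect: the baseline plus one hypothetical vendor-looking extra.
    suspect = build_sample_elf(baseline + ["libmtk_helper.so"])
    print(unexpected_dependencies(dt_needed(suspect), baseline))
```

On a real device, pull the library with `adb pull /system/lib64/libandroid_runtime.so` and feed its bytes to dt_needed(). The caveat the report itself raises applies: a dependency that masquerades as MediaTek code may carry a name that looks at home on that handset, so a name diff is only a first pass; compare the library's hash against the vendor's image for that build as well.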
Once active, Keenadu acts as a versatile “downloader” for specialized second-stage modules. The specific damage depends on which modules the attackers choose to deploy:
- Shopping and Social Media: Analysts have observed detections associated with modules targeting storefronts like Shein, Temu, and Amazon.
- Invisible Interaction: “YouTube, Facebook, and the Digital Wellbeing app are all targeted with ‘clicker’ modules,” according to the report. These modules commit ad fraud by silently loading web content in the background, generating impressions and clicks the user never sees.
- Total Data Exposure: Because the malware lives in the shared library used by all apps, any data entered into or stored by an application is potentially at risk of being harvested.
Keenadu maintains a robust connection to a wide array of command-and-control (C2) servers to receive its instructions and upload stolen data. Sophos identified numerous domains used in this campaign, including proczone[.]com, goaimb[.]com, and aifacecloud[.]com.