LONDON — A sophisticated new strain of Android malware, dubbed Keenadu, has been discovered lurking deep within the firmware of thousands of devices, marking a significant escalation in mobile supply chain attacks. According to a new deep-dive analysis by Kaspersky, the backdoor has already compromised over 13,000 devices worldwide, with the highest concentration of infections found in Russia, Japan, Germany, Brazil, and the Netherlands.
What makes Keenadu particularly dangerous is its delivery method: it is often pre-installed at the factory level or delivered via signed, “legitimate” Over-the-Air (OTA) firmware updates.
A Root-Level Threat
Unlike traditional malware that requires a user to download a suspicious file, Keenadu is integrated into libandroid_runtime.so, a critical system library. By attaching itself to the “Zygote” process—the parent process from which every Android application is forked—the malware is effectively loaded into every app a user launches.
“Keenadu is a full-fledged backdoor,” Kaspersky researchers noted. “It grants attackers virtually unrestricted control, bypassing standard Android sandboxing and permission protocols.”
Distribution: Beyond the Factory Floor
While the primary threat stems from compromised manufacturing pipelines—specifically affecting low-cost Android tablets like the Alldocube iPlay 50 mini Pro—the operators have diversified their attack vectors:
- Official App Stores: Trojanized “Smart Camera” apps containing the Keenadu loader were discovered on Google Play and Xiaomi GetApps. Before being purged, the Google Play versions alone amassed more than 300,000 downloads.
- System Integration: In some variants, the malware was found embedded in essential system utilities, including facial recognition services and the device’s home screen launcher.
- Targeted Dormancy: Intriguingly, the malware is programmed to self-destruct or remain dormant if it detects a Chinese language setting or time zone, suggesting a deliberate attempt to avoid infecting users within China.
The Rationale: Ad Fraud and Beyond
Currently, the Keenadu operators appear focused on financial gain through high-volume ad fraud. Payloads identified by researchers show the malware:
- Hijacking Search Engines: Redirecting Chrome queries to monetize traffic.
- Ghost Installs: Stealthily installing new apps to collect “pay-per-install” bounties.
- Cart Manipulation: Adding items to shopping carts on platforms like Amazon, Shein, and Temu without user consent.
However, the technical depth of the backdoor suggests a more ominous potential. Because the malware operates with system-level privileges, it could easily be pivoted to steal banking credentials, intercept private messages, or harvest biometric data.
The Botnet Connection
The discovery has also unmasked a sprawling web of collaboration among cybercriminals. Kaspersky confirmed infrastructure links between Keenadu and other notorious Android botnets, including Triada, Vo1d, and BadBox. This “interconnected ecosystem” suggests that the largest mobile botnets in the world are sharing resources and compromised supply chains to maintain their global footprint.
How to Protect Yourself
Because Keenadu often resides in the read-only system partition, which a standard “Factory Reset” leaves untouched, a reset is frequently ineffective at removing it. Experts recommend:
- Firmware Verification: Ensure your device is running the latest official security patch. For Alldocube users, specific clean firmware versions have been released following the breach.
- App Scrutiny: Avoid utility or camera apps from unknown developers, even on official stores.
- Professional Scanning: Use a robust mobile security suite capable of detecting library-level injections.