Kaspersky researchers have uncovered a sophisticated Android firmware backdoor, dubbed Keenadu, which silently harvests data and enables remote control of infected devices. The malware is embedded in device firmware, affecting brands including Alldocube, and is delivered through signed OTA updates dating back to August 2023.
Unlike conventional malware, Keenadu operates at the firmware level, loading into the address space of every app at launch. Its multi-stage loader structure allows operators unrestricted access, giving them full control over system behavior.
Infection and Architecture
Keenadu resides in libandroid_runtime.so, a critical shared library loaded at boot. The malware is injected into the Zygote process, and from there, it evaluates whether it is running within system apps belonging to Google or specific carriers. If conditions are not met, it self-terminates.
Keenadu uses a client-server design:
- AKServer: Handles command-and-control (C2), executes malicious payloads, and manages device-wide operations.
- AKClient: Injected into every launched app, bridging communication with AKServer and enabling payload execution in targeted apps.
This architecture allows granular control over app-specific operations, including permission manipulation, location access, and data exfiltration.
Payloads and Malicious Modules
Several Keenadu modules have been identified:
- Keenadu loader: Targets online stores like Amazon, Shein, and Temu to deliver hidden payloads.
- Clicker loader: Injected into YouTube, Facebook, and system launchers, interacting with advertising elements.
- Chrome module: Hijacks search engine requests and redirects them, with partial bypasses possible via autocomplete.
- Nova clicker / Phantom: Embedded in wallpaper picker apps, using ML and WebRTC for ad interactions.
- Install monetization: Stealthily monetizes new app installations.
- Google Play module: Collects advertising IDs for other modules to uniquely track victims.
Distribution vectors include pre-installed system apps, OTA updates, and trojanized apps in third-party and official marketplaces. Notable apps carrying Keenadu modules include Eoolii, Ziicam, and Eyeplus, each exceeding 100,000 downloads. Some apps were also published on Apple’s App Store, though iOS infection remains unverified.
Global Impact
Telemetry indicates approximately 13,715 users worldwide have encountered Keenadu, with major targets in Russia, Japan, Germany, Brazil, and the Netherlands. In some cases, Keenadu leverages pre-installed backdoors such as BADBOX, and shares infrastructure connections with Triada, highlighting sophisticated botnet collaboration.
Security Implications
The backdoor’s placement in libandroid_runtime.so allows it to bypass Android’s app sandboxing, granting attackers full control over device operations and data. Its ability to override app permission enforcement creates a persistent, high-risk threat vector.
Kaspersky concluded that Keenadu demonstrates expert-level understanding of Android firmware, app startup processes, and core OS security principles. While current payloads focus on ad fraud, the malware could evolve to target credentials and other sensitive information, mirroring the behavior of Triada.