
Keenadu Android Malware Found in Device Firmware, Grants Hackers Full Control Over Infected Phones
A newly identified and highly advanced Android malware strain named Keenadu has been discovered embedded within firmware across multiple device brands, allowing attackers to infiltrate all installed applications and gain unrestricted access to compromised devices.

In a detailed report by Kaspersky, researchers revealed that Keenadu spreads through several channels. These include tampered over-the-air (OTA) firmware updates, existing backdoors, pre-installed system applications, altered apps from unofficial marketplaces, and even applications distributed via Google Play.

The malware exists in multiple versions, with the firmware-level variant being the most powerful. As of February 2026, Kaspersky confirmed at least 13,000 infected devices worldwide, primarily in Russia, Japan, Germany, Brazil, and the Netherlands.

Security experts likened Keenadu to Triada, a previously uncovered Android malware family identified in counterfeit, low-cost smartphones distributed through questionable supply chains.

Interestingly, the firmware-based version of Keenadu avoids activation if the device language or timezone corresponds to China, a detail that may hint at its origins. It also disables itself on devices lacking Google Play Store and Play Services.

While the operators are currently leveraging the malware for advertising fraud, researchers warn that its capabilities extend far beyond that. Keenadu can conduct extensive data theft and execute high-risk commands on infected devices.

“Keenadu is a fully functional backdoor that provides the attackers with unlimited control over the victim’s device,” Kaspersky told BleepingComputer.

“It can infect every app installed on the device, install any apps from APK files, and give them any available permissions.”

“As a result, all information on the device, including media, messages, banking credentials, location, etc. can be compromised. The malware even monitors search queries that the user inputs into the Chrome browser in incognito mode,” the researchers said.

A separate variant embedded in system applications offers fewer capabilities but still maintains elevated privileges, enabling it to silently install apps without notifying users. Investigators found one instance hidden within a facial recognition system app used for device unlocking and authentication.

Researchers also detected malicious apps hosted on Google Play, including smart home camera applications that accumulated approximately 300,000 downloads before being removed. When launched, these apps secretly opened hidden browser tabs that navigated to background websites — behavior similar to suspicious APK files previously identified by Dr.Web.

Keenadu has also been traced to firmware in Android tablets from various manufacturers. One affected device, the Alldocube iPlay 50 mini Pro (T811M), contained firmware dated August 18, 2023.

Following customer concerns in March 2024 that Alldocube’s OTA infrastructure had been compromised, the company acknowledged “a virus attack through OTA software” but did not disclose further technical specifics.

Kaspersky’s technical analysis explains that Keenadu manipulates the critical Android library libandroid_runtime.so, allowing it to function “within the context of every app on the device.” Because of this deep-level integration, the malware cannot be removed using conventional Android security tools.

Experts advise users to reinstall a verified clean firmware version specific to their device. Alternatively, installing firmware from reputable third-party sources may help, though it carries the risk of rendering the device unusable if compatibility issues arise. In high-risk cases, replacing the affected device with hardware purchased from trusted vendors and authorized distributors is considered the safest approach.

In an update dated February 18, Google confirmed to BleepingComputer that the malicious apps had been taken down from Google Play.

"Android users are automatically protected from known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users and disable apps known to exhibit Keenadu-associated behavior, even when those apps come from sources outside of Play. As a best security practice, we recommend users ensure their device is Play Protect certified." - A Google spokesperson