Kaspersky Uncovers Keenadu Backdoor Pre-Installed in Android Firmware Across Multiple Device Brands

Kaspersky researchers have identified a new Android malware family called Keenadu that is being distributed through compromised device firmware, system apps, and even Google Play — giving attackers complete control over infected devices and the ability to compromise every application installed on them.

As of February 2026, Kaspersky has confirmed 13,000 infected devices concentrated in Russia, Japan, Germany, Brazil, and the Netherlands.

Deep Firmware Integration

Keenadu exists in multiple variants, but the most dangerous is the firmware-embedded version. It compromises libandroid_runtime.so, a core Android system library that is loaded into every app process, so the malware runs within the context of every app on the device. This level of integration means it cannot be removed using standard Android tools.

The firmware variant's capabilities are extensive:

  • Full device control — install any app from APK files and grant arbitrary permissions without user interaction
  • Total data access — media, messages, banking credentials, location data
  • Browser surveillance — monitors Chrome search queries including incognito mode
  • Universal app compromise — infects every installed application on the device

Kaspersky compares Keenadu to Triada, another firmware-level Android malware they discovered in counterfeit devices last year, though Keenadu's distribution is broader and its capabilities more refined.

Multiple Distribution Vectors

Unlike typical Android malware that relies on a single infection path, Keenadu spreads through an unusually wide range of channels:

  • Compromised firmware images delivered via over-the-air (OTA) updates
  • Pre-installed system apps — researchers found it embedded in a facial recognition app used for device unlock and authentication
  • Google Play — discovered in smart home camera apps with 300,000 combined downloads (since removed)
  • Modified apps from unofficial sources
  • Other backdoors already present on compromised devices

The Google Play variants launched invisible browser tabs within the host app to navigate to websites in the background — activity consistent with ad fraud operations, though the malware's full capabilities extend far beyond monetization.

Supply Chain Compromise Confirmed

Kaspersky identified Keenadu in the firmware of Android tablets from multiple manufacturers. On the Alldocube iPlay 50 mini Pro (T811M), the malicious firmware was dated August 2023. After a customer reported in March 2024 that the company's OTA server had been compromised, Alldocube acknowledged "a virus attack through OTA software" but provided no further details on the threat.

This confirms that at least one infection vector involved direct compromise of a manufacturer's update infrastructure — a supply chain attack that delivered the backdoor to devices through legitimate update channels.

Possible Chinese Origin

The firmware variant includes a notable behavioral indicator: it deactivates if the device language or timezone is associated with China. It also requires the Google Play Store and Play Services to be present — services that are not available on devices sold in mainland China. Kaspersky notes this may represent a clue about the malware's origin.

Remediation

Because Keenadu embeds itself at the firmware level, standard malware removal tools are ineffective. Kaspersky recommends:

  • Find and install a clean firmware image for the affected device
  • Install firmware from a reputable third party as an alternative, though this carries a risk of bricking the device
  • Replace the device entirely with a product from trusted vendors and authorized distributors — the safest option
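Before flashing a candidate "clean" image, or to confirm whether a device's current system partition has been altered, a practitioner can compare the extracted partition against a hash manifest taken from a known-good vendor build. The following is an added illustration, not Kaspersky's tooling or any vendor's; the file paths, the manifest format and the sample file contents are constructed assumptions, and the two discrepancies it flags mirror the two firmware-level vectors described above (a modified core library and an added system app).

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for file contents in the vendor's clean system image.
# Assumption: you obtained such a reference image directly from the manufacturer.
CLEAN_RUNTIME = b"clean libandroid_runtime build"
CLEAN_FACE_APP = b"vendor face unlock app"

# Reference manifest: relative path -> sha256 of the file in the clean image.
REFERENCE_MANIFEST: Dict[str, str] = {
    "system/lib64/libandroid_runtime.so": hashlib.sha256(CLEAN_RUNTIME).hexdigest(),
    "system/app/FaceUnlock/FaceUnlock.apk": hashlib.sha256(CLEAN_FACE_APP).hexdigest(),
}

# Constructed "extracted partition" under analysis: path -> file bytes.
# The runtime library has extra bytes appended and an unknown system app exists.
SUSPECT_PARTITION: Dict[str, bytes] = {
    "system/lib64/libandroid_runtime.so": CLEAN_RUNTIME + b"\x00injected loader",
    "system/app/FaceUnlock/FaceUnlock.apk": CLEAN_FACE_APP,
    "system/app/Helper/Helper.apk": b"unknown extra system app",
}


def compare_partition(partition: Dict[str, bytes],
                      manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return sorted (finding, path) pairs; finding is 'modified', 'missing' or 'unexpected'."""
    findings: List[Tuple[str, str]] = []
    for path, expected in manifest.items():
        data = partition.get(path)
        if data is None:
            findings.append(("missing", path))          # file present in clean build but absent here
        elif hashlib.sha256(data).hexdigest() != expected:
            findings.append(("modified", path))         # content differs from the clean build
    for path in partition:
        if path not in manifest:
            findings.append(("unexpected", path))       # file the clean build does not ship
    return sorted(findings)


def runtime_library_tampered(findings: List[Tuple[str, str]]) -> bool:
    """True if the core runtime library differs from the reference build."""
    return any(kind == "modified" and path.endswith("libandroid_runtime.so")
               for kind, path in findings)


if __name__ == "__main__":
    for kind, path in compare_partition(SUSPECT_PARTITION, REFERENCE_MANIFEST):
        print(f"{kind:10} {path}")
```

A clean result (an empty list) does not prove the image is safe if the reference manifest itself came from an untrusted download; the check is only as good as the provenance of the reference build.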

By Zero Day Wire