Full Report
A new Android backdoor that's embedded deep into the device firmware can silently harvest data and remotely control its behavior, according to new findings from Kaspersky. The Russian cybersecurity vendor said it discovered the backdoor, dubbed Keenadu, in the firmware of devices associated with various brands, including Alldocube, with the compromise occurring during the firmware build phase.
Analysis Summary
# Incident Report: Keenadu Firmware Backdoor
## Executive Summary
Keenadu is a sophisticated Android backdoor embedded deep within device firmware, specifically targeting the `libandroid_runtime.so` library. Discovered by Kaspersky, the malware is integrated during the firmware build phase, allowing it to persist across official, digitally signed Over-the-Air (OTA) updates. The impact is significant, granting attackers unrestricted remote control over affected devices and the ability to inject malicious code into every launched application.
## Incident Details
- **Discovery Date:** Late December 2025 (Initial disclosure); Full analysis Feb 17, 2026.
- **Incident Date:** Earliest detected instance August 18, 2023.
- **Affected Organization:** Alldocube (confirmed); additional undisclosed vendors.
- **Sector:** Consumer Electronics / Mobile Hardware.
- **Geography:** Global (Primary impact in Russia, Japan, Germany, Brazil, and the Netherlands).
## Timeline of Events
### Initial Access
- **Date/Time:** August 2023 (Earliest known build).
- **Vector:** Supply Chain Compromise.
- **Details:** The backdoor was inserted into the Android firmware during the manufacturing/build phase before official digital signing.
### Lateral Movement
- **Mechanism:** Once the device boots, the malware is injected into the **Zygote** process. Because Zygote is the parent process from which every Android app is forked, the malware automatically loads a "Client" module into the address space of every application the user launches.
### Data Exfiltration/Impact
- **Details:** The malware harvests device metadata, monitors location, and hijacks browser search engines. It stealthily interacts with ads and installs unauthorized applications to monetize the infection.
### Detection & Response
- **Discovery:** Detected by Kaspersky telemetry and confirmed through exhaustive analysis of the `libandroid_runtime.so` shared library.
- **Response Actions:** Public disclosure by security researchers; notification of telemetry-affected users (approx. 13,715).
## Attack Methodology
- **Initial Access:** Supply chain injection during the firmware compilation process.
- **Persistence:** Embedded in core system libraries; survives factory resets and official OTA updates.
- **Privilege Escalation:** Injects into `system_server` via Zygote, gaining maximum system privileges.
- **Defense Evasion:** Uses valid digital signatures; includes a "kill switch" for specific system directories; employs a 2.5-month "dormancy" period before contacting the C2 server.
- **Credential Access:** Not explicitly detailed, but capable of monitoring all app interactions.
- **Discovery:** Scans for Google Play Services and cellular carrier apps (Sprint/T-Mobile), and checks the system language/timezone, terminating if they indicate a Chinese locale.
- **Lateral Movement:** Inter-process injection from `system_server` to all individual user applications.
- **Collection:** Exfiltrates device metadata, location, and application-specific data.
- **Exfiltration:** Encrypted JSON payloads sent to a C2 address that the malware decrypts before use.
- **Impact:** Remote command execution, search engine hijacking, and unauthorized app monetization.
## Impact Assessment
- **Financial:** Monetization via ad fraud and silent app installations.
- **Data Breach:** Harvests sensitive device information and real-time location.
- **Operational:** Devices are permanently compromised at the hardware-software boundary; remediation requires a clean firmware reflash (if available).
- **Reputational:** Significant brand damage to Alldocube and other affected vendors due to "trusted" signed updates being malicious.
## Indicators of Compromise
- **File indicators:**
  - Compromised `libandroid_runtime.so`.
  - Presence of `AKServer` and `AKClient` classes within system processes.
- **Behavioral indicators:**
  - System-level processes communicating with unknown external C2 servers after a 2.5-month delay.
  - Automated interaction with advertising elements within the browser/apps.
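The file indicators above can be turned into a simple triage check over an unpacked firmware image. The script below is an added example, not code from Kaspersky or from any affected vendor: it walks an extracted firmware tree, pulls printable strings out of every `libandroid_runtime.so` it finds (the way `strings(1)` would), and flags libraries that carry the `AKServer` / `AKClient` class names. The directory layout and the fake ELF-looking library bytes are constructed for the demo and are not real Android binaries; the only indicators it acts on are the two named on this page.

```python
"""Added example (not from the report or any vendor): triage an unpacked
firmware tree for the libandroid_runtime.so file indicators listed above.
Assumption: the firmware image has already been extracted to a directory."""

import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

TARGET_LIB = "libandroid_runtime.so"
IOC_TOKENS = ("AKServer", "AKClient")   # class names named in the report


@dataclass
class Finding:
    path: str
    tokens: list = field(default_factory=list)


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Return printable ASCII runs of at least min_len bytes (strings(1)-style)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, blob)]


def scan_library(path: Path) -> Finding:
    """Report which IoC tokens appear among the library's printable strings."""
    strings = extract_strings(path.read_bytes())
    hits = sorted({tok for tok in IOC_TOKENS if any(tok in s for s in strings)})
    return Finding(str(path), hits)


def scan_firmware_tree(root) -> list:
    """Walk the tree; return one Finding per libandroid_runtime.so that carries
    an IoC token. A clean library produces no finding at all."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if TARGET_LIB in files:
            finding = scan_library(Path(dirpath) / TARGET_LIB)
            if finding.tokens:
                findings.append(finding)
    return findings


def build_demo_tree() -> str:
    """Constructed sample tree: a clean 64-bit copy and a tampered 32-bit copy.
    The blobs only imitate an ELF header; they are not real binaries."""
    root = tempfile.mkdtemp(prefix="fw_")
    clean_dir = Path(root, "system", "lib64")
    clean_dir.mkdir(parents=True)
    (clean_dir / TARGET_LIB).write_bytes(
        b"\x7fELF" + b"\x00" * 32 + b"android_runtime_init\x00")
    bad_dir = Path(root, "system", "lib")
    bad_dir.mkdir(parents=True)
    (bad_dir / TARGET_LIB).write_bytes(
        b"\x7fELF" + b"\x00" * 32 + b"AKServer\x00AKClient\x00")
    return root


if __name__ == "__main__":
    for f in scan_firmware_tree(build_demo_tree()):
        print(f"{f.path}: {', '.join(f.tokens)}")
```

A match on these strings is a reason to pull the library for full analysis, not proof on its own; a clean result is equally weak, since nothing here verifies the library against a known-good build. Pair the scan with a hash comparison against a vendor-supplied reference image where one exists.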
## Response Actions
- **Containment:** Detection of malware modules in third-party and official app stores (Google Play, Xiaomi GetApps) for removal.
- **Eradication:** Users must be wary of firmware versions dated after August 2023; researchers are working with vendors to identify clean build paths.
## Lessons Learned
- **Trust Refinement:** Valid digital signatures on firmware are no longer a guarantee of integrity if the build environment itself is compromised.
- **Detection Gaps:** Traditional mobile antivirus may struggle to detect malware residing in the `libandroid_runtime.so` library as it loads before many security services.
- **Delayed Payloads:** The 2.5-month dormancy period highlights the need for long-term behavioral monitoring of "clean" devices.
## Recommendations
- **For Manufacturers:** Implement stricter integrity checks and "Hardware Root of Trust" mechanisms during the build and signing pipeline.
- **For Users:** Avoid purchasing low-cost tablets from vendors with unverified supply chains; monitor device behavior for unusual ad activity or search engine changes.
- **For Analysts:** Perform deep-dive forensic analysis on system-level `.so` (shared object) files during routine mobile audits.
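The manufacturer recommendation above (integrity checks in the build and signing pipeline) and the lesson that a valid signature says nothing about a compromised build environment both point at the same control: do not let the release key sign output that only one build host has seen. The snippet below is an added example, not any vendor's pipeline: two builds of the same source on independent builders produce hash manifests, and the release key is used only if every artifact matches. The artifact names, bytes and the stand-in signing function are constructed for the demo; in a real pipeline the key would live in an HSM or a hardware root of trust and `demo_sign` would be replaced by a call to it.

```python
"""Added example (not from the report or any vendor): a pre-signing gate that
refuses to sign firmware artifacts unless two independent builds agree
byte-for-byte. Artifacts and the signing stand-in are constructed."""

import hashlib
from typing import Callable, Dict, List, Tuple


class SigningRefused(Exception):
    """Raised when the independent builds disagree on at least one artifact."""


def manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Map each artifact path to the SHA-256 of its contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}


def diverging_artifacts(m_a: Dict[str, str], m_b: Dict[str, str]) -> List[str]:
    """Paths present in only one manifest, or hashing differently in the two."""
    names = set(m_a) | set(m_b)
    return sorted(n for n in names if m_a.get(n) != m_b.get(n))


def gate_and_sign(build_a: Dict[str, bytes], build_b: Dict[str, bytes],
                  sign: Callable[[bytes], str]) -> Dict[str, str]:
    """Sign build_a's artifacts only if build_b reproduced every one of them."""
    diff = diverging_artifacts(manifest(build_a), manifest(build_b))
    if diff:
        raise SigningRefused("builds diverge on: " + ", ".join(diff))
    return {name: sign(data) for name, data in build_a.items()}


def demo_sign(data: bytes) -> str:
    # Stand-in for the HSM-backed release key; not a real signature scheme.
    return hashlib.sha256(b"demo-release-key:" + data).hexdigest()


def check_release(build_a: Dict[str, bytes],
                  build_b: Dict[str, bytes]) -> Tuple[str, object]:
    """Return ('signed', signatures) or ('refused', reason) for the pipeline log."""
    try:
        return "signed", gate_and_sign(build_a, build_b, demo_sign)
    except SigningRefused as exc:
        return "refused", str(exc)


# Constructed sample builds: the tampered one differs only in the runtime library,
# mirroring the report's build-phase injection into libandroid_runtime.so.
CLEAN_RUNTIME = b"\x7fELF" + b"android_runtime\x00"
TAMPERED_RUNTIME = CLEAN_RUNTIME + b"AKServer\x00"
RUNTIME_PATH = "system/lib64/libandroid_runtime.so"

GOOD_BUILD_A = {RUNTIME_PATH: CLEAN_RUNTIME, "system/framework/framework.jar": b"PK-demo"}
GOOD_BUILD_B = dict(GOOD_BUILD_A)                      # independent builder, same bytes
TAMPERED_BUILD = {**GOOD_BUILD_A, RUNTIME_PATH: TAMPERED_RUNTIME}


if __name__ == "__main__":
    print(check_release(GOOD_BUILD_A, GOOD_BUILD_B)[0])   # signed
    print(check_release(GOOD_BUILD_A, TAMPERED_BUILD))    # refused, names the library
```

The gate only helps if the two builders are genuinely independent (separate hosts, toolchains fetched and pinned separately, no shared writable cache); a backdoor injected into a shared toolchain would reproduce on both sides and pass. The path it names in the refusal message is what an analyst would then pull for the kind of `.so` forensic review recommended above.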