Full Report
In a report released this week, Russian cybersecurity firm Kaspersky said it uncovered a previously undocumented backdoor dubbed Keenadu that is built directly into a device’s core software, allowing it to load into every application launched on the tablet.
Analysis Summary
# Tool/Technique: Keenadu Backdoor
## Overview
Keenadu is a sophisticated Android backdoor discovered by Kaspersky in early 2026. It is primarily characterized by its integration into the core firmware of Android tablets (specifically Alldocube and other unnamed manufacturers) during the manufacturing or distribution stage. This supply-chain compromise allows the malware to gain unrestricted control over the device and persist through standard security cleanups and factory resets.
## Technical Details
- **Type:** Malware Family (Backdoor / Trojan)
- **Platform:** Android
- **Capabilities:** Persistence via firmware integration, advertising fraud, information theft, and shopping cart manipulation.
- **First Seen:** Publicly reported February 18, 2026 (Estimated over 13,000 victims prior to report).
## MITRE ATT&CK Mapping
- **[TA0027 - Persistence]**
- **[T1398 - Modification of ROM or System Partition]**: Directly integrated into the device core software/ROM.
- **[TA0029 - Credential Access]**
- **[T1417 - Input Capture]**: Monitoring interactions and application data.
- **[TA0030 - Discovery]**
- **[T1426 - System Information Discovery]**: Checks time zones and language settings (Geofencing).
- **[TA0034 - Impact]**
- **[T1473 - Financial Theft]**: Generating fraudulent ad revenue and modifying marketplace carts.
- **[TA0032 - Collection]**
- **[T1636 - Protected User Data]**: Accessing data within other launched applications.
## Functionality
### Core Capabilities
- **Universal Loading:** Injects itself into every application launched on the infected tablet.
- **Ad Fraud:** Hijacks browser search engines and interacts with advertising components to generate revenue.
- **App Monitoring:** Monitors the installation of new applications and intercepts system events.
- **Shopping Manipulation:** Automatically adds items to marketplace shopping carts without user consent.
### Advanced Features
- **Supply Chain Integration:** Embedded at the firmware build stage, likely through a compromised vendor environment.
- **Geofencing/Evasion:** Terminates execution if the device language is set to Chinese or if the device is located in a Chinese time zone.
- **Dependency Check:** Remains inactive on devices missing Google Play Store or Google Play Services.
- **Persistence:** Survives system updates (OS updates from vendors have been found to remain infected).
## Indicators of Compromise
- **File Hashes:** Specific hashes not provided in the article; refer to Kaspersky's technical report "Keenadu Android Backdoor."
- **File Names:** Frequently found within a facial recognition app used for device unlocking.
- **Network Indicators:** (Examples based on behavior; specific C2s not listed in the summary)
- Search engine redirection to unauthorized domains.
- Unusual traffic to advertising API endpoints.
- **Behavioral Indicators:**
- Presence of unrecognized items in retail shopping carts.
- Automated installation of unwanted applications.
- Persistent malware detection in system partitions.
## Associated Threat Actors
- **Unknown:** No specific attribution has been made, though researchers note the developers possess high-level expertise in Android architecture and security principles.
## Detection Methods
- **Signature-based detection:** Mobile security suites (like Kaspersky) can identify Keenadu modules.
- **Behavioral detection:** Monitoring for unauthorized modifications to browser settings or automated UI interactions.
- **Firmware Integrity Checking:** Comparing current device firmware against known-good hashes from the original manufacturer (though difficult if the vendor's source is compromised).
## Mitigation Strategies
- **Hardware Sourcing:** Procurement of devices from trusted, verified supply chains.
- **Clean Installation:** If infected, flash the device with a verified "clean" firmware version from a trusted developer community or a non-compromised official source.
- **Device Replacement:** In cases where the malware is deeply integrated into the ROM and no clean firmware is available, replacing the device is the only guaranteed remediation.
- **Monitoring:** Utilize Mobile Threat Defense (MTD) solutions to detect anomalous system-level behavior.
## Related Tools/Techniques
- **Triada:** A similar firmware-level Trojan (2025) used for credential theft and ad fraud on counterfeit Android devices.
- **Supply Chain Compromise (T1195):** The general technique of infecting hardware before it reaches the end user.