Kaspersky has identified a sophisticated Android backdoor named Keenadu that is embedded directly into device firmware to harvest data and enable remote control. This malware, which has affected thousands of users globally, is integrated during the firmware build phase and can even be delivered through official over-the-air updates.
Security researchers discovered that Keenadu hides within a critical system library and injects itself into every application upon launch, granting attackers unrestricted access to the device. By compromising the core startup processes of the operating system, the backdoor gains maximum privileges, while deliberately staying inactive on certain carrier networks and in specific geographic regions to avoid detection. This deep level of integration allows the malware to manipulate system functions and exfiltrate sensitive information without the user ever realizing the device is compromised.
The infection has been confirmed in tablet firmware for brands like Alldocube, with some compromised versions dating back to mid-2023. Because the malware is baked into the firmware and carries valid digital signatures, it is exceptionally difficult for standard security software to detect or remove. Once active, it utilizes a complex client-server architecture inside the device to bridge communications between infected apps and a central control module. This setup allows the operators to push custom malicious payloads that can hijack web searches, monetize app installations, and interact with advertisements silently.
Analysis of the code reveals that the malware is highly selective about its environment, performing various checks to ensure it is not running on devices without Google services or in specific time zones. If the environment meets the attackers' criteria, the backdoor decrypts a command server address and begins transmitting encrypted device metadata. Beyond simple data theft, the malware can grant or revoke app permissions and track the precise location of the user by leveraging its high-level system access.
Current data indicates that over thirteen thousand users across Russia, Japan, Germany, Brazil, and the Netherlands have been targeted by this campaign. While some modules have been found in standalone apps on third-party repositories, the most dangerous versions are those pre-installed on the hardware itself. This supply chain compromise ensures the malware persists even after factory resets, as the malicious code is part of the foundational software required to run the tablet.
The discovery highlights a growing trend of supply chain attacks targeting the Android ecosystem at the manufacturing level. By compromising the build phase of the firmware, attackers bypass the security boundaries typically enforced by the operating system. This method effectively turns the device against its owner from the first time it is powered on, making the identification of trusted hardware providers more critical than ever for global consumers.
Source: Keenadu Firmware Backdoor Infects Android Tablets Via Signed OTA Updates