Android Tablet Firmware Backdoor Exposed: Multiple Manufacturers Affected
Keenadu: A Sophisticated Android Backdoor Embedded in Firmware
Researchers at Kaspersky have identified a sophisticated Android backdoor, dubbed Keenadu, embedded directly into the firmware of tablets from multiple manufacturers.
Discovery and Investigation
The Keenadu backdoor was discovered during an investigation into previous Android threats and appears to have been inserted into the firmware during the build process, rather than being introduced after devices reached end-users.
This suggests a supply-chain compromise, where a stage of the firmware supply chain was infiltrated, leading to the inclusion of a malicious dependency within the source code.
Malware Architecture and Functionality
The malware’s architecture allows it to inject itself into the Zygote process, a critical system component responsible for launching Android apps.
Once active, the backdoor loads a copy of itself into the address space of every app upon launch, granting its operators unrestricted remote control over the device.
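A defender-side illustration of the behaviour described above, added here as an example and not taken from the Kaspersky report: a backdoor that injects itself into Zygote must map its own code into the process, so one detection heuristic is to parse Zygote's /proc/<pid>/maps listing and flag executable file-backed mappings that come from outside the read-only system partitions, or that are absent from a known-good baseline. The sample maps text, the trusted prefix list and the baseline are constructed assumptions for illustration.

```python
"""Heuristic check for unexpected code mapped into a process.

Added example, not code from the Kaspersky report. Parses /proc/<pid>/maps
style lines and reports executable file-backed mappings that either come
from outside the system partitions or are missing from a known-good
baseline. The sample input below is constructed for illustration.
"""
import re

# Assumption: on an untampered device, Zygote's executable mappings all come
# from these read-only partitions. Adjust per device image.
TRUSTED_PREFIXES = ("/system/", "/system_ext/", "/apex/", "/vendor/",
                    "/product/", "/odm/")

# /proc/<pid>/maps: address perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text):
    """Yield (start, end, perms, path) tuples for each well-formed maps line."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, path = m.groups()
        yield int(start, 16), int(end, 16), perms, path.strip()


def executable_file_mappings(text):
    """Return the distinct paths of executable, file-backed mappings."""
    paths = set()
    for _start, _end, perms, path in parse_maps(text):
        if not path or path.startswith("["):   # anonymous, [stack], [vdso] ...
            continue
        if "x" not in perms:                   # only executable code matters here
            continue
        paths.add(path)
    return sorted(paths)


def untrusted_mappings(text, trusted=TRUSTED_PREFIXES):
    """Executable file-backed mappings outside the trusted partitions."""
    return [p for p in executable_file_mappings(text)
            if not p.startswith(trusted)]


def mappings_not_in_baseline(text, baseline):
    """Executable mappings not present in a known-good baseline.

    This catches the case the prefix check misses: a firmware-level implant
    whose library lives under /system and therefore looks 'trusted'.
    """
    return [p for p in executable_file_mappings(text) if p not in set(baseline)]


# Constructed sample: two legitimate libraries, one library loaded from a
# writable path, and one unfamiliar library living under /system.
SAMPLE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7a1b2c3000-7a1b2f0000 r-xp 00000000 fe:00 1234   /system/lib64/libc.so
7a1b300000-7a1b340000 r-xp 00000000 fe:00 2345   /apex/com.android.runtime/lib64/libart.so
7a1b400000-7a1b420000 r-xp 00000000 fe:01 3456   /data/local/tmp/libhelper.so
7a1b500000-7a1b510000 rw-p 00000000 fe:01 3456   /data/local/tmp/libhelper.so
7a1b600000-7a1b610000 r-xp 00000000 fe:00 4567   /system/lib64/libextra.so
7ffd000000-7ffd021000 rw-p 00000000 00:00 0      [stack]
"""

# Constructed baseline captured from a known-clean image of the same model.
KNOWN_GOOD = [
    "/system/lib64/libc.so",
    "/apex/com.android.runtime/lib64/libart.so",
]

if __name__ == "__main__":
    print("outside trusted partitions:", untrusted_mappings(SAMPLE_MAPS))
    print("not in baseline:", mappings_not_in_baseline(SAMPLE_MAPS, KNOWN_GOOD))
```

On a real device the input would come from the Zygote process's maps file, which requires a privileged shell to read; the prefix check alone is weak against a build-time implant, since its code ships inside the signed system image and maps from a trusted path, which is why the baseline comparison against a known-clean image of the same model is the more useful of the two checks.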
Delivery and Distribution
In some instances, the compromised firmware was delivered to devices via over-the-air (OTA) updates.
Additionally, researchers found that some payloads were hidden within apps distributed through third-party stores and even official app marketplaces, including Google Play.
Affected Devices and Vendors
Kaspersky’s investigation revealed that the firmware of Alldocube iPlay 50 mini Pro tablets contained the Keenadu backdoor, even in versions released after the vendor acknowledged malware reports.
All analyzed firmware files carried valid digital signatures, indicating that the attackers did not simply tamper with updates, but rather integrated the Trojan into the firmware during the build phase.
Recommendations and Mitigation
The affected vendors have been notified and are likely working on pushing out clean firmware updates.
In the meantime, users are advised to check for software updates and install them as soon as they become available.
Until a clean update arrives, researchers recommend not using the infected devices.
Prevalence and Impact
According to Kaspersky’s telemetry, 13,715 users worldwide have encountered Keenadu or its modules, with the highest number of users attacked in Russia, Japan, Germany, Brazil, and the Netherlands.
The researchers have linked the Keenadu threat to other major Android botnet families, including Triada, BadBox, and Vo1d.
The discovery of the Keenadu backdoor highlights the risks associated with supply-chain compromises and the importance of ensuring the integrity of firmware and software updates.