Android Tablet Security Threat: Keenadu Firmware Backdoor via Signed OTA Updates


Android Tablets Infected by Keenadu Firmware Backdoor via Signed OTA Updates

A newly discovered Android backdoor, dubbed Keenadu, has been found embedded in the firmware of various Android tablets, including those from Alldocube. The malware, which was discovered by Kaspersky, is capable of silently harvesting data and remotely controlling the infected device.

Keenadu’s Capabilities

Keenadu is a complex, multi-stage loader that grants its operators unrestricted access to the compromised device. The backdoor is embedded in the tablet's firmware, and the firmware images carry valid digital signatures: the compromise sits upstream of the signing step, so signature verification on the device does not catch it. In some cases the compromised firmware was delivered to devices via over-the-air (OTA) updates.

Once activated, Keenadu loads a copy of itself into the address space of every app launched on the device. From there it can hijack the browser's search engine, monetize new app installs, and stealthily interact with ad elements. Kaspersky's telemetry suggests that over 13,000 users worldwide have encountered Keenadu or its modules, most of them in Russia, Japan, Germany, Brazil, and the Netherlands.

Discovery and Architecture

Keenadu was first disclosed by Kaspersky in December 2025 and is believed to have been embedded in device firmware during the build phase. The malware is invoked through a function call added to the libandroid_runtime.so shared library, a core system library that is loaded at boot into the zygote process from which every app process is forked, which is how the loader ends up in every app. Keenadu checks whether it is running inside a system app belonging to Google services or a cellular carrier and aborts execution if so.

The malware also has a kill switch: it terminates itself if it finds files with certain names in system directories, if the device is set to a Chinese time zone, or if Google Play Store or Google Play Services is absent.

Keenadu's architecture consists of two main components, AKServer and AKClient. AKServer holds the core logic and the command-and-control (C2) mechanism, while AKClient is injected into every app launched on the device and acts as a bridge to AKServer. This client-server split lets AKServer run custom malicious payloads tailored to the specific app that AKClient is running inside.
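The injection mechanism described above (a hook in a library every app process inherits, with a client component inside each app) leaves a footprint a defender can look for: a shared object that is mapped into most app processes but is not part of the known-good set that zygote preloads on a clean device of the same build. The following triage script is an added example, not Kaspersky's tooling and not Keenadu code. It assumes you have collected /proc/<pid>/maps for a set of app processes (on a rooted or userdebug device, for instance with `adb shell "cat /proc/$(pidof com.example.browser)/maps"`) and a baseline captured from a clean device. The maps lines, package names, the library name libexample_hook.so and the baseline are all constructed for illustration. Because the report says the loader skips Google and carrier system apps, the check uses a fraction threshold rather than demanding that the library appear in every process.

```python
"""Cross-process mapped-library triage for Android app processes.

Added example (not Kaspersky's tooling and not Keenadu code). It assumes you
have collected /proc/<pid>/maps for several app processes and a baseline of
libraries that every app on a clean device of this build inherits from zygote.
All maps lines, package names, library names and the baseline are constructed.
"""
import re
from collections import defaultdict

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed baseline: libraries a clean device of this build maps into every app.
BASELINE = {
    "/system/lib64/libc.so",
    "/system/lib64/libandroid_runtime.so",
}

# Constructed maps dumps. libexample_hook.so is a placeholder name for an
# unexpected library present in the third-party apps but not in the Google
# system app, mirroring the report's note that the loader aborts there.
SAMPLE_MAPS = {
    "com.example.browser": "\n".join([
        "7f1a2b000000-7f1a2b2a0000 r--p 00000000 fd:00 1234 /system/lib64/libandroid_runtime.so",
        "7f1a2b2a0000-7f1a2b6d0000 r-xp 002a0000 fd:00 1234 /system/lib64/libandroid_runtime.so",
        "7f1a2c000000-7f1a2c040000 r-xp 00000000 fd:00 4321 /system/lib64/libc.so",
        "7f1a2d000000-7f1a2d020000 r-xp 00000000 fd:00 9876 /system/lib64/libexample_hook.so",
        "7f1a2e000000-7f1a2e010000 rw-p 00000000 00:00 0 [anon:libc_malloc]",
    ]),
    "com.example.shopping": "\n".join([
        "7f2a2b000000-7f2a2b6d0000 r-xp 00000000 fd:00 1234 /system/lib64/libandroid_runtime.so",
        "7f2a2c000000-7f2a2c040000 r-xp 00000000 fd:00 4321 /system/lib64/libc.so",
        "7f2a2d000000-7f2a2d020000 r-xp 00000000 fd:00 9876 /system/lib64/libexample_hook.so",
        "7f2a2f000000-7f2a2f001000 ---p 00000000 00:00 0",
    ]),
    "com.example.game": "\n".join([
        "7f3a2b000000-7f3a2b6d0000 r-xp 00000000 fd:00 1234 /system/lib64/libandroid_runtime.so",
        "7f3a2c000000-7f3a2c040000 r-xp 00000000 fd:00 4321 /system/lib64/libc.so",
        "7f3a2d000000-7f3a2d020000 r-xp 00000000 fd:00 9876 /system/lib64/libexample_hook.so",
        "7f3a3d000000-7f3a3d100000 r-xp 00000000 fd:01 5555 /data/app/~~Abc==/com.example.game-Xyz==/lib/arm64/libgame.so",
    ]),
    "com.google.android.gms": "\n".join([
        "7f4a2b000000-7f4a2b6d0000 r-xp 00000000 fd:00 1234 /system/lib64/libandroid_runtime.so",
        "7f4a2c000000-7f4a2c040000 r-xp 00000000 fd:00 4321 /system/lib64/libc.so",
        "7f4a2e000000-7f4a2e010000 rw-p 00000000 00:00 0 [anon:libc_malloc]",
    ]),
}


def parse_maps(text):
    """Return the set of file-backed shared objects (.so) mapped in one maps dump."""
    libs = set()
    for raw in text.splitlines():
        m = MAPS_LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the triage
        path = m.group("path").strip()
        # inode 0 marks anonymous or pseudo mappings such as [anon:...] and [stack]
        if m.group("inode") != "0" and path.endswith(".so"):
            libs.add(path)
    return libs


def library_process_map(processes):
    """Map each mapped .so path to the set of process names that map it."""
    seen = defaultdict(set)
    for name, text in processes.items():
        for lib in parse_maps(text):
            seen[lib].add(name)
    return seen


def suspicious_shared_libs(processes, baseline, min_fraction=0.5):
    """Non-baseline libraries mapped into at least min_fraction of the processes.

    Returns {library: sorted list of processes that do NOT map it}. A fraction
    threshold instead of a strict "every process" intersection matters: an
    injector that deliberately skips some apps (as the report says Keenadu does
    for Google and carrier system apps) would otherwise go unnoticed. An app's
    own native library lives in only its own process and stays below threshold.
    """
    if not processes:
        return {}
    seen = library_process_map(processes)
    findings = {}
    for lib, procs in seen.items():
        if lib in baseline:
            continue
        if len(procs) / len(processes) >= min_fraction:
            findings[lib] = sorted(set(processes) - procs)
    return dict(sorted(findings.items()))


if __name__ == "__main__":
    for lib, missing in suspicious_shared_libs(SAMPLE_MAPS, BASELINE).items():
        print(f"{lib}: mapped in most app processes, absent from {missing}")
```

On a real device the baseline must come from the same model and build, captured before the suspect OTA; a hit tells you which library to pull and inspect, not that it is malicious, and an injector that hides inside a library the baseline already lists (as a hook added to libandroid_runtime.so itself would) has to be caught by comparing that file's hash against the reference firmware instead.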

Malicious Modules and Distribution

Kaspersky has identified several malicious modules associated with Keenadu, including a loader that targets popular online storefronts like Amazon and Shein, a clicker loader that interacts with advertising elements on gaming and news websites, and a Google Chrome module that hijacks search requests.

The discovery of Keenadu is concerning because it runs inside the process of every app on the device. Android grants permissions per app and isolates apps from one another, but code that lives inside each app's process inherits whatever that app can access, which renders the app sandbox and the permission model ineffective. That turns the malware into a backdoor granting the attackers unfettered access to, and control over, the compromised device.

Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023. Kaspersky has also identified other distribution vectors: the Keenadu loader embedded in system apps, such as the facial recognition service and the system launcher, in the firmware of several devices, and trojanized smart-camera apps distributed via Google Play.

According to Kaspersky, the creators of Keenadu are believed to have a deep understanding of the Android architecture, the app startup process, and the core security principles of the operating system. The malware is a large-scale, complex platform that provides attackers with unrestricted control over the victim’s device. While Keenadu is currently used primarily for ad fraud, it is possible that it may be used for more malicious purposes in the future, such as stealing credentials.
