New Android Backdoor ‘Keenadu’ Discovered in Firmware and Google Play Apps
Newly Discovered Android Malware “Keenadu” Found in Multiple Device Brands
A newly discovered Android malware, dubbed Keenadu, has been found embedded in the firmware of multiple device brands, giving attackers unrestricted control over infected devices.
Discovery and Distribution
According to a report by cybersecurity firm Kaspersky, Keenadu reaches devices through several channels: compromised firmware images delivered over the air, installation by other backdoors already present on the device, embedding in preinstalled system apps, modified apps from unofficial sources, and even apps published on Google Play.
Infected Devices and Capabilities
Kaspersky has confirmed 13,000 infected devices, primarily located in Russia, Japan, Germany, Brazil, and the Netherlands. The malware's capabilities are extensive: it can run inside every app installed on the device, install arbitrary apps from APK files, and grant them any permission the system offers.
This gives the attackers access to effectively all data on the device, including media, messages, banking credentials, location data, and more.
The malware also monitors search queries entered into the Chrome browser in incognito mode. Notably, Keenadu does not activate if the device's language or time zone is associated with China, which may indicate its origin. Additionally, the malware stops if the Google Play Store and Play Services are not found on the device.
Embedded in System Apps and Google Play
Kaspersky researchers found the malware embedded in a system app for facial recognition, typically used for unlocking the device and various authorization and authentication actions. They also discovered Keenadu on Google Play, in smart home camera apps that had 300,000 downloads.
When opened, these apps launched hidden browser windows inside the host app and navigated to websites in the background, behaviour typical of ad fraud.
Detection and Removal
The malware’s presence has been detected in the firmware of Android tablets from multiple manufacturers. On one product, the Alldocube iPlay 50 mini Pro (T811M) tablet, the malicious firmware was dated August 18, 2023.
After a customer reported that the OTA server had been compromised and malware inserted into the firmware, Alldocube acknowledged a "virus attack through OTA software" but gave no details about the type of threat.
Kaspersky's technical analysis shows that Keenadu modifies libandroid_runtime.so, a core Android system library that is loaded into every app process, which lets the malware operate "within the context of every app on the device."
Because it lives in the system partition, Keenadu cannot be removed with standard Android tools: uninstalling apps or performing a factory reset leaves the system partition untouched. Users are advised to obtain and flash a clean firmware image for their device, or to replace it with a product from a trusted vendor bought through an authorized distributor.
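One practical check that follows from the two paragraphs above: pull the core system libraries from a suspect device and compare their hashes against a manifest built from a known-clean firmware image of the same build. The script below is an added example, not code from Kaspersky's report or from any vendor tool; the clean and suspect directory trees, the placeholder file contents, and the list of libraries checked are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from Kaspersky's report or any vendor tool): compare the
# hashes of core system libraries taken from a suspect device against a
# manifest generated from a known-clean firmware image of the same build.
# Everything below is constructed sample data; on a real device you would
# `adb pull /system/lib64/libandroid_runtime.so` (and the 32-bit copy under
# /system/lib) into the suspect directory first.
set -eu

# Portable SHA-256: coreutils sha256sum, or shasum where that is absent.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Libraries worth checking first: a backdoor living in libandroid_runtime.so
# executes inside every app, so this list is deliberately short and focused.
# (Assumed list for the example; extend it for a real audit.)
CORE_LIBS="lib64/libandroid_runtime.so lib/libandroid_runtime.so lib64/libc.so"

# build_manifest <clean_root> <manifest>: record "hash relative-path" per lib
build_manifest() {
  clean_root=$1; manifest=$2
  : > "$manifest"
  for rel in $CORE_LIBS; do
    [ -f "$clean_root/$rel" ] || continue
    printf '%s %s\n' "$(hash_file "$clean_root/$rel")" "$rel" >> "$manifest"
  done
}

# verify_against_manifest <suspect_root> <manifest>: prints one line per lib
# (OK / MISMATCH / MISSING) and returns 1 if anything differs from the manifest.
verify_against_manifest() {
  suspect_root=$1; manifest=$2; status=0
  while read -r expected rel; do
    if [ ! -f "$suspect_root/$rel" ]; then
      echo "MISSING  $rel"; status=1; continue
    fi
    actual=$(hash_file "$suspect_root/$rel")
    if [ "$actual" = "$expected" ]; then
      echo "OK       $rel"
    else
      echo "MISMATCH $rel (expected $expected, got $actual)"; status=1
    fi
  done < "$manifest"
  return $status
}

# --- constructed demo data (placeholders, not real ELF libraries) -----------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/clean/lib64" "$WORK/clean/lib" "$WORK/suspect/lib64" "$WORK/suspect/lib"
printf 'clean runtime 64\n' > "$WORK/clean/lib64/libandroid_runtime.so"
printf 'clean runtime 32\n' > "$WORK/clean/lib/libandroid_runtime.so"
printf 'clean libc\n'       > "$WORK/clean/lib64/libc.so"
# Suspect image: identical libc, but a modified 64-bit runtime library (the
# pattern the article describes for Keenadu) and the 32-bit copy missing.
printf 'clean libc\n'               > "$WORK/suspect/lib64/libc.so"
printf 'clean runtime 64 + extra\n' > "$WORK/suspect/lib64/libandroid_runtime.so"

build_manifest "$WORK/clean" "$WORK/manifest.txt"
verify_against_manifest "$WORK/suspect" "$WORK/manifest.txt" || echo "integrity check FAILED"
```

Two caveats when running this against real hardware. The manifest must come from a firmware image for exactly the same build fingerprint, otherwise every library will legitimately differ. And a device whose system partition is already backdoored cannot be fully trusted to report on itself, so prefer dumping the partition from the bootloader or from the firmware package the OTA delivered rather than relying on `adb pull` through the running system.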
Conclusion
Keenadu's capabilities go beyond ad fraud: it can carry out broad data theft and other dangerous actions on the compromised device. Kaspersky notes that the malware gives attackers unlimited control over the victim's device, making it a significant threat to Android users.
