Cybersecurity researchers discovered a dangerous backdoor hidden in Android tablet firmware. They named it Keenadu. This malware sneaks in during the build process and survives OTA updates.
Deep Firmware Infection
Keenadu embeds inside libandroid_runtime.so. This critical library loads at boot. It injects into the Zygote process. Therefore, every app runs with the backdoor active. The firmware carries valid digital signatures. This makes updates look legitimate. Attackers compromised devices from several brands. One known example is Alldocube iPlay 50 mini Pro since August 2023.
The backdoor uses a client-server setup. AKServer runs in system_server with full privileges. AKClient injects into every launched app. This bridge lets AKServer control specific apps. It checks conditions before running. For example, it skips if the language is Chinese or no Google services exist. It also aborts in certain carrier apps. A 2.5-month delay hides payloads from early analysis.
The C2 server sends encrypted JSON with payload details. Alibaba Cloud hosts these files. Modules include Keenadu loader for shopping apps. It adds items to carts silently on sites like Amazon or Temu.
Clicker modules target YouTube and Facebook. They interact with ads on gaming or news sites. Nova clicker uses machine learning for ad fraud. Install monetization tricks ad networks about app downloads.
Distribution Methods
Keenadu spreads through OTA updates. It hides in system apps like facial recognition. Some cases link to pre-existing BADBOX infections. Trojanized smart camera apps on Google Play also delivered it.
Three apps from one developer reached over 100,000 downloads each. They posed as camera tools. The developer published similar apps on the Apple App Store. However, iOS versions lack the malicious code.
Global Impact and Risks
Telemetry shows over 13,700 affected users worldwide. Most hits occurred in Russia, Japan, Germany, Brazil, and the Netherlands. The backdoor bypasses Android sandboxing. It accesses all app data freely.
Permissions lose meaning with this deep access. Attackers gain full device control. Currently, it focuses on ad fraud. However, experts warn it could steal credentials later like similar malware.
Prevention Strategies
Users and organizations can protect devices with careful steps. First, enable Google Play Protect and keep it active for automatic warnings. Avoid sideloading apps or installing from unknown sources.
Moreover, use continuous monitoring to detect unusual accessibility changes, network connections to suspicious servers, or unexpected app behaviors early. Regularly check for firmware updates from trusted sources only. These actions significantly lower the risk of firmware-level backdoors like Keenadu compromising devices.
Sleep well, we got you covered.
