Keenadu Backdoor
A sophisticated Android backdoor known as Keenadu has been identified embedded deep within device firmware, enabling silent data harvesting and remote control of infected systems. Security researchers uncovered the threat in firmware linked to multiple vendors, including Alldocube, with evidence showing the compromise occurred during the firmware build phase. Keenadu has been present in firmware for the Alldocube iPlay 50 mini Pro since at least August 18, 2023.
In every confirmed case, the malicious code resided within tablet firmware images that carried valid digital signatures, reinforcing the likelihood of supply chain compromise. Some infected firmware packages were distributed via over-the-air (OTA) updates. Once installed, the backdoor injects itself into the memory space of every application at launch, operating as a multi-stage loader that grants attackers unrestricted remote control over the device.
Telemetry indicates that 13,715 users worldwide have encountered Keenadu or its associated modules. The highest concentration of infections has been observed in Russia, Japan, Germany, Brazil, and the Netherlands.
Deep System Manipulation: Exploiting Core Android Processes
Keenadu was publicly disclosed in late December 2025 and described as a backdoor implanted within libandroid_runtime.so, a critical shared library loaded during the Android boot process. Once active, the malware injects itself into the Zygote process, behavior previously observed in the Android malware Triada.
The malicious routine is triggered through a function inserted into libandroid_runtime.so. It first verifies whether it is executing inside system applications associated with Google services or mobile carriers such as Sprint and T-Mobile; if so, execution is halted. A built-in kill switch also terminates the malware when specific file names are detected in system directories.
The backdoor then checks whether it is operating within the privileged system_server process, which governs core system functionality and is launched by Zygote during boot. Depending on the environment, the malware initializes one of two components:
- AKServer, which contains the core command-and-control (C2) logic and execution engine
- AKClient, which is injected into each launched application and acts as a communication bridge to AKServer
This architecture allows attackers to tailor malicious payloads to specific applications. The server component can grant or revoke app permissions, retrieve geolocation data, and exfiltrate device information. Additional safeguards ensure the malware terminates if the device language is set to Chinese within a Chinese time zone, or if the Google Play Store or Google Play Services are absent.
Upon meeting operational criteria, Keenadu decrypts its C2 address and transmits encrypted device metadata. The server responds with an encrypted JSON configuration detailing available payloads. To evade detection and complicate analysis, the backdoor delays payload delivery for approximately two and a half months after the initial device check-in. The attackers rely on Alibaba Cloud as their content delivery infrastructure.
Malicious Modules: Monetization, Hijacking, and Ad Fraud
Keenadu functions as a modular malware platform capable of deploying various specialized components. Identified modules include the following:
- Keenadu Loader targeting popular e-commerce platforms such as Amazon, Shein, and Temu, potentially enabling unauthorized cart manipulation.
- Clicker Loader injected into applications such as YouTube, Facebook, Google Digital Wellbeing, and the Android system launcher to interact fraudulently with advertising elements.
- Google Chrome Module targeting Google Chrome to hijack search queries and redirect them to alternate search engines, though autocomplete selections may sometimes disrupt the hijacking attempt.
- Nova Clicker, embedded within the system wallpaper picker and leveraging machine learning and WebRTC to engage with advertising content. This component was previously analyzed under the codename Phantom by Doctor Web.
- Install Monetization Module, embedded in the system launcher to generate fraudulent advertising revenue by misattributing application installs.
- Google Play Module, which retrieves the Google Ads advertising ID and stores it under the key 'S_GA_ID3' for cross-module tracking and victim identification.
While the current operational focus centers on advertising fraud, the framework's flexibility presents significant potential for credential theft and expanded malicious operations in the future.
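Two of the details above lend themselves to a defender-side triage check: the implant lives in libandroid_runtime.so inside firmware that still carries a valid vendor signature, so integrity has to be judged against a known-clean build rather than the signature, and the Google Play module leaves the advertising ID under the SharedPreferences key 'S_GA_ID3'. The script below is an added example, not code from the original report or from any vendor tool; every path, package name, library body and hash in it is constructed for the demonstration (no real Keenadu or firmware hashes are included).

```python
import glob
import hashlib
import os
import re
import tempfile

TRACKING_KEY = "S_GA_ID3"  # SharedPreferences key the Google Play module writes

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_system_libs(lib_dir, manifest):
    """Per-library verdict against hashes from a clean build of the same firmware version."""
    def verdict(name, expected):
        path = os.path.join(lib_dir, name)
        if not os.path.isfile(path):
            return "missing"
        return "ok" if sha256_file(path) == expected else "modified"
    return {n: verdict(n, h) for n, h in manifest.items()}

def find_tracking_key(data_dir):
    """Packages whose shared_prefs XML carries the S_GA_ID3 key."""
    pat = re.compile(r'name="%s"' % re.escape(TRACKING_KEY))
    hits = set()
    for xml in glob.glob(os.path.join(data_dir, "*", "shared_prefs", "*.xml")):
        with open(xml, errors="replace") as f:
            if pat.search(f.read()):
                hits.add(os.path.relpath(xml, data_dir).split(os.sep)[0])
    return sorted(hits)

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb" if isinstance(data, bytes) else "w") as f:
        f.write(data)

def build_sample():
    """Constructed pulled-filesystem layout (not real device data)."""
    root = tempfile.mkdtemp()
    lib_dir, data_dir = os.path.join(root, "system", "lib64"), os.path.join(root, "data", "data")
    clean = {"libandroid_runtime.so": b"\x7fELF clean runtime", "libc.so": b"\x7fELF clean libc"}
    manifest = {n: hashlib.sha256(b).hexdigest() for n, b in clean.items()}
    clean["libandroid_runtime.so"] += b" injected loader"  # simulate the build-time implant
    for n, b in clean.items():
        _write(os.path.join(lib_dir, n), b)
    _write(os.path.join(data_dir, "com.example.infected", "shared_prefs", "p.xml"),
           '<map><string name="S_GA_ID3">0000-constructed</string></map>')
    _write(os.path.join(data_dir, "com.example.clean", "shared_prefs", "p.xml"),
           '<map><string name="theme">dark</string></map>')
    return lib_dir, data_dir, manifest
```

On a real device the manifest would be built from an image of the same firmware version obtained independently of the suspect OTA package, and the data directory from a forensic pull of /data/data.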
Expanding Distribution Channels and Ecosystem Links
Beyond firmware-level implantation, additional distribution vectors have been observed. The Keenadu loader has been embedded within core system applications such as facial recognition services and launchers. Similar tactics were previously associated with Dwphon, which targeted OTA update mechanisms.
Another observed method involves operation within systems already compromised by a separate pre-installed backdoor resembling BADBOX. Infrastructure overlaps have also been identified between Triada and BADBOX, suggesting botnet collaboration. In March 2025, further connections emerged between BADBOX and Vo1d, which targeted off-brand Android TV devices.
Keenadu has also been distributed through trojanized smart camera applications published on Google Play by Hangzhou Denghong Technology Co., Ltd. The affected applications included:
- Eoolii (com.taismart.global) – over 100,000 downloads
- Ziicam (com.ziicam.aws) – over 100,000 downloads
- Eyeplus – Your home in your eyes (com.closeli.eyeplus) – over 100,000 downloads
These applications have since been removed from Google Play. Equivalent versions were also published to the Apple App Store; however, the iOS variants did not contain malicious code, reinforcing the conclusion that Keenadu is specifically engineered to target Android tablets.
Security Implications: A Threat to Android’s Core Trust Model
Keenadu represents a severe threat due to its integration within libandroid_runtime.so, allowing it to operate within the context of every application. This effectively undermines Android's sandboxing model and provides covert access to all device data.
Its capacity to bypass standard permission controls transforms the malware into a full-fledged backdoor with unrestricted system-level authority. The sophistication of the implementation demonstrates advanced expertise in Android architecture, application lifecycle management, and core security mechanisms.
Keenadu stands out as a large-scale and highly complex malware platform capable of delivering persistent and adaptable control over compromised devices. Although currently leveraged primarily for advertising fraud, its architectural depth suggests a credible risk of escalation toward credential theft and broader cybercriminal operations.