Android Tablet Firmware Backdoor Exposes Multiple Brands

Summary
– A new Android backdoor named Keenadu was discovered embedded in device firmware, allowing it to take control of apps and harvest data.
– The malware was inserted during the firmware build process, not after distribution, indicating a supply-chain compromise at the vendor level.
– Once active, the backdoor injects itself into every launched app, granting remote operators unrestricted control over the victim’s device.
– The malware’s capabilities include redirecting browser searches, tracking app installs for profit, and interacting with advertising elements.
– Over 13,000 users worldwide have been affected, with the highest attack numbers in Russia, Japan, Germany, Brazil, and the Netherlands.
A significant security threat has emerged targeting Android tablets, where a sophisticated backdoor was found embedded directly into the device firmware during manufacturing. This malware, identified by researchers as Keenadu, grants attackers remote control over infected devices, allowing them to manipulate apps and steal sensitive data. The discovery highlights a critical supply-chain vulnerability, indicating the compromise occurred before the tablets ever reached consumers.

Security analysts uncovered the malicious code within the firmware of tablets from multiple brands. The infection took place during the firmware build phase, where a harmful library was linked to a core system component. Once active on a device, the malware injects itself into a fundamental Android process, mirroring techniques used by older threats like Triada. In several cases, users received the compromised code through official over-the-air (OTA) system updates. A copy of the backdoor loads into every application launched on the device. This multi-stage loader provides its operators with extensive, remote control over the victim’s tablet.

Intercepted modules revealed the backdoor’s capabilities, which include redirecting web browser searches, tracking app installations for financial gain, and interacting with on-screen advertisements. Additional malicious payloads were also found concealed within applications distributed through third-party stores and, in some instances, official marketplaces like Google Play.

The investigation into how the firmware was compromised led researchers to publicly available firmware images for Alldocube iPlay 50 mini Pro tablets. Every version examined, including those released after the vendor was alerted to the malware, still contained the backdoor. All analyzed firmware files bore valid digital signatures, suggesting attackers did not merely tamper with finished updates. The evidence strongly indicates the Trojan was integrated during the build process. This points to a supply-chain attack, where one stage of the firmware production was compromised, leading to malicious code being included in the source code. Consequently, the device manufacturers may have been completely unaware their products were infected before shipping.

Affected vendors have been notified and are presumably working on releasing clean firmware updates. While Kaspersky did not publicly name all involved brands beyond Alldocube, users are strongly advised to check for and install any available software updates immediately. Until a fix is applied, researchers recommend avoiding the use of infected devices.

The Keenadu malware has also been detected within various pre-installed system apps on several devices, in tampered versions of popular apps from unofficial sources, and in apps found on Xiaomi’s GetApps store. Removing the malicious system apps is not straightforward for users, as they reside in a protected system partition, though they can sometimes be disabled or replaced. Other infected applications can be uninstalled normally.
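The paragraph above notes that malicious system apps sit on a read-only partition and can at best be disabled, while user-installed copies can be uninstalled. The script below is an added triage helper, not code from the article or from Kaspersky: it parses the output of `adb shell pm list packages -f`, classifies each package by partition, and emits the remediation command a defender would run for each package on a suspect list. The sample package list and the suspect package names are constructed placeholders, not real Keenadu indicators.

```shell
#!/bin/sh
# Added example (not from the article): classify packages by partition from
# `pm list packages -f` output and plan remediation for a suspect list.
# All package names and paths below are constructed placeholders.

# Constructed sample of `adb shell pm list packages -f` output
# (one line per package, format: package:<apk path>=<package name>).
SAMPLE_PM_OUTPUT='package:/system/priv-app/framework-res.apk=android
package:/system/app/PlaceholderSvc/PlaceholderSvc.apk=com.example.placeholder.svc
package:/data/app/~~x/com.example.thirdparty-1/base.apk=com.example.thirdparty
package:/product/app/Stub/Stub.apk=com.example.product.stub'

# Constructed suspect list, standing in for indicators published by the vendor
# or by researchers; one package name per line.
SUSPECTS='com.example.placeholder.svc
com.example.thirdparty'

# partition_of <pm_output> <package>: prints system, data or unknown.
# Anything under a read-only image (/system, /system_ext, /product, /vendor,
# /odm) counts as "system"; /data holds user-installed apps.
partition_of() {
  path=$(printf '%s\n' "$1" | sed -n "s|^package:\(.*\)=$2\$|\1|p")
  case "$path" in
    /system/*|/system_ext/*|/product/*|/vendor/*|/odm/*) echo system ;;
    /data/*) echo data ;;
    *) echo unknown ;;
  esac
}

# remediation_cmd <pm_output> <package>: a system app cannot be removed
# without reflashing, so it is disabled for the primary user; a user-installed
# app is uninstalled normally. Both commands exist in Android's pm tool.
remediation_cmd() {
  case "$(partition_of "$1" "$2")" in
    system) echo "adb shell pm disable-user --user 0 $2" ;;
    data)   echo "adb shell pm uninstall --user 0 $2" ;;
    *)      echo "# $2 is not installed on this device" ;;
  esac
}

# plan <pm_output> <suspects>: one remediation line per suspect package.
plan() {
  printf '%s\n' "$2" | while IFS= read -r pkg; do
    [ -n "$pkg" ] && remediation_cmd "$1" "$pkg"
  done
}

plan "$SAMPLE_PM_OUTPUT" "$SUSPECTS"
```

On a real device the sample variable would be replaced by `adb shell pm list packages -f` output, and the suspect list by whatever package names the vendor or researchers publish. Disabling a system package stops it from running for that user but leaves the backdoored firmware in place, so the clean OTA from the vendor remains the actual fix.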

Global telemetry data shows that over 13,700 users have encountered Keenadu or its components, with the highest number of attacks recorded in Russia, Japan, Germany, Brazil, and the Netherlands. Researchers have linked the Keenadu operation to other major Android botnet families, including Triada, BadBox, and Vo1d, suggesting a connected ecosystem of mobile threats.

(Source: HelpNet Security)