Keenadu Backdoor Infects Android Firmware and Google Play Apps

Summary
– Keenadu is a sophisticated Android malware embedded in device firmware, granting attackers unlimited control and the ability to infect every installed app on a device.
– It spreads through multiple channels, including compromised over-the-air firmware updates, system apps, unofficial app sources, and apps on Google Play.
– The malware’s firmware-based variant avoids activation on devices with Chinese language or timezone settings and when Google Play services are absent.
– As of February 2026, Kaspersky confirmed 13,000 infections, with the malware capable of broad data theft and ad fraud, though removal requires installing clean firmware.
– Google has removed the malicious apps from Play Store, and Google Play Protect can warn users about known versions of the malware.
A newly identified and highly advanced Android malware, known as Keenadu, has been discovered deeply embedded within the firmware of various device brands. This sophisticated backdoor grants attackers unrestricted control over infected devices, compromising every installed application and posing a severe threat to user data and privacy.
Cybersecurity analysts at Kaspersky have detailed the malware’s multiple distribution channels. These include compromised firmware delivered through over-the-air (OTA) updates, delivery via other backdoors already present on the device, pre-installed system applications, and modified apps from unofficial sources. Alarmingly, Keenadu has also been distributed through apps available on the official Google Play store. Several variants exist, the most powerful being the firmware-integrated version. As of February 2026, researchers have confirmed infections on approximately 13,000 devices, with significant concentrations in Russia, Japan, Germany, Brazil, and the Netherlands.
The malware’s sophistication draws comparisons to the Triada family, previously found in counterfeit Android phones. The firmware-based variant exhibits specific avoidance behaviors: it will not activate if the device’s language or timezone is set to values associated with China, potentially hinting at its origin, and it halts operation if the Google Play Store and Play Services are absent. While its operators currently focus on ad fraud, Kaspersky warns that Keenadu’s capabilities extend to broad data theft and other high-risk actions on compromised devices.
This backdoor provides attackers with unlimited control, enabling them to infect every app on a device, silently install any application from APK files, and grant those apps any available permissions. Consequently, all information, including media files, messages, banking credentials, and location data, is at risk. The malware even monitors search queries entered into the Chrome browser while in incognito mode. A less functional variant, embedded within system apps, still possesses elevated privileges to install software without user notification. Researchers found one instance hidden inside a system-level facial recognition app used for device unlocking and authentication.
The discovery of Keenadu on Google Play involved smart home camera applications that had amassed around 300,000 downloads before being removed. When launched, these apps opened invisible browser tabs within the host application to navigate to websites in the background, a tactic similar to other malicious APKs identified earlier this year. The malware has also been confirmed in the firmware of Android tablets from multiple manufacturers. On the Alldocube iPlay 50 mini Pro tablet, the malicious firmware was dated August 2023. Following user reports in March 2024 about a compromised OTA server, the company acknowledged a “virus attack through OTA software” but did not specify the threat.
A technical analysis reveals that Keenadu compromises `libandroid_runtime.so`, a core Android system library loaded into every app process. This deep integration allows the malware to operate within the context of every application on the device. Because the malware is embedded so deeply in the firmware, standard Android tools cannot remove it. Experts recommend that users locate and install a clean, official firmware version for their specific device model. Installing reputable third-party firmware is an alternative, though it carries the risk of bricking the device due to incompatibility. For maximum safety, discontinuing use of the infected device and replacing it with a product from trusted, authorized vendors is advised.
In a subsequent statement, Google confirmed the removal of the malicious apps from Google Play. A spokesperson noted, “Android users are automatically protected from known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users and disable apps known to exhibit Keenadu associated behavior, even when those apps come from sources outside of Play. As a best security practice, we recommend users ensure their device is Play Protect certified.”
(Source: Bleeping Computer)