Keenadu Backdoor Discovered in Android Firmware and Google Play Apps
Security researchers have uncovered a sophisticated Android backdoor called Keenadu that has been embedded directly into device firmware and distributed through Google Play apps, giving attackers extensive control over infected devices.
According to cybersecurity firm Kaspersky, Keenadu spreads through multiple channels, including compromised over-the-air (OTA) firmware updates, other backdoors, system applications, modified apps from unofficial sources, and even apps hosted on Google Play.
As of February 2026, more than 13,000 infected devices have been confirmed, with cases reported in Russia, Japan, Germany, Brazil, and the Netherlands.
Firmware-Level Infection With Deep System Control
Keenadu exists in several variants, with the most dangerous version embedded directly into firmware. This version integrates deeply into the Android operating system, making it nearly impossible to remove using standard tools.
Researchers found that Keenadu compromises the libandroid_runtime.so component — a core Android library — allowing it to operate within the context of every app installed on the device. This gives attackers unrestricted access and control.
The malware can:
- Infect every installed app
- Install APK files silently
- Grant apps any requested permissions
- Access media, messages, banking credentials, and location data
- Monitor Chrome search queries, even in incognito mode
Kaspersky described Keenadu as a fully functional backdoor capable of unlimited device control.
Interestingly, the firmware-based variant does not activate if the device’s language or timezone is set to China, which may be a clue to its origin. It also disables itself if Google Play Store and Play Services are not present.
Spread Through System Apps and Google Play
A less powerful variant of Keenadu was found embedded inside system applications, including a facial recognition app used for unlocking devices and authentication. Even though this version has fewer capabilities, it can still silently install applications without user notification due to elevated privileges.
Kaspersky also discovered Keenadu loader apps on Google Play, including smart home camera apps that had accumulated around 300,000 downloads before being removed.
When launched, these apps opened invisible browser tabs in the background, navigating to websites without user knowledge — activity similar to previously identified malicious APK campaigns.
Following the disclosure, Google confirmed that the malicious apps were removed from Google Play.
Links to Compromised Firmware and Supply Chain Risks
Kaspersky compared Keenadu to the Triada malware family, which was previously found in counterfeit Android devices distributed through questionable supply chains.
The researchers detected Keenadu embedded in firmware on Android tablets from multiple manufacturers. One confirmed case involved the Alldocube iPlay 50 mini Pro, where the infected firmware image was dated August 18, 2023.
In March 2024, a customer reported that the OTA update server for Alldocube devices had been compromised, allowing attackers to insert malware into firmware updates. The company acknowledged a “virus attack through OTA software” but did not provide further details.
Removal Challenges and Safety Recommendations
Because Keenadu is embedded at the firmware level, it cannot be removed using standard Android security tools or factory resets.
Kaspersky recommends:
- Installing a clean, verified firmware version from the manufacturer
- Using reputable third-party firmware only with caution, due to potential device incompatibility
- Replacing the device entirely with one purchased from trusted vendors and authorized distributors
Google stated that users are protected against known Keenadu variants by Google Play Protect, which is enabled by default on devices running Google Play Services. Play Protect can warn users and disable malicious apps, even those installed from outside Google Play.
Users are encouraged to ensure their devices are Play Protect certified for optimal protection.
This is a serious and alarming discovery. Firmware-level malware like Keenadu shows how supply chain attacks are becoming more advanced and harder to detect. Users should be extremely cautious when purchasing low-cost devices and always ensure their firmware updates come from trusted sources. It’s good to see Google removing malicious apps quickly, but this highlights the need for stronger security controls at the firmware level.