According to new findings from Kaspersky, a new Android backdoor deeply embedded in device firmware can silently collect data and remotely control the device.
The Russian cybersecurity vendor said it has discovered the backdoor, dubbed Keenadu, in the firmware of connected devices from various brands, including AlldoCube, with the compromise occurring during the firmware creation phase. Keenadu has been found in AlldoCube iPlay 50 Mini Pro firmware dated August 18, 2023. In all cases, the backdoor is embedded within the tablet firmware, and the firmware files carry valid digital signatures. The names of the other vendors were not disclosed.
“In many cases, the compromised firmware was distributed with OTA updates,” security researcher Dmitry Kalinin said in a detailed analysis published today. “A copy of the backdoor is loaded into the address space of every app upon launch. The malware is a multi-stage loader that provides its operators with unrestricted ability to remotely control a victim’s device.”
Some payloads received by Keenadu allow it to hijack search engines in browsers, monetize new app installs, and surreptitiously interact with advertising elements. One of the payloads has been found embedded in several standalone apps distributed through third-party repositories as well as official app marketplaces like Google Play and Xiaomi GetApps.
Telemetry data shows that 13,715 users worldwide have encountered Keenadu or its modules, with the majority of users attacked by the malware located in Russia, Japan, Germany, Brazil, and the Netherlands.
Keenadu was first disclosed by Kaspersky in late December 2025, described as a backdoor in libandroid_runtime.so, a critical shared library in the Android operating system that is loaded during boot. Once it is activated on an infected device, it is injected into the Zygote process, a behavior also seen in another Android malware called Triada.
The malware is invoked via a function call added to libandroid_runtime.so, after which it checks whether it is running within system apps related to Google services or cellular carriers like Sprint or T-Mobile. If so, execution is aborted. It also has a kill switch that terminates it when it finds files with certain names in system directories.
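Because the compromised firmware carries valid digital signatures, signature verification alone does not reveal a modified libandroid_runtime.so; what does is comparing the suspect image against an independently obtained reference build of the same firmware version. The following is an added example of that comparison, not code from Kaspersky or the article: it hashes two extracted firmware trees, reports modified, added and removed files, and flags any change to a watched system library. Both trees and their contents are constructed in a temporary directory, and all paths are hypothetical.

```python
"""Compare a suspect Android firmware tree against a known-good reference tree.

Added example (not Kaspersky's or the article's code). Assumes both firmware
images have already been extracted to directories; all paths are hypothetical.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# System components that firmware-level backdoors have been reported to modify.
WATCHLIST = ("libandroid_runtime.so",)


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large images are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file's path (relative to root, POSIX style) to its SHA-256."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = sha256_file(p)
    return out


def diff_firmware(reference: Path, suspect: Path) -> dict[str, list[str]]:
    """Report files that differ between the reference and suspect trees."""
    ref, sus = hash_tree(reference), hash_tree(suspect)
    return {
        "modified": sorted(k for k in ref.keys() & sus.keys() if ref[k] != sus[k]),
        "added": sorted(sus.keys() - ref.keys()),
        "removed": sorted(ref.keys() - sus.keys()),
    }


def flag_watchlist(report: dict[str, list[str]]) -> list[str]:
    """Return modified or added paths whose file name is on the watchlist."""
    return [p for p in report["modified"] + report["added"]
            if os.path.basename(p) in WATCHLIST]


def build_demo() -> tuple[Path, Path]:
    """Constructed sample data: a clean tree and a copy with a tampered runtime
    library plus an extra system APK. The file contents are placeholders."""
    base = Path(tempfile.mkdtemp())
    ref, sus = base / "reference", base / "suspect"
    for root in (ref, sus):
        (root / "system/lib64").mkdir(parents=True)
        (root / "system/app/Launcher").mkdir(parents=True)
        (root / "system/app/Launcher/Launcher.apk").write_bytes(b"launcher-apk-bytes")
    (ref / "system/lib64/libandroid_runtime.so").write_bytes(b"clean runtime")
    # Suspect copy: same library with bytes appended, plus an app the reference lacks.
    (sus / "system/lib64/libandroid_runtime.so").write_bytes(b"clean runtime\x00extra-code")
    (sus / "system/app/Extra").mkdir(parents=True)
    (sus / "system/app/Extra/Extra.apk").write_bytes(b"unexpected-apk")
    return ref, sus


if __name__ == "__main__":
    reference, suspect = build_demo()
    report = diff_firmware(reference, suspect)
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    print("watchlist hits:", flag_watchlist(report))
```

The reference tree must come from a source you trust independently of the device (for example, a clean image of the same version obtained directly from the vendor and hashed at receipt); hashing a second device of the same batch proves nothing if both shipped with the same firmware.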
“Next, the Trojan checks if it is running within the system_server process,” Kalinin said. “This process controls the entire system and has maximum privileges; it is launched by the Zygote process when it starts.”
If this check is true, the malware proceeds to create an instance of the AKServer class. Otherwise, it creates an instance of the AKClient class. The AKServer component contains the core logic and command-and-control (C2) mechanism, while the AKClient is injected into every app launched on the device and acts as a bridge to interact with AKServer.
This client-server architecture enables AKServer to execute custom malicious payloads tailored to the specific app it targets. AKServer also exposes a second interface that malicious modules downloaded in the context of other apps can use to grant or revoke permissions for an arbitrary app on the device, obtain the current location, and extract device information.
The AKServer component is also designed to run a series of checks that cause the malware to terminate itself if the interface language is Chinese and the device is located in a Chinese time zone, or if the Google Play Store or Google Play services are absent from the device. Once the required criteria are satisfied, the Trojan decrypts the C2 address and sends the device metadata to the server in encrypted form.
In response, the server returns an encrypted JSON object containing details about the payload. However, in what appears to be an effort to complicate analysis and avoid detection, an additional check built into the backdoor prevents the C2 server from serving any payload until 2.5 months have passed since the initial check-in.
“The attacker’s server provides information about the payload in the form of an object array,” Kaspersky explained. “Each object contains a download link for the payload, its MD5 hash, the target app package name, the target process name, and other metadata. Specifically, the attackers chose Amazon AWS as their CDN provider.”
Some of the identified malicious modules are listed below –
- keenadu loader, which targets popular online storefronts like Amazon, Shein and Temu to deliver unspecified payloads. It is suspected that these payloads make it possible to add items to the apps’ shopping carts without the victim’s knowledge.
- clicker loader, which has been injected into YouTube, Facebook, Google Digital Wellbeing and the Android system launcher to deliver payloads that can interact with advertising elements on gaming, recipe and news websites.
- google chrome module, which targets the Chrome browser to hijack search requests and redirect them to a different search engine. It is worth noting that a hijacking attempt may fail if the victim chooses one of the autocomplete suggestions based on the keywords entered in the address bar.
- nova clicker, which is embedded within the wallpaper picker and uses machine learning and WebRTC to interact with ad elements. The same component was named Phantom by Dr.Web in an analysis published last month.
- set up monetization, which is embedded in the system launcher and monetizes app installations by tricking advertising platforms into believing that an app was installed from a legitimate ad tap.
- google play module, which retrieves the Google Ads advertising ID and stores it under the key “S_GA_ID3” for possible use by other modules to uniquely identify a victim.
Kaspersky said it has also identified other Keenadu distribution vectors, including embedding the Keenadu loader within various system apps, such as a facial recognition service and the system launcher, in the firmware of many devices. This tactic has been seen in another Android malware known as Dwphon, which was integrated into system apps responsible for OTA updates.
The second method relates to a Keenadu loader artifact that is designed to operate on a system where the system_server process has already been compromised by a different pre-installed backdoor that shares similarities with BADBOX. Beyond that, Keenadu has also been found to be promoted through trojanized apps for smart cameras on Google Play.
The names of the apps published by the developer named Hangzhou Denghong Technology Co., Ltd. are as follows –
- Eoolii (com.taismart.global) – 100,000+ downloads
- Ziicam (com.ziicam.aws) – 100,00+ downloads
- EyePlus – Your Home in Your Eyes (com.closeli.eyeplus) – 100,000+ downloads
Although these apps are no longer available for download from Google Play, the developer has also published the same set of apps on the Apple App Store. It is unclear whether the iOS counterparts include Keenadu functionality. Hacker News has contacted Kaspersky for comment, and we will update the story if we hear back. That said, Keenadu is believed to be primarily designed to target Android tablets.
While BADBOX serves as the distribution vector for Keenadu in some cases, further analysis also revealed infrastructure connections between Triada and BADBOX, indicating that these botnets are interacting with each other. In March 2025, HUMAN said it identified overlap between BADBOX and Vo1d, an Android malware that targets off-brand Android-based TV boxes.
Keenadu’s discovery is troubling for two main reasons –
- Given that the malware is embedded in libandroid_runtime.so, it runs in the context of every app on the device. This allows it to gain covert access to all of their data and renders Android’s app sandboxing ineffective.
- The malware’s ability to bypass the permissions used to control app privileges within the operating system turns it into a backdoor that grants attackers unfettered access and control over the compromised device.
“Developers of backdoors pre-installed in Android device firmware have always stood out for their high level of expertise,” Kaspersky concluded. “This is still true for Keenadu: the creators of the malware have a deep understanding of the Android architecture, the app startup process, and the core security principles of the operating system.”
“Keenadu is a large-scale, complex malware platform that grants attackers unrestricted control over a victim’s device. Although we have currently shown that the backdoor is primarily used for various types of ad fraud, we do not rule out that in the future, the malware could follow in Triada’s footsteps and start stealing credentials.”