Keenadu: The Android Backdoor Hidden in Firmware

What Is Keenadu?

Keenadu is a firmware-level Android backdoor discovered by researchers at Kaspersky. Firmware is the low-level software that runs before the Android operating system fully loads. It acts as a foundation for everything else on the device.

In this case, attackers modified a core Android system library called libandroid_runtime.so. This library is loaded very early during the boot process and becomes part of the Zygote process, which is essentially the parent process for all Android apps.

Because of that, the malicious code gets loaded into every app that runs on the device. That gives it visibility and influence across the entire system.

This is very different from normal Android malware, which is usually confined to a single app and limited by Android’s permission system.

How Did It Get There?

The most concerning part is how Keenadu appears to have been introduced.

Researchers believe the malicious code was inserted during the firmware build process. In other words, it was added before the devices were shipped to customers. That makes this a supply chain compromise.

Instead of infecting users directly, attackers likely gained access to the development or distribution pipeline and modified the firmware image itself. As a result, affected devices may have come preloaded with the backdoor right out of the box.

In some cases, similar components were also found in system apps and third-party app stores, which suggests multiple distribution paths.

What Can Keenadu Do?

Keenadu functions as a multi-stage backdoor. Once active, it can:

• Communicate with a remote command-and-control server
• Download and execute additional modules
• Inject itself into running apps
• Interact with Android’s internal services
• Potentially manipulate permissions

So far, researchers observed modules related to ad fraud, such as hijacking search results and generating revenue through unwanted ad interactions.

However, the underlying capabilities go much further. Because the backdoor operates at such a deep level, it could theoretically be used to collect sensitive information, install additional malware, or remotely control parts of the device.

The ad fraud activity may simply be a way to monetize access rather than the full extent of its potential.

Why Firmware Malware Is So Serious

Firmware-level threats are particularly dangerous for a few reasons:

• They load before the operating system fully starts.
• They operate below the level where most security tools run.
• They often survive factory resets.

Traditional antivirus apps and Google Play Protect focus on applications. They are not designed to detect modifications inside core system libraries.

In many cases, the only reliable way to remove firmware-level malware is to reflash the device with a clean, verified firmware image. For average users, that is not always simple or even possible.

Who Is Affected?

Reports indicate that infections were primarily found on lower-cost Android tablets and devices from lesser-known manufacturers. Thousands of affected devices have been identified across multiple countries.

Major premium brands do not appear to be linked to this specific campaign, but the incident highlights a broader risk in the Android ecosystem, especially within complex global supply chains.

What This Means for Users

Keenadu is a reminder that security risks do not always come from something you download. Sometimes the issue can exist long before the device reaches your hands.

If you are buying budget Android hardware:

• Purchase from reputable vendors
• Check for official firmware updates from the manufacturer
• Be cautious of devices that show unusual behavior such as unexplained ads or strange network activity
• Avoid unofficial firmware or ROM sources

For organizations that deploy Android devices at scale, supply chain verification and firmware integrity checks are becoming increasingly important.

References