Kaspersky discovered a sophisticated Android backdoor named Keenadu, embedded in device firmware, that can silently harvest data and remotely control infected tablets. The backdoor is injected via libandroid_runtime.so into the Zygote process, uses a client-server AKServer/AKClient architecture to load malicious modules, and has been observed in firmware from Alldocube and other undisclosed vendors, impacting over 13,700 users worldwide. #Keenadu #Alldocube
Key points
- Keenadu is embedded in libandroid_runtime.so and injects into the Zygote process to run in every app’s context.
- The malware implements an AKServer/AKClient architecture to deliver payloads, exfiltrate data, and modify app permissions.
- Identified modules hijack Chrome searches, manipulate ads, monetize installs, and target popular storefronts and apps.
- Distribution vectors include compromised firmware delivered via OTA updates, trojanized apps on Google Play, and preinstalled system apps.
- Kaspersky telemetry indicates 13,715 encounters, with most victims located in Russia, Japan, Germany, Brazil, and the Netherlands.
Read More: https://thehackernews.com/2026/02/keenadu-firmware-backdoor-infects.html