Sophisticated Malware Found in Android Device Firmware
Security researchers at Kaspersky have discovered a sophisticated malware backdoor, named "Keenadu," embedded directly in the firmware of some Android devices. The malware is reportedly capable of being delivered through official over-the-air software updates, posing a significant risk to users who access secure systems from personal mobile devices.
- The malware, named Keenadu, was likely integrated into the firmware during the manufacturing process, indicating a supply-chain compromise in which a malicious dependency was added to the source code. This means devices were infected before they reached consumers.
- Keenadu injects itself into the Zygote process, which is the parent of all application processes in Android. This allows the malware to operate within the context of every app on the device, effectively bypassing Android's app sandboxing and permission controls.
- One of the identified device manufacturers affected is Alldocube, specifically its iPlay 50 mini Pro tablet. Kaspersky noted that even firmware updates released after the manufacturer acknowledged the issue still contained the backdoor.
- The malware functions as a multi-stage loader, giving operators remote control to execute various payloads. Observed malicious activities include hijacking browser searches, monetizing app installations, and interacting with advertisements.
- Because Keenadu is embedded in the core `libandroid_runtime.so` library within the read-only system partition, it cannot be removed through standard methods such as a factory reset. The only remedies are a firmware update from the manufacturer or manually flashing clean firmware.
- As of February 2026, Kaspersky had identified approximately 13,715 users who had encountered Keenadu or its modules, with the majority located in Russia, Japan, Germany, Brazil, and the Netherlands.
- The operational behavior of Keenadu shares similarities with a previously discovered Android malware called Triada, which also embedded itself in device firmware.
- Interestingly, the malware appears to have avoidance logic, checking the device's language and time zone and terminating its execution if the language is a Chinese dialect and the time zone is set to China.
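Because the backdoor lives inside `libandroid_runtime.so` on the read-only system partition, the practical check for a defender is an integrity comparison of that library against a copy taken from firmware known to be clean, together with a look at the device's verified-boot state. The script below is an added example, not Kaspersky's tooling or anything from the manufacturer: it hashes a library file pulled from a device (for instance with `adb pull /system/lib64/libandroid_runtime.so`), compares it with a known-good SHA-256 digest that you must supply yourself (the placeholder constant is not a real indicator), and parses `getprop` output for the real Android properties `ro.boot.verifiedbootstate` and `ro.boot.veritymode`. The sample property output embedded at the bottom is constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Placeholder, NOT a real Keenadu indicator: replace with the SHA-256 of
# libandroid_runtime.so extracted from a firmware image you trust.
KNOWN_GOOD_SHA256 = "<sha256 of libandroid_runtime.so from a clean image>"


def sha256_of(path):
    """Stream a file through SHA-256 so large system libraries fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def lib_is_clean(path, expected_sha256):
    """True when the pulled library matches the known-good digest exactly."""
    return sha256_of(path).lower() == expected_sha256.lower()


def parse_getprop(text):
    """Parse `adb shell getprop` output, which prints '[key]: [value]' per line."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue  # skip blank or unexpected lines
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def verified_boot_findings(props):
    """Return human-readable findings about the device's verified-boot state.

    An empty list means the bootloader reported a locked, verified boot chain
    with dm-verity enforcing. That does NOT prove the firmware is benign: a
    backdoor that shipped inside the manufacturer-signed image passes these
    checks, which is why lib_is_clean() is the decisive test.
    """
    findings = []
    state = props.get("ro.boot.verifiedbootstate", "")
    if state != "green":
        findings.append(f"verifiedbootstate={state or '<unset>'} (expected green)")
    mode = props.get("ro.boot.veritymode", "")
    if mode != "enforcing":
        findings.append(f"veritymode={mode or '<unset>'} (expected enforcing)")
    return findings


# Constructed sample of `getprop` output used only for the demonstration.
SAMPLE_GETPROP = """\
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
[ro.product.model]: [EXAMPLE-TABLET]
"""


def demo():
    """Run both checks on a temporary stand-in for the pulled library."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "libandroid_runtime.so"
        lib.write_bytes(b"constructed stand-in for a pulled system library")
        # Against a clean image the expected digest would come from that image;
        # here the reference digest is computed from the stand-in itself.
        reference = sha256_of(lib)
        clean = lib_is_clean(lib, reference)
    findings = verified_boot_findings(parse_getprop(SAMPLE_GETPROP))
    return clean, findings


if __name__ == "__main__":
    is_clean, issues = demo()
    print("library matches reference:", is_clean)
    print("verified-boot findings:", issues or "none")
```

The ordering of the two checks matters: verified boot only attests that the system partition is the one the manufacturer signed, so a device carrying Keenadu in its official firmware will still report `green`/`enforcing`. Only the digest comparison against a library from a trusted image distinguishes a backdoored `libandroid_runtime.so` from a clean one, and a mismatch after an official update is exactly the situation the report describes for the affected tablet.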