Keenadu Android Backdoor Infects Firmware, Spreads via Google Play for Remote Control Access

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Kaspersky researchers have documented a sophisticated new Android backdoor, Keenadu, that infects device firmware at the build stage and spreads through Google Play apps, enabling attackers to seize remote control of victims’ tablets and phones.

Published on February 16, 2026, Kaspersky's detailed analysis reveals how the threat mirrors the Triada Trojan by hooking into the Zygote process, so that every launched app is compromised.

In April 2025, Kaspersky reported on Triada’s firmware compromise in counterfeit Android devices, where it exfiltrated credentials via Zygote infection. This led to deeper scrutiny, unearthing Keenadu in firmware from brands like Alldocube.

The backdoor embeds a malicious static library, libVndxUtils.a (MD5: ca98ae7ab25ce144927a46b7fee6bd21), into libandroid_runtime.so during firmware compilation.

Once deployed, often via OTA updates, it decrypts payloads using RC4, loads them via DexClassLoader into /data/dalvik-cache/, and establishes a client-server architecture with AKClient in apps and AKServer in system_server.

Infection Chain

Infection Mechanics and Payloads

Keenadu’s dropper in libandroid_runtime.so alters the println_native method to invoke __log_check_tag_count, decrypting and executing com.ak.test.Main. It evades Google/Sprint/T-Mobile apps and kill switches, then uses binder IPC for inter-process control.

AKServer broadcasts interfaces for permission grants and revokes, geolocation, and data exfiltration, while MainWorker queries C2 servers whose addresses are decrypted with AES-128 (the key is derived from the MD5 of “ota.host.ba60d29da7fd4794b5c5f732916f7d5c”).

Intercepted payloads target browsers (Chrome search hijacking via url_bar monitoring), launchers (install monetization via session tracking), and shopping apps (Amazon, SHEIN, Temu loaders for APKs), according to the Kaspersky report.

Backdoor Execution Flow

Modules like Nova/Phantom clicker use ML/WebRTC for ad fraud; others embed in facial recognition (com.aiworks.faceidservice, MD5: d840a70f2610b78493c41b1a344b6893) or launchers. Payloads employ DSA signatures, MD5 checks, and AES decryption before execution.

Supply chain compromise is evident: signed Alldocube firmwares (e.g., iPlay 50 mini Pro T811M from Aug 2023) include the backdoor, with source paths like D:workgitzhosak-client revealing developer artifacts. Kaspersky telemetry shows infections beyond Alldocube tablets.

Standalone apps on Google Play (e.g., smart camera software, 300k+ downloads) and Xiaomi GetApps embed modules like Nova clicker via services such as com.arcsoft.closeli.service.KucopdInitService. Google removed these after notification.

Apps on Google Play

Indicators and Connections

Kaspersky detects variants as HEUR:Backdoor.AndroidOS.Keenadu.*, Trojan-Downloader.AndroidOS.Keenadu.*, and Trojan-Dropper.AndroidOS.Gegu.*.

Type     Indicator                           Description
MD5      ca98ae7ab25ce144927a46b7fee6bd21    libVndxUtils.a malicious lib
MD5      4c4ca7a2a25dbe15a4a39c11cfef2fb2    Keenadu loader module
MD5      912bc4f756f18049b241934f62bfb06c    Chrome hijacker
MD5      f0184f6955479d631ea1b1ea0f38a35d    Nova/Phantom clicker
IP       67.198.232.4, 67.198.232.187        C2 resolutions
Domain   keepgo123.com, gsonx.com            Early C2 domains
Path     /ak/api/pts/v4                      C2 endpoint

Keenadu links to Triada, BADBOX, and Vo1d botnets via shared code, C2 overlaps (e.g., zcnewy[.]com), and payload drops. BADBOX deploys Keenadu loaders; Triada shares credential stealers.

Kaspersky counts over 13,715 victims worldwide, concentrated in Russia, Japan, Germany, and Brazil. For remediation: update the firmware if a clean version exists; disable infected system apps via ADB (e.g., pm disable com.aiworks.faceidservice); uninstall sideloaded apps; and avoid using the device until it is patched.
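An added triage helper, not code from Kaspersky or the article, that applies the remediation above offline: it matches previously captured `adb shell pm list packages` and `md5sum` output against the article's package and hash indicators and emits the corresponding disable commands. The sample outputs are constructed, the package-from-service prefix check is a heuristic, and `pm disable-user --user 0` is the form of the page's `pm disable` that works from an unrooted adb shell.

```python
"""Keenadu IoC triage over captured adb output (added example, not from the report)."""
import re

# Package and service names the article associates with Keenadu.
SUSPECT_PACKAGES = {"com.aiworks.faceidservice"}
SUSPECT_SERVICES = {"com.arcsoft.closeli.service.KucopdInitService"}

# MD5 indicators from the article's IoC table and text.
IOC_MD5 = {
    "ca98ae7ab25ce144927a46b7fee6bd21": "libVndxUtils.a malicious lib",
    "4c4ca7a2a25dbe15a4a39c11cfef2fb2": "Keenadu loader module",
    "912bc4f756f18049b241934f62bfb06c": "Chrome hijacker",
    "f0184f6955479d631ea1b1ea0f38a35d": "Nova/Phantom clicker",
    "d840a70f2610b78493c41b1a344b6893": "com.aiworks.faceidservice",
}

# Constructed sample captures standing in for real `adb shell pm list packages`
# and `md5sum` output (the second taken over files extracted from a firmware image).
SAMPLE_PM_LIST = "package:com.android.chrome\npackage:com.aiworks.faceidservice\npackage:com.example.launcher\n"
SAMPLE_MD5SUM = (
    "ca98ae7ab25ce144927a46b7fee6bd21  ./firmware_extract/libVndxUtils.a\n"
    "0123456789abcdef0123456789abcdef  ./firmware_extract/libc.so\n"
)


def find_suspect_packages(pm_output: str) -> list[str]:
    """Packages from `pm list packages` output that match a known name, or that
    are a dotted prefix of a known service name (heuristic: the service's
    package is not named on the page)."""
    found = []
    for line in pm_output.splitlines():
        pkg = line.strip().removeprefix("package:")
        if pkg in SUSPECT_PACKAGES or any(s.startswith(pkg + ".") for s in SUSPECT_SERVICES):
            found.append(pkg)
    return found


def match_iocs(md5sum_output: str) -> dict[str, str]:
    """Map each file path in `md5sum` output whose hash is a known IoC to its description."""
    hits = {}
    for line in md5sum_output.splitlines():
        m = re.match(r"^([0-9a-f]{32})\s+(.+)$", line.strip())
        if m and m.group(1) in IOC_MD5:
            hits[m.group(2)] = IOC_MD5[m.group(1)]
    return hits


def disable_commands(packages: list[str]) -> list[str]:
    """ADB commands that disable the matched packages for user 0 without root."""
    return [f"adb shell pm disable-user --user 0 {p}" for p in packages]
```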

This threat underscores firmware supply chain risks, demanding vendor audits and verified boots.
