New Android Firmware Backdoor “Keenadu” Deeply Infects Tablets Worldwide
Cybersecurity researchers have uncovered a sophisticated new Android malware strain called Keenadu that is deeply embedded in the firmware of various Android tablets and can give attackers extensive control over infected devices. Unlike typical threats that arrive through malicious apps, Keenadu is implanted into the operating system during the firmware build process, meaning it can be present on a device before a user even unboxes it. This stealthy integration allows the malware to run inside a core system library and inject itself into every launched app, effectively bypassing Android’s built-in app isolation protections and giving attackers unfettered access to device behavior.
Once active, Keenadu operates through a client-server structure, with components loaded into system processes and apps that can communicate with a remote command-and-control server. The backdoor has been observed delivering various malicious payloads that hijack browser search engines, covertly monetize new app installations, interact with ads, and manipulate user interactions within popular apps. Some variants have even been distributed through signed over-the-air updates and trojanized apps that were available on official app platforms before removal.
Telemetry from security vendors indicates that more than 13,000 Android devices across multiple countries — including Russia, Japan, Germany, Brazil, and the Netherlands — have been infected with Keenadu or its modules, with the highest prevalence on lower-cost tablets from lesser-known manufacturers. Because the malware lives in firmware, it cannot be removed using standard device reset or uninstall tools without replacing the firmware entirely. Analysts also note that variants of Keenadu are closely linked with other major Android malware families, hinting at an interconnected ecosystem of persistent threats.
The discovery of Keenadu highlights a growing risk in mobile device supply chains, where malicious code can be introduced before devices reach consumers and evade detection by traditional security tools. Users and organizations are being urged to verify firmware integrity, monitor for unusual device behavior, and prefer devices with strong supply-chain security practices to mitigate the threat.
