TL;DR Researchers found a firmware-level Android backdoor called Keenadu preinstalled on certain tablets before sale.
The malware injects into Android’s Zygote process, giving attackers broad control over apps and data on the tablets.
The issue appears limited to lesser-known tablet brands. Affected users should install any vendor updates, though for at least one model every firmware release examined, including post-disclosure ones, still carried the backdoor.
Worrying as it is, most Android malware at least spreads through shady apps or dodgy downloads, giving you some say over whether you get infected. But security researchers say they’ve found something more unsettling: a backdoor built directly into the firmware of certain Android tablets before they even reached users.
According to a report highlighted by Help Net Security, Kaspersky researchers uncovered a new Android backdoor named Keenadu, embedded in the firmware of tablets from multiple manufacturers. Rather than infecting devices after purchase, the malware appears to have been baked into the software of the tablets from the start during the firmware build process.
Once active, the backdoor injects itself into Android’s Zygote process, the system process from which every app process on the device is forked. Code injected there is inherited by every app as it launches, which gives whoever controls it sweeping visibility and control across the system. Researchers say Keenadu can download additional modules capable of redirecting browser searches, tracking app installs for profit, and interacting with advertising elements. Operating at this level gives it far more reach than a typical malicious app.
One confirmed example involves firmware images for the Alldocube iPlay 50 mini Pro tablet. Researchers said every version they examined contained the backdoor, including releases issued after the vendor had acknowledged malware reports. The firmware files carried valid digital signatures, suggesting the images weren’t altered after they were signed: the vendor’s own signing step was applied to images that already contained the backdoor. Instead, the evidence points to a supply-chain compromise, meaning the malicious code was likely introduced during the software development or build process, before signing.
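The distinction the researchers draw is worth making concrete: a valid signature proves only that the vendor signed what its build produced, not that the build was clean. The following is an added example, not code from the Kaspersky report, Alldocube or any vendor. It simulates a minimal firmware pipeline in which a compromised build host adds a module before the vendor signs the image. The "source tree", the injected module and the signing key are all constructed here, and HMAC-SHA256 stands in for the vendor’s asymmetric code-signing key so the script runs with the standard library alone; the reasoning is the same for RSA or ECDSA signatures.

```python
"""Why a validly signed firmware image can still carry a build-time backdoor.

Added example (constructed pipeline, payload and key; HMAC stands in for the
vendor's asymmetric signing key so this runs on the standard library only).
"""
import hashlib
import hmac

# Constructed stand-in for the vendor's private code-signing key.
VENDOR_SIGNING_KEY = b"vendor-private-key-constructed"

# Constructed stand-in for the known-good source tree of the system image.
CLEAN_SOURCES = {
    "system/framework/framework.jar": b"clean framework bytes",
    "system/lib64/libandroid_runtime.so": b"clean runtime bytes",
}

# Constructed stand-in for a module a compromised build host slips in.
# This is illustrative bytes only, not any real backdoor.
INJECTED_MODULE = {"system/lib64/libinjected.so": b"constructed backdoor bytes"}


def build_image(sources: dict, compromised: bool = False) -> bytes:
    """Deterministically assemble an image from source files.

    On a compromised build host the extra module is added *before* the image
    reaches the signing step, so the vendor ends up signing the backdoor too.
    Sorting makes the build reproducible: same inputs, same bytes.
    """
    files = dict(sources)
    if compromised:
        files.update(INJECTED_MODULE)
    return b"".join(
        path.encode() + b"\0" + data + b"\0" for path, data in sorted(files.items())
    )


def sign_image(image: bytes) -> bytes:
    """Vendor signing step: signs whatever the build produced, good or bad."""
    return hmac.new(VENDOR_SIGNING_KEY, image, hashlib.sha256).digest()


def verify_signature(image: bytes, signature: bytes) -> bool:
    """What a device's update verifier checks: was this exact image signed by the vendor?"""
    return hmac.compare_digest(sign_image(image), signature)


def tamper_after_signing(image: bytes) -> bytes:
    """The other scenario: someone alters the image after the vendor signed it."""
    return image + b"\0" + b"system/lib64/libtampered.so" + b"\0" + b"post-signing bytes" + b"\0"


def matches_independent_build(shipped_image: bytes) -> bool:
    """Reproducible-build check: rebuild from the known sources on a trusted host
    and compare digests. This catches code added on the build host, which
    signature verification by design cannot."""
    expected = hashlib.sha256(build_image(CLEAN_SOURCES)).hexdigest()
    return hashlib.sha256(shipped_image).hexdigest() == expected


def main() -> None:
    for label, compromised in (("clean build host", False), ("compromised build host", True)):
        image = build_image(CLEAN_SOURCES, compromised=compromised)
        sig = sign_image(image)
        print(
            f"{label}: signature valid={verify_signature(image, sig)}, "
            f"matches independent rebuild={matches_independent_build(image)}"
        )
    # Post-signing tampering is the case a signature *does* catch.
    clean = build_image(CLEAN_SOURCES)
    print(f"tampered after signing: signature valid={verify_signature(tamper_after_signing(clean), sign_image(clean))}")


if __name__ == "__main__":
    main()
```

Both images pass signature verification, because the vendor signed both; only the image altered after signing fails. Comparing the shipped image against an independent rebuild of the known sources is what distinguishes the compromised build from the clean one, which is the kind of check that a signature alone never provides.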
Kaspersky says 13,715 users worldwide have encountered Keenadu or its modules, with the highest numbers recorded in Russia, Japan, Germany, Brazil, and the Netherlands. The company also linked the threat to other known Android botnet families, including Triada, BadBox, and Vo1d.