CyberSecurityNews

Keenadu Android Malware Infects Firmware, Spreads via Google Play for Remote Control Access


Keenadu is a sophisticated new Android backdoor that is planted in device firmware at the build stage and also spreads through Google Play apps, giving attackers remote control over victims' tablets and phones.

Published on February 16, 2026, Kaspersky's detailed analysis reveals how this threat mirrors the Triada Trojan by hooking into the Zygote process, so that every app launched on the device is compromised.

In April 2025, Kaspersky reported on Triada’s firmware compromise in counterfeit Android devices, where it exfiltrated credentials via Zygote infection. This led to deeper scrutiny, unearthing Keenadu in firmware from brands like Alldocube.

The backdoor embeds a malicious static library, libVndxUtils.a (MD5: ca98ae7ab25ce144927a46b7fee6bd21), into libandroid_runtime.so during firmware compilation.

Once deployed, often via OTA updates, it decrypts payloads using RC4, loads them via DexClassLoader into /data/dalvik-cache/, and establishes a client-server architecture with AKClient in apps and AKServer in system_server.

Figure: Infection Chain

Infection Mechanics and Payloads

Keenadu's dropper in libandroid_runtime.so patches the println_native method to invoke __log_check_tag_count, which decrypts and executes com.ak.test.Main. It steers clear of Google, Sprint and T-Mobile apps and of kill switches, then uses Binder IPC for inter-process control.


AKServer exposes interfaces for permission grants and revokes, geolocation, and data exfiltration, while MainWorker queries C2 servers whose addresses are decrypted with AES-128 (keys derived from the MD5 of "ota.host.ba60d29da7fd4794b5c5f732916f7d5c").

Intercepted payloads target browsers (Chrome search hijacking via url_bar monitoring), launchers (install monetization via session tracking), and shopping apps (Amazon, SHEIN, Temu loaders for APKs), according to the Kaspersky report.

Figure: Backdoor Execution Flow

Modules like Nova/Phantom clicker use ML/WebRTC for ad fraud; others embed in facial recognition (com.aiworks.faceidservice, MD5: d840a70f2610b78493c41b1a344b6893) or launchers. Payloads employ DSA signatures, MD5 checks, and AES decryption before execution.

Supply chain compromise is evident: signed Alldocube firmware images (e.g., iPlay 50 mini Pro T811M from Aug 2023) include the backdoor, and source paths such as D:workgitzhosak-client expose developer artifacts. Kaspersky telemetry shows infections beyond Alldocube tablets.

Standalone apps on Google Play (e.g., smart camera software, 300k+ downloads) and Xiaomi GetApps embed modules like Nova clicker via services such as com.arcsoft.closeli.service.KucopdInitService. Google removed these after notification.

Figure: Apps on Google Play

Indicators and Connections

Kaspersky detects variants as HEUR:Backdoor.AndroidOS.Keenadu.*, Trojan-Downloader.AndroidOS.Keenadu.*, and Trojan-Dropper.AndroidOS.Gegu.*.

| Type   | Indicator                         | Description                  |
|--------|-----------------------------------|------------------------------|
| MD5    | ca98ae7ab25ce144927a46b7fee6bd21  | libVndxUtils.a malicious lib |
| MD5    | 4c4ca7a2a25dbe15a4a39c11cfef2fb2  | Keenadu loader module        |
| MD5    | 912bc4f756f18049b241934f62bfb06c  | Chrome hijacker              |
| MD5    | f0184f6955479d631ea1b1ea0f38a35d  | Nova/Phantom clicker         |
| IP     | 67.198.232.4, 67.198.232.187      | C2 resolutions               |
| Domain | keepgo123.com, gsonx.com          | Early C2 domains             |
| Path   | /ak/api/pts/v4                    | C2 endpoint                  |

Keenadu links to Triada, BADBOX, and Vo1d botnets via shared code, C2 overlaps (e.g., zcnewy[.]com), and payload drops. BADBOX deploys Keenadu loaders; Triada shares credential stealers.

Kaspersky counts over 13,715 victims worldwide, concentrated in Russia, Japan, Germany and Brazil. For remediation: update the firmware if a clean version exists; disable infected system apps via ADB (e.g., pm disable com.aiworks.faceidservice); uninstall sideloaded apps; and avoid using the device until it is patched.
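The indicator table and the ADB remediation step above lend themselves to a small triage script. The following Python is an added example written for this article, not code from Kaspersky or CyberSecurityNews: it matches constructed network log lines and a constructed `pm list packages` listing against only the IoCs the article publishes (the MD5s, C2 IPs, domains, endpoint path and the com.aiworks.faceidservice package). The log line format, the host names with a `tablet-NN` prefix and the subdomain `api.gsonx.com` are assumptions made up for the sample input.

```python
"""Triage helper: match log lines, file hashes and an Android package list
against the Keenadu indicators reported in the article.  Example code added
to the article; every indicator below is copied from its IoC table and text."""
import hashlib
import re

# MD5 hashes from the article's IoC table and body text.
MALICIOUS_MD5 = {
    "ca98ae7ab25ce144927a46b7fee6bd21": "libVndxUtils.a malicious lib",
    "4c4ca7a2a25dbe15a4a39c11cfef2fb2": "Keenadu loader module",
    "912bc4f756f18049b241934f62bfb06c": "Chrome hijacker",
    "f0184f6955479d631ea1b1ea0f38a35d": "Nova/Phantom clicker",
    "d840a70f2610b78493c41b1a344b6893": "com.aiworks.faceidservice module",
}
C2_IPS = {"67.198.232.4", "67.198.232.187"}
C2_DOMAINS = {"keepgo123.com", "gsonx.com", "zcnewy.com"}
C2_PATH = "/ak/api/pts/v4"
# Package the article names as carrying a Keenadu module.
SUSPECT_PACKAGES = {"com.aiworks.faceidservice"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def match_network_log(lines):
    """Return (line_no, indicator, reason) for every IoC hit in the lines.
    Domains match exactly or as a parent of the observed host name."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in C2_IPS:
                hits.append((n, ip, "C2 IP"))
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in C2_DOMAINS or any(h.endswith("." + d) for d in C2_DOMAINS):
                hits.append((n, host, "C2 domain"))
        if C2_PATH in line:
            hits.append((n, C2_PATH, "C2 endpoint path"))
    return hits


def classify_md5(digest):
    """Map a hex MD5 digest to the article's description, or None."""
    return MALICIOUS_MD5.get(digest.lower())


def check_blobs(blobs):
    """blobs: {name: bytes} pulled from a device; return {name: description}
    for every blob whose MD5 is a known Keenadu hash."""
    found = {}
    for name, data in blobs.items():
        desc = classify_md5(hashlib.md5(data).hexdigest())
        if desc:
            found[name] = desc
    return found


def remediation_commands(pm_output):
    """Parse `adb shell pm list packages` output ("package:<name>" per line)
    and emit the pm disable command the article recommends for each suspect
    package that is actually installed."""
    cmds = []
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:") and line[len("package:"):] in SUSPECT_PACKAGES:
            cmds.append(f"adb shell pm disable {line[len('package:'):]}")
    return cmds


# Constructed sample input (not real telemetry): a DNS/connection/HTTP log and
# a package listing from a hypothetical tablet.
SAMPLE_LOG = [
    "2026-02-16T10:01:02Z dns query tablet-01 keepgo123.com A",
    "2026-02-16T10:01:03Z conn tablet-01 -> 67.198.232.4:443",
    "2026-02-16T10:01:04Z http tablet-01 GET http://api.gsonx.com/ak/api/pts/v4",
    "2026-02-16T10:02:00Z dns query tablet-02 example.org A",
]
SAMPLE_PM = "package:com.android.chrome\npackage:com.aiworks.faceidservice\n"

if __name__ == "__main__":
    for hit in match_network_log(SAMPLE_LOG):
        print("network hit:", hit)
    for cmd in remediation_commands(SAMPLE_PM):
        print("remediation:", cmd)
```

The hash check is deliberately a lookup on a digest rather than a file path, so it can be fed from `adb pull`ed files, a firmware image unpacked on a workstation, or an EDR hash feed alike; the domain match allows subdomains because the article lists only apex C2 domains.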

This threat underscores firmware supply chain risk and the need for vendor build-pipeline audits and verified boot.
