Keenadu embedded in Android tablet firmware
Kaspersky found Keenadu embedded in validly signed Android tablet firmware, including Alldocube images, after a malicious static library entered the firmware build chain.
Story
Keenadu is a firmware-level Android backdoor. Kaspersky traced one public example through Alldocube tablet firmware images, including iPlay 50 mini Pro releases, and found validly signed images containing the malicious changes.
The insertion point was libandroid_runtime.so, the core native library of the Android framework, which Zygote, the parent process of every Android application, loads once at boot. A malicious static library, libVndxUtils.a, was linked into it during the firmware build and contributed code that loaded Keenadu inside Zygote.
That placement broke the normal app boundary: every app process is forked from Zygote, so the backdoor was already present in each app's address space without any app-level exploit and outside the per-app sandbox. Keenadu could run in the context of installed apps, collect device metadata, install additional APKs, inject modules into apps such as Chrome and YouTube, hijack search traffic, and simulate ad clicks or app installs.
Kaspersky concluded that a stage of the firmware supply chain itself was compromised, not merely an OTA download server. The images carried valid signatures and the build artifacts show the malicious code entering before firmware release, so affected tablets could arrive already compromised out of the box.
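A practical first check for anyone holding Alldocube (or other) firmware images is to hash the libandroid_runtime.so copies in the unpacked image and look for remnants of the linked-in library. The script below is an added example for this page, not Kaspersky's or Alldocube's tooling. It assumes two things the record does not state: that the md5 listed under Hashes identifies a trojanized libandroid_runtime.so, and that symbol or section names derived from libVndxUtils.a (the `VndxUtils` substring) survive in the linked binary. A string hit is therefore a lead for deeper analysis, not proof; the sample bytes are constructed for illustration.

```python
"""Triage libandroid_runtime.so copies from an unpacked firmware image.

Added example, not the incident record's own tooling. Assumptions:
  * KNOWN_BAD_MD5 is the md5 from the record, assumed to be the hash of a
    trojanized libandroid_runtime.so (the record does not say which file).
  * INDICATOR_STRINGS are hypothetical: the name of the malicious static
    library and a symbol substring derived from it may or may not survive
    stripping. Treat a hit as a lead, not a verdict.
"""
import hashlib
import re
import sys
from pathlib import Path

# md5 taken from the incident record (Affected Artifacts / Hashes).
KNOWN_BAD_MD5 = {"ca98ae7ab25ce144927a46b7fee6bd21"}

# Hypothetical indicator substrings (assumption, see module docstring).
INDICATOR_STRINGS = (b"libVndxUtils", b"VndxUtils")

MIN_STRING_LEN = 6
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

# Constructed sample bytes: a fake ELF header followed by a few strings,
# standing in for a real library. Not real firmware content.
SAMPLE_INFECTED = (b"\x7fELF" + b"\x00" * 8 + b"JNI_OnLoad\x00"
                   + b"_ZN9VndxUtils4initEv\x00" + b"libVndxUtils.a\x00")
SAMPLE_CLEAN = b"\x7fELF" + b"\x00" * 8 + b"JNI_OnLoad\x00" + b"AndroidRuntime\x00"


def md5_of(data: bytes) -> str:
    """Hex md5 of a byte string (the record lists md5 indicators)."""
    return hashlib.md5(data).hexdigest()


def printable_strings(data: bytes):
    """Yield runs of printable ASCII, like the `strings` utility."""
    for m in _PRINTABLE.finditer(data):
        yield m.group(0)


def triage(data: bytes) -> dict:
    """Return findings for one libandroid_runtime.so image held in memory."""
    digest = md5_of(data)
    hits = sorted({s.decode("ascii") for s in printable_strings(data)
                   if any(ind in s for ind in INDICATOR_STRINGS)})
    hash_match = digest in KNOWN_BAD_MD5
    if hash_match:
        verdict = "known-bad"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no-indicators"
    return {
        "md5": digest,
        "is_elf": data[:4] == b"\x7fELF",
        "hash_match": hash_match,
        "indicator_strings": hits,
        "verdict": verdict,
    }


def triage_file(path) -> dict:
    return triage(Path(path).read_bytes())


def find_runtime_libs(root):
    """Locate every libandroid_runtime.so under an unpacked image tree.
    64-bit builds ship both a lib/ and a lib64/ copy; check both."""
    return sorted(Path(root).rglob("libandroid_runtime.so"))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: triage_runtime.py <unpacked-firmware-dir>")
        sys.exit(2)
    for lib in find_runtime_libs(sys.argv[1]):
        r = triage_file(lib)
        print(f"{lib}: {r['verdict']} md5={r['md5']} "
              f"strings={r['indicator_strings']}")
```

Run it against the directory produced by unpacking `system.img` (or `system_ext`/`vendor`, wherever the vendor placed the library). A `no-indicators` result only means this heuristic found nothing; the authoritative check remains comparing the file hash against the vendor's published clean build and inspecting Zygote's loaded modules on a booted device.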
Affected Artifacts
- Observed: 2023-08-18 to 2026-02-17
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes: md5:ca98ae7ab25ce144927a46b7fee6bd21
- Evidence: distribution: alldocube.com/en/firmware, mirror: securelist.com/keenadu-android-backdoor/118913, malware: HEUR:Backdoor.AndroidOS.Keenadu, file: libandroid_runtime.so, +4 more
- Kaspersky identified Alldocube as one investigated example and said telemetry also showed infected tablet firmware from other manufacturers.
- Kaspersky reported more than 13,000 infected endpoints. In the firmware-level cases Keenadu was used mostly for ad fraud, but its position in Zygote gave it broader device control.
Incident Context
- Motive: Ad Fraud, Data Theft
- Cause: Firmware Supply Chain Compromise
- Transitive: No
- User Impact: 13,000 (infected endpoints reported by Kaspersky)
External References
Source record: proprietary/keenadu/meta.yaml