
Your New Android Tablet May Have Been Compromised Before You Even Opened the Box

Kaspersky exposes Keenadu, a firmware-level Android backdoor pre-installed on tablets that hijacks every app on the device and is linked to the BADBOX, Triada, and Vo1d botnets.


A new Android backdoor called Keenadu was shipped inside tablet firmware before devices ever reached consumers' hands — and it's already claimed over 13,700 victims across Russia, Japan, Germany, Brazil, and the Netherlands.

Kaspersky's Global Research and Analysis Team published findings Monday revealing that Keenadu was embedded into Android devices during the firmware build phase — not after the fact. That distinction matters enormously. Because the malware lives inside libandroid_runtime.so (a core Android system library that every app on the device touches at launch), it can't be uninstalled, quarantined, or removed using standard Android tools without bricking the device entirely.

Infected Before It Shipped

Kaspersky traced the outbreak to Alldocube tablets — including the iPlay 50 mini Pro — where compromised firmware dates back to August 2023. All subsequent firmware versions for that model remained infected, including updates released after Alldocube publicly acknowledged a "virus attack through OTA software" in March 2024. Critically, the company never disclosed which malware was involved or how deep the compromise ran.

The researchers found a malicious static library — libVndxUtils.a — disguised as a legitimate MediaTek component and traced it back to a developer's Windows machine via leftover build paths (D:\work\git\zh\os\ak-client\). The firmware images all carried valid digital signatures, meaning an attacker gained access to private signing keys — a strong indicator that the compromise happened at a software supply chain level, not through a post-market hack.

"One stage of the firmware supply chain was compromised, leading to the inclusion of a malicious dependency within the source code," Kaspersky noted. "Consequently, the vendors may have been unaware that their devices were infected prior to reaching the market."

What Keenadu Actually Does

Once a device boots, Keenadu injects itself into Zygote — Android's master process that spawns every single app — giving it access to everything running on the device. The malware operates as a hidden client-server system: a component called AKServer runs with maximum privileges inside system_server, while AKClient is silently loaded into every app at launch.

Attackers can remotely grant or revoke any app permission, retrieve the device's location, and push down modular payloads tailored to specific apps. Intercepted payloads include a Google Chrome hijacker that redirects search queries and exfiltrates what you type in the address bar, an ad-click fraud module targeting Wallpaper, YouTube, and Facebook, and an install monetisation module that silently fakes ad-driven app installs on your behalf.

Users of infected Alldocube tablets have reported their Amazon shopping carts mysteriously filling with items — and strange, random sounds playing at full volume with no identifiable source.

"Keenadu is a fully functional backdoor that provides the attackers with unlimited control over the victim's device," Kaspersky told BleepingComputer. "It can infect every app installed on the device, install any apps from APK files, and give them any available permissions."

The Bigger Threat: A Botnet Alliance

Perhaps the most alarming part of the report is what it reveals about the Android threat ecosystem. Kaspersky found that Keenadu shares code similarities with BADBOX — a well-documented malware platform — and confirmed that BADBOX was actively deploying Keenadu loaders onto compromised devices. They also uncovered a 2022 WhatsApp modification that turned out to contain both Triada and BADBOX running from the same entry point, suggesting coordinated joint operations between separate criminal groups.

The web of connections is now confirmed: Triada ↔ BADBOX ↔ Vo1d ↔ Keenadu. Four of Android's most prolific botnets, each separately dangerous, appear to be sharing infrastructure, code, and victims.

The malware reached Google Play too — smart camera apps collectively downloaded over 300,000 times were found to contain Keenadu's Nova clicker module. Google removed them after being notified.

What You Should Do

If you own an Android tablet — particularly a budget model — Kaspersky's advice is blunt:

  • Check for firmware updates immediately. A clean version may already be available.
  • Run a reputable mobile security scanner to verify whether the update actually resolved the issue.
  • If no clean firmware exists, the only real fix is manually reflashing the device — a process that carries its own risk of bricking.
  • Until the device is confirmed clean, stop using it for anything sensitive.
  • If Keenadu was found in a system app (like the facial recognition service or launcher), disable it via ADB: adb shell pm disable --user 0 [package name] and find an alternative.
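The ADB step above, worked into a small triage helper. This is an added example, not code from the article or from Kaspersky: it classifies a package by the partition its APK lives on (firmware-resident apps can only be disabled, never uninstalled), disables it for user 0, and confirms the result. The package names and listing below are constructed sample data; the adb calls assume USB debugging is authorised, and the use of pm disable-user rather than pm disable is an assumption about what an unrooted adb shell accepts.

```shell
# Added triage helper for the ADB step above (not from the article or Kaspersky).
# Assumes adb is on PATH and the tablet is authorised for USB debugging.
set -eu

# Constructed sample of "adb shell pm list packages -f" output (not real data).
SAMPLE_LISTING='package:/system/priv-app/FaceUnlock/FaceUnlock.apk=com.example.faceunlock
package:/data/app/~~abc==/com.example.notes-1/base.apk=com.example.notes
package:/vendor/app/VendorLauncher/VendorLauncher.apk=com.example.launcher'

# apk_partition LINE: print the partition holding the APK (system, vendor, data ...).
apk_partition() {
    printf '%s\n' "$1" | sed -n 's#^package:/\([^/]*\)/.*#\1#p'
}

# is_firmware_app LINE: succeed when the APK sits on a read-only firmware
# partition, i.e. it cannot be uninstalled from the device, only disabled.
is_firmware_app() {
    case "$(apk_partition "$1")" in
        system|system_ext|vendor|product|odm) return 0 ;;
        *) return 1 ;;
    esac
}

# triage_report PKG LISTING: not_installed, user, or firmware:<partition>.
triage_report() {
    line=$(printf '%s\n' "$2" | grep -- "=$1\$" || true)
    if [ -z "$line" ]; then echo not_installed
    elif is_firmware_app "$line"; then echo "firmware:$(apk_partition "$line")"
    else echo user
    fi
}

# disable_pkg PKG: disable for user 0 and confirm via "pm list packages -d".
# "pm disable-user" is the form an unrooted adb shell accepts (assumption;
# plain "pm disable" needs root).
disable_pkg() {
    adb shell pm disable-user --user 0 "$1"
    adb shell pm list packages -d | grep -qxF -- "package:$1"
}

# Live run only when a package is named, e.g.
#   ADB_TRIAGE_PKG=com.example.faceunlock sh triage.sh
if [ -n "${ADB_TRIAGE_PKG:-}" ]; then
    listing=$(adb shell pm list packages -f)
    echo "$ADB_TRIAGE_PKG: $(triage_report "$ADB_TRIAGE_PKG" "$listing")"
    disable_pkg "$ADB_TRIAGE_PKG" && echo "$ADB_TRIAGE_PKG disabled"
fi
```

A package reported as firmware:system or firmware:vendor is part of the image itself, so if it comes back enabled after a reboot or a later OTA, the reflash route in the list above is the only remaining option.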

For devices where libandroid_runtime.so is infected, there is no software-only fix. The threat is, by design, deeper than Android's security model can reach from the outside.
