# Keenadu
Firmware-level backdoor discovered by Kaspersky in February 2026. Keenadu compromises libandroid_runtime.so, a core Android system library that is loaded into every app process, which lets the backdoor run within the context of every app on the device. Because it is pre-installed in the device firmware through a supply chain compromise, it cannot be removed with standard Android tools. It shares C2 infrastructure and payload code with the BADBOX and Vo1d botnets.
## Overview
| Property | Value |
|---|---|
| First Seen | February 2026 |
| Type | Firmware-level backdoor / Supply chain compromise |
| Attribution | Unknown (linked to BADBOX and Vo1d botnet infrastructure) |
| Aliases | Connected to Triada, BADBOX, Vo1d ecosystems |
## Distribution
Pre-installed in device firmware during the manufacturing/supply chain process. Also found in smart home camera apps on Google Play (300,000+ downloads). Primarily affects tablets from multiple manufacturers.
## Capabilities
| Capability | Implementation |
|---|---|
| System library compromise | Modifies libandroid_runtime.so to operate within all app contexts |
| Full device control | Unlimited remote control via backdoor |
| Modular architecture | Browser search hijacking, app install monetization, stealthy ad interaction |
| Self-protection | Cannot be removed using standard Android OS tools |
| App infection | Can infect every installed app on the device |
| Permission escalation | Grants itself any available permissions |
| APK installation | Installs arbitrary APKs |
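Because the backdoor lives in a system library rather than an app, the practical defender check is integrity verification of the firmware itself: compare the hashes of core system libraries in an extracted image (or a `/system` tree pulled from a device) against a known-good manifest taken from the OEM factory image. The script below is an added example, not Kaspersky's or any vendor's tooling; the manifest, file contents and directory layout are constructed so it runs offline. A trojanised libandroid_runtime.so shows up as a hash mismatch, a library dropped into a system lib directory shows up as unexpected, and a removed file shows up as missing.

```python
"""Known-good manifest check for Android system libraries.

Added example (not the page's or any vendor's code). All file contents,
paths and hashes below are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

# Directories in which every file must appear in the manifest; anything
# else found there is reported as unexpected.
WATCHED_DIRS = ("system/lib64", "system/lib")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, rel_paths) -> dict:
    """Hash the listed files under a trusted image root (e.g. an OEM factory image)."""
    return {rel: sha256_file(root / rel) for rel in rel_paths}


def verify_image(root: Path, manifest: dict) -> dict:
    """Compare a suspect image/tree against the manifest.

    Returns sorted lists keyed by ok / modified / missing / unexpected.
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, good in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != good:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for d in WATCHED_DIRS:
        base = root / d
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file():
                rel = p.relative_to(root).as_posix()
                if rel not in manifest:
                    report["unexpected"].append(rel)
    for key in report:
        report[key].sort()
    return report


def _write(root: Path, rel: str, data: bytes) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo() -> dict:
    """Build a constructed pristine tree, snapshot it, tamper with a copy, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins for real system files (not real ELF/JAR content).
        libs = {
            "system/lib64/libandroid_runtime.so": b"\x7fELF constructed pristine runtime",
            "system/lib64/libc.so": b"\x7fELF constructed libc",
            "system/framework/framework.jar": b"PK constructed framework",
        }
        pristine = Path(tmp) / "factory"
        for rel, data in libs.items():
            _write(pristine, rel, data)
        manifest = build_manifest(pristine, libs)

        # Suspect tree: same files, then three constructed deviations.
        suspect = Path(tmp) / "device"
        for rel, data in libs.items():
            _write(suspect, rel, data)
        _write(suspect, "system/lib64/libandroid_runtime.so",
               b"\x7fELF constructed modified runtime")      # replaced core library
        _write(suspect, "system/lib64/libextra.so",
               b"\x7fELF constructed unknown library")       # unlisted library in lib64
        (suspect / "system/framework/framework.jar").unlink()  # listed file removed
        return verify_image(suspect, manifest)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

A hash mismatch on a system library is only as meaningful as the manifest's provenance, so the reference hashes must come from a factory image obtained directly from the OEM, not from another unit of the same model, since a supply-chain compromise can affect an entire batch. The same finding also says something about the device: on a device where Android Verified Boot and dm-verity are actually enforced, a modified system partition should fail verification at boot, so a modified library that boots cleanly indicates that verified boot is disabled or was re-signed along with the firmware.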
## Target Regions
| Country | Confirmed Infections |
|---|---|
| Russia | Primary |
| Japan | Significant |
| Germany | Significant |
| Brazil | Significant |
| Netherlands | Significant |
| Total | 13,715+ |
## Significance
Keenadu demonstrates the continued threat of supply chain compromise in the Android ecosystem, adding to the broader problem documented with Triada (found pre-installed in firmware since 2016) and the BADBOX and Vo1d botnets. Because the backdoor sits inside a core system library rather than in a removable app, traditional mobile security tools, which operate as ordinary apps on top of the compromised system, are ineffective for both detection and removal.