Firmware-Level Android Backdoor “Keenadu” Discovered, Exposing Supply Chain Compromise in Pre-Installed Devices

CyberDefender 7 mins0

In early 2026, researchers at Kaspersky’s Global Research & Analysis Team (GReAT) uncovered a sophisticated Android backdoor, Keenadu, that represents one of the most pervasive and technically advanced compromises observed in mobile devices in recent years. Unlike typical malware that infiltrates devices post-deployment, Keenadu has been found embedded directly into device firmware, giving it unparalleled persistence and system-wide control.

What Is Keenadu?

Keenadu is an Android backdoor that operates at a firmware level, deeply integrated into the system libraries that every app references when launched. This design allows it to execute malicious logic in the context of almost any installed application, breaking Android’s intended security model.

By compromising a core shared library (libandroid_runtime.so), Keenadu achieves automatic injection into all processes created on the device. Once in place, it acts as a powerful multi-stage loader and controller, capable of remotely executing arbitrary commands, exfiltrating data, and manipulating app behavior.

Infection Vector: Firmware Supply Chain Compromise

One of the most alarming aspects of Keenadu is how it gets into devices:

  • The backdoor was integrated during the firmware build process — not added after sale via an infected APK.
  • Specifically, a malicious static library was linked into libandroid_runtime.so, a central Android runtime library.
  • Because the infected firmware images were digitally signed, the compromise likely occurred well before device distribution, suggesting a supply chain breach rather than a simple OTA (over-the-air) tampering.

This means end users — and likely device vendors themselves — may have no visibility into how or when Keenadu was introduced into system code.

How Keenadu Works

Hooking libandroid_runtime.so

Android’s libandroid_runtime.so is part of the system layer used by all apps to interface with low-level functionality, including logging and native calls. Keenadu injects malicious logic here such that:

  • A hidden payload is decrypted and saved into the Dalvik cache, ensuring it persists across reboots.
  • When Android’s Zygote process (the parent of all Android apps) forks processes, the Keenadu code is loaded into every new app without user interaction.

This gives the backdoor two critical advantages: automatic process injection and access to internal app execution context.

Capabilities and Modules

Once active, Keenadu can download additional modules from attacker-controlled servers. These payloads expand its functions, which researchers observed to include:

  • Control modules that can grant or revoke Android permissions for arbitrary apps.
  • Browser hijacking components that intercept and redirect search queries.
  • Install monetization modules that silently install new apps, potentially for fraud or ad revenue generation.
  • Stealthy ad interaction components that simulate user interaction with ad content to generate revenue.

Because Keenadu operates under the context of system-trusted processes, it effectively bypasses the Android app sandbox and permission model — once only the core of truly system-level compromises.

Comparisons to Other Firmware Threats

Keenadu’s architecture and infection model are conceptually similar to previously observed threats like the Triada backdoor, which also targeted firmware to compromise devices. However, Keenadu distinguishes itself by:

  • Being found in multiple device models and brands, not just counterfeit or budget devices.
  • Demonstrating a modular command-and-control (C2) capability, allowing tailored payloads to be delivered post-deployment.
  • Operating at a level where it can intervene in permission handling and IPC (binder) communications.

Detection and Mitigation

Because Keenadu is embedded into firmware, it cannot be removed via typical app-level malware scanning or user-initiated uninstall procedures. Analysts recommend:

  • Firmware re-flashing with a clean image — but only from a verified, trusted source.
  • Using mobile security solutions that can detect heuristics associated with Keenadu behavior.
  • Staying vigilant against unofficial firmware and third-party app repositories, especially for budget or lesser-known tablet brands.

Users should also consider applying mobile threat defense solutions that can flag anomalous behavior indicative of system-level compromise.

Conclusion

Keenadu signifies a concerning escalation in Android malware sophistication. Its firmware-level implantation, coupled with deep hooks into the Android runtime, makes it a prime example of why supply chain security matters more than ever.

As devices proliferate and manufacturers integrate third-party components into their systems, the risk of such deep compromises only grows. Keenadu should serve as a wake-up call for both industry stakeholders and end users: robust verification of firmware integrity — not just app vetting — is critical in defending modern mobile ecosystems.

CyberDefender