Kaspersky reported in a technical analysis that it discovered Keenadu, a firmware backdoor embedded in Android tablets during the firmware build process. The backdoor was found in Alldocube iPlay 50 mini Pro firmware dated August 18, 2023, and telemetry shows that 13,715 users worldwide encountered Keenadu or its modules.
KEY FACTS
- Incident: Backdoor embedded in libandroid_runtime.so in tablet firmware
- Affected devices: Alldocube iPlay 50 mini Pro and other vendor firmware not publicly named
- Delivery: Embedded during the firmware build and delivered via OTA updates and preinstalled apps
- Scale: Telemetry shows 13,715 users encountered the malware or its modules
Keenadu is loaded at boot from the core runtime library and injects into the Zygote process so it can run in the context of every app. It creates an AKServer instance in system_server when possible and an AKClient instance in ordinary app processes to act as a command bridge.
The platform delivers modular payloads. Identified modules include a Keenadu loader that targets storefront apps, a clicker loader for ad interactions, a Google Chrome module that can hijack searches, a Nova clicker using machine learning and WebRTC, an install monetization module, and a Google Play module that stores advertising IDs.
Distribution vectors include firmware compromises made during the build phase, OTA updates, integration into system apps such as facial recognition and the system launcher, and trojanized camera apps on Google Play. The named developer for the removed Play apps is Hangzhou Denghong Technology Co., Ltd.
The backdoor implements multiple evasion checks and a delayed payload fetch that prevents servers from serving modules until about 2.5 months after initial check-in. It can grant or revoke app permissions, collect device metadata, and exfiltrate information, which undermines Android app sandboxing when active.
WHY IT MATTERS
A backdoor embedded in a core runtime library can give operators unrestricted access to affected tablets and negate app sandbox protections. The firmware insertion method and the number of encounters raise supply chain and preinstallation security concerns.