
Keenadu Android backdoor deeply embedded in device firmware

According to The Hacker News, a sophisticated Android backdoor named Keenadu has been discovered deeply embedded within device firmware, allowing for silent data harvesting and remote device control. This threat was identified by Kaspersky, which found the malware present in the firmware build phase of devices from various brands, including Alldocube.

Keenadu is embedded in a critical system library, libandroid_runtime.so, and injects itself into the Zygote process. Because every app process on Android is forked from Zygote, the implant's code is present in every app without needing any permission grant. The malware uses a client-server architecture to fetch and execute payloads remotely. Observed payloads hijack browser search engines, monetize app installs, and interact with ad elements. Kaspersky telemetry counts 13,715 affected users globally, with Russia, Japan, Germany, Brazil, and the Netherlands the most affected countries. Distribution vectors include compromised OTA updates and trojanized apps, some of which were found on Google Play.
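Because the implant lives inside a system library rather than in an app, the practical check is to compare the libraries on a device or in a firmware dump against a known-good manifest from the vendor's clean build. The script below is an added example, not code from Kaspersky, The Hacker News, or SC Media: it hashes every shared object under a dumped system partition, reports anything modified, missing, or unlisted, and flags libraries that Zygote maps into every app. The sample tree, the manifest hashes, and the HIGH_VALUE_LIBS set are constructed for the example; they are not real Keenadu indicators.

```python
"""Added example: integrity check of a dumped Android system partition
against a known-good manifest. Not the vendor's, Kaspersky's or SC Media's
code; all hashes and paths below are constructed for the sample tree."""
import hashlib
import tempfile
from pathlib import Path

# Libraries loaded into Zygote and therefore into every app it forks.
# A change here affects every process on the device. Set is an assumption.
HIGH_VALUE_LIBS = {
    "lib64/libandroid_runtime.so",
    "lib64/libbinder.so",
    "lib64/libc.so",
}


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large images do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_system_libs(system_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every .so under system_root with a reference manifest.

    manifest maps a path relative to system_root to the expected SHA-256
    taken from a trusted build. Returns sorted lists of libraries that are
    modified (hash differs), missing (in manifest, not on disk) and
    unexpected (on disk, not in manifest)."""
    result: dict[str, list[str]] = {"modified": [], "missing": [], "unexpected": []}
    seen: set[str] = set()
    for path in sorted(system_root.rglob("*.so")):
        rel = path.relative_to(system_root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            result["unexpected"].append(rel)
        elif sha256_file(path) != expected:
            result["modified"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def build_sample_tree() -> tuple[Path, dict[str, str]]:
    """Constructed sample: a fake system partition whose libandroid_runtime.so
    was altered after the manifest was taken, plus one unlisted library."""
    root = Path(tempfile.mkdtemp(prefix="sysimg_"))
    clean = {
        "lib64/libandroid_runtime.so": b"ELF-runtime-clean",
        "lib64/libbinder.so": b"ELF-binder-clean",
        "lib64/libc.so": b"ELF-libc-clean",
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in clean.items()}
    for rel, data in clean.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    # Tamper with the runtime library and drop a library the build never shipped.
    (root / "lib64/libandroid_runtime.so").write_bytes(b"ELF-runtime-clean+injected-loader")
    (root / "lib64/libextra.so").write_bytes(b"ELF-not-in-manifest")
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_tree()
    for kind, libs in verify_system_libs(root, manifest).items():
        for lib in libs:
            note = " (mapped into every app via Zygote)" if lib in HIGH_VALUE_LIBS else ""
            print(f"{kind}: {lib}{note}")
```

On a real device the input would be a system partition pulled with adb or extracted from the vendor's factory image, and the manifest would be built from a clean copy of the same build number; a hash mismatch on libandroid_runtime.so in a shipped image is exactly the condition this report describes.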

Because Keenadu sits in firmware rather than in an installed app, standard app sandboxing and permission controls never apply to it, and it runs inside every app's process. While the observed activity is ad fraud, code in that position could just as easily harvest credentials, as other sophisticated Android malware has done, so firmware integrity verification and supply-chain vigilance are the practical defenses.

Source: The Hacker News
