Keenadu the tablet conqueror and the links between major Android botnets

Staff Editor 2026-02-17
Keenadu the tablet conqueror and the links between major Android botnets

Keenadu the tablet conqueror and the links between major Android botnets

https://securelist.com/keenadu-android-backdoor/118913/

Publish Date: 2026-02-17 04:00:00

Source Domain: securelist.com

In April 2025, we reported on a then-new iteration of the Triada backdoor that had compromised the firmware of counterfeit Android devices sold across major marketplaces. The malware was deployed to the system partitions and hooked into Zygote – the parent process for all Android apps – to infect any app on the device. This allowed the Trojan to exfiltrate credentials from messaging apps and social media platforms, among other things.

This discovery prompted us to dive deeper, looking for other Android firmware-level threats. Our investigation uncovered a new backdoor, dubbed Keenadu, which mirrored Triada’s behavior by embedding itself into the firmware to compromise every app launched on the device. Keenadu proved to have a significant footprint; following its initial detection, we saw a surge in support requests from our users seeking further information about the threat. This report aims to address most of the questions and provide details on this new threat.

Our findings can be summarized as follows:

  • We discovered a new backdoor, which we dubbed Keenadu, in the firmware of devices belonging to several brands. The infection occurred during the firmware build phase, where a malicious static library was linked with libandroid_runtime.so. Once active on the device, the malware injected itself into the Zygote process, similarly to Triada. In several instances, the compromised firmware was delivered with an OTA update.
  • A copy of the backdoor is loaded into the address space of every app upon launch. The malware is a multi-stage loader granting its operators the unrestricted ability to control the victim’s device remotely.
  • We successfully intercepted the payloads retrieved by Keenadu. Depending on the targeted app, these modules hijack the search engine in the browser, monetize new app installs, and stealthily interact with ad elements.
  • One specific payload identified during our research was also found embedded in numerous standalone apps…

Source

More Stories

Android 17 Beta: List of phones eligible for Google’s new mobile OS

Android 17 Beta: List of phones eligible for Google’s new mobile OS

Staff Editor 2026-06-06
There are four “underrated” Gemini commands in Android Auto that change how you drive, from finding nearby places to controlling music and building lists, and the twist is that hands-free driving no longer depends on saying the exact magic phrase 

There are four “underrated” Gemini commands in Android Auto that change how you drive, from finding nearby places to controlling music and building lists, and the twist is that hands-free driving no longer depends on saying the exact magic phrase 

Staff Editor 2026-06-06
I tried a phone with an unusual main camera, and now every other phone feels wrong

I tried a phone with an unusual main camera, and now every other phone feels wrong

Staff Editor 2026-06-06

Terms and Conditions - Privacy Policy