Keenadu backdoor found preinstalled on Android devices, powers Ad fraud campaign
Publish Date: 2026-02-18 04:11:00
Source Domain: securityaffairs.com
Pierluigi Paganini
February 18, 2026

Kaspersky uncovered Keenadu, an Android backdoor used for ad fraud that can even take full control of devices.
Kaspersky has identified a new Android malware called Keenadu. It can be preinstalled in device firmware, hidden inside system apps, or even distributed via official stores like Google Play. It is currently used for ad fraud, turning infected phones into click bots, and some variants also allow attackers to gain full remote control of compromised devices.
After uncovering the Triada backdoor in counterfeit Android firmware, researchers found another firmware-level threat called Keenadu. Like Triada, Keenadu embeds itself into the system during the build process, injects into the Zygote process, and infects every app launched on the device. It acts as a multi-stage loader, enabling full remote control, ad fraud, credential theft, and malicious payload delivery.
The researchers reported that some infected firmware was even pushed via OTA updates and built into core system apps. Investigators also linked Keenadu to major Android botnets, including Triada, BADBOX, and Vo1d.
Researchers found that Keenadu was embedded inside Android’s core library, libandroid_runtime.so, acting as a hidden dropper. A modified logging function decrypted an RC4-encrypted payload and loaded it into every app via the Zygote process. The malicious code uses a client-server setup called AKClient and AKServer.
“We discovered a new backdoor, which we dubbed Keenadu, in the firmware of devices belonging to several brands. The infection occurred during the firmware build phase, where a malicious static library was linked with libandroid_runtime.so. Once active on the device, the malware injected itself into the Zygote process, similarly to Triada. In several instances, the compromised…