{"id":214781,"date":"2026-02-18T04:11:00","date_gmt":"2026-02-18T09:11:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/18\/keenadu-backdoor-found-preinstalled-on-android-devices-powers-ad-fraud-campaign\/"},"modified":"2026-02-18T04:30:09","modified_gmt":"2026-02-18T09:30:09","slug":"keenadu-backdoor-found-preinstalled-on-android-devices-powers-ad-fraud-campaign","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/18\/keenadu-backdoor-found-preinstalled-on-android-devices-powers-ad-fraud-campaign\/","title":{"rendered":"Keenadu backdoor found preinstalled on Android devices, powers Ad fraud campaign"},"content":{"rendered":"<p><a href=\"https:\/\/securityaffairs.com\/188147\/malware\/keenadu-backdoor-found-preinstalled-on-android-devices-powers-ad-fraud-campaign.html\">Keenadu backdoor found preinstalled on Android devices, powers Ad fraud campaign<\/a><\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/188147\/malware\/keenadu-backdoor-found-preinstalled-on-android-devices-powers-ad-fraud-campaign.html\">https:\/\/securityaffairs.com\/188147\/malware\/keenadu-backdoor-found-preinstalled-on-android-devices-powers-ad-fraud-campaign.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-18 04:11:00<\/a><\/p>\n<p>Source Domain: <a href=\"securityaffairs.com\">securityaffairs.com<\/a><\/p>\n<p><h2>Keenadu backdoor found preinstalled on Android devices, powers Ad fraud campaign<\/h2>\n<\/p>\n<p>\t\t\t\t\t\t\t<span> Pierluigi Paganini<\/span><br \/>\n\t\t\t\t\t\t\t<span><img decoding=\"async\" src=\"https:\/\/securityaffairs.com\/wp-content\/themes\/security_affairs\/images\/clock-icon.svg\" alt=\"\"\/> February 18, 2026<\/span><\/p>\n<p>\t\t\t\t\t\t<img decoding=\"async\" class=\"img-fluid mb-4\" src=\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2026\/02\/image-42.png?fit=1171%2C1536&#038;ssl=1\" alt=\"\"\/><\/p>\n<h2 class=\"wp-block-heading\">Kaspersky uncovered Keenadu, an Android backdoor used for ad fraud that can even take full control of devices.<\/h2>\n<p>Kaspersky has identified a new Android malware called Keenadu. It can be preinstalled in device firmware, hidden inside system apps, or even distributed via official stores like Google Play. Currently used for ad fraud by turning infected phones into click bots, some variants also allow attackers to gain full remote control of compromised devices.<\/p>\n<p>After uncovering the Triada backdoor in counterfeit Android firmware, researchers found another firmware-level threat called Keenadu. Like Triada, Keenadu embeds itself into the system during the build process, injects into the Zygote process, and infects every app launched on the device. It acts as a multi-stage loader, enabling full remote control, ad fraud, credential theft, and malicious payload delivery. <\/p>\n<p>The researchers reported that some infected firmware was even pushed via OTA updates and built into core system apps. Investigators also linked Keenadu to major Android botnets, including Triada, BADBOX, and Vo1d.<\/p>\n<p>Researchers found that Keenadu was embedded inside Android\u2019s core library, libandroid_runtime.so, acting as a hidden dropper. A modified logging function decrypted an RC4-encrypted payload and loaded it into every app via the Zygote process. The malicious code uses a client-server setup called AKClient and AKServer.<\/p>\n<p>\u201cWe discovered a new backdoor, which we dubbed Keenadu, in the firmware of devices belonging to several brands. The infection occurred during the firmware build phase, where a malicious static library was linked with\u00a0libandroid_runtime.so. Once active on the device, the malware injected itself into the\u00a0Zygote\u00a0process, similarly to Triada. In several instances, the compromised&#8230;<\/p>\n<p><a href=\"https:\/\/securityaffairs.com\/188147\/malware\/keenadu-backdoor-found-preinstalled-on-android-devices-powers-ad-fraud-campaign.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Keenadu backdoor found preinstalled on Android devices, powers Ad fraud campaign https:\/\/securityaffairs.com\/188147\/malware\/keenadu-backdoor-found-preinstalled-on-android-devices-powers-ad-fraud-campaign.html Publish Date: 2026-02-18&#8230;<\/p>\n","protected":false},"author":1,"featured_media":214782,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2026\/02\/image-43.png","fifu_image_alt":"","footnotes":""},"categories":[46],"tags":[70,32],"class_list":["post-214781","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","tag-google","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214781"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=214781"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214781\/revisions"}],"predecessor-version":[{"id":214783,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/214781\/revisions\/214783"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/214782"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=214781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=214781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=214781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}