Kaspersky researchers have identified a new Android firmware-level backdoor dubbed Keenadu, which mimics the behavior of the Triada trojan by embedding itself into system libraries. The malware is integrated into the libandroid_runtime.so library during the firmware build phase, allowing it to hook into the Zygote process and infect every application launched on the device. This supply chain attack primarily targets Android tablets, providing attackers with unrestricted control over the hardware, bypassing standard app sandboxing and permission systems.
Keenadu employs a sophisticated client-server architecture to deploy various malicious modules, including search engine hijackers, ad-clickers, and spyware. The investigation revealed that Keenadu is part of a larger interconnected ecosystem of mobile threats, sharing code and infrastructure with other prolific botnets such as BADBOX, Triada, and Vo1d. Due to its persistence in the system partition, removing the infection typically requires a clean firmware update or specialized technical intervention.