Keenadu

Somewhere along the supply chain — whether at the factory, through a middleman, or at a distributor — a backdoor gets injected into the firmware image.

“Android backdoor embedded directly in device firmware… inserted during the firmware build process, not after devices reached users.”

"...embedded in system apps, modified apps from unofficial sources, and even through apps on Google Play."

"Once deployed, often via OTA updates..."; "signed Alldocube firmwares... include the backdoor"

The pre-installed Triada.ag backdoor rose to the top spot; it is similar to the older Triada.z version we documented previously. Other pre-installed Triada variants (Triada.z, Triada.ae, Triada.ab, and Triada.ad) also made the rankings. Furthermore, we observed increasing activity from the Keenadu.a backdoor

“In several instances, the compromised firmware was delivered with an OTA update.”

In early 2026, we discovered several apps on Google Play and the App Store that contained a new version of the SparkCat crypto stealer.

“Keenadu was integrated directly into critical system utilities, including the facial recognition service, the launcher app… loader was found within various system apps in the firmware…”

“Some variants relied on a native library to load modules and silently install APKs… a loader… can install hidden APKs.”

“Keenadu was embedded inside Android’s core library, libandroid_runtime.so, acting as a hidden dropper.”

“three receivers are registered… monitor screen on/off… start of charging… availability of network access… calls… to initialize the malicious loader”

“Once active on the device, the malware injected itself into the Zygote process… A copy of the backdoor is loaded into the address space of every app upon launch.”

"The Keenadu variant embedded in system apps is more limited in functionality. However, its elevated privileges allow it to install any app without alerting the user."

“Some variants relied on a native library to load modules and silently install APKs… a loader… can install hidden APKs.”

“Keenadu was embedded inside Android’s core library, libandroid_runtime.so, acting as a hidden dropper.”

“three receivers are registered… monitor screen on/off… start of charging… availability of network access… calls… to initialize the malicious loader”

“decrypted data… using RC4… payload… loaded via DexClassLoader… C2 server addresses… Base64… gzip… AES-128… Another backdoor… single-byte XOR and executes it…”

Keenadu masquerades as legitimate system components, embedding itself even into facial-recognition unlock apps, potentially granting attackers access to biometrics, banking data, and personal messages.

“Once active on the device, the malware injected itself into the Zygote process… A copy of the backdoor is loaded into the address space of every app upon launch.”

“Upon initialization, it runs an environment check for virtual machine artifacts. If none are detected…”

“To avoid detection, the server waits about 2.5 months after activation before delivering payloads.”

“Keenadu was integrated directly into critical system utilities, including the facial recognition service, the launcher app… loader was found within various system apps in the firmware…”

“The malware also avoids infecting devices set to the Chinese language or devices that do not have Google services installed.”

"loads them via DexClassLoader into /data/dalvik-cache/"

"The malware even monitors search queries that the user inputs into the Chrome browser in incognito mode."

“collects victim device metadata, such as the model, IMEI, MAC address, and OS version…”

“Upon initialization, it runs an environment check for virtual machine artifacts. If none are detected…”

“To avoid detection, the server waits about 2.5 months after activation before delivering payloads.”

“In several instances, the compromised firmware was delivered with an OTA update.”

"The malware even monitors search queries that the user inputs into the Chrome browser in incognito mode."

"When opened, the apps launched invisible web browser tabs within the host app, which navigated to websites in the background."

"establishes a client-server architecture"; "queries C2 servers"; "Domain keepgo123.com, gsonx.com"; "Path /ak/api/pts/v4"

“encrypted data is sent to the C2 server via a POST request to the path /ak/api/pts/v4… /ota/api/tasks/v3… response… encrypted JSON object…”

TOP 20 мобильных вредоносных программ ... Trojan-Downloader.AndroidOS.Keenadu.l

“The malicious code uses a client-server setup called AKClient and AKServer… connect to encrypted command-and-control servers.”