thehackernews.com 2/17/2026, 5:40:26 PM

Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates

Primary Source securelist.com

Keenadu, discovered by Kaspersky, is described as a backdoor embedded deep in device firmware that silently harvests data and can remotely control infected devices. The backdoor is found in the firmware of devices from various brands, including Alldocube. The compromise occurs during the firmware build phase, and the firmware files carry valid digital signatures. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to 18 August 2023.

In several cases, the compromised firmware was delivered via an OTA update. Keenadu operates through a multi-stage loader, with an AKServer component for core logic and a separate AKClient injected into every launched app. The backdoor is known to bypass Android sandboxing by integrating into libandroid_runtime.so. Telemetry estimates that about 13,715 users worldwide have encountered Keenadu, with attacks concentrated in Russia, Japan, Germany, Brazil and the Netherlands.

The researcher notes that Keenadu can hijack browser search engines, monetise app installations and interact covertly with advertising elements. It has also been found in trojanised apps on Google Play; distribution vectors include embedding the loader in system apps and firmware.

Apps found to be tied to the campaign include Eoolii, Ziicam and Eyeplus, published by Hangzhou Denghong Technology Co., Ltd., though the developer has since listed the same set of apps on the Apple App Store. The researchers caution that Keenadu is primarily designed to target Android tablets.


Article by CyberSIXT