Kaspersky has uncovered Keenadu, a new Android backdoor that can be preinstalled in device firmware, hidden inside system apps, or spread via Google Play. It is used for ad fraud but is capable of full remote control. The backdoor embeds itself during the build process, injects into the Zygote process, and loads a copy of itself into the address space of every app on launch, acting as a multi-stage loader.
It uses a client‑server setup called AKClient and AKServer and can deliver extra malicious modules from its C2 server, with some functions taking control weeks after activation to avoid detection. Keenadu was found in firmware for Alldocube tablets, with a rogue static library linked to libandroid_runtime.so and signs of a supply chain compromise that likely occurred before devices reached the market.
As of February 2026, more than 13,000 infected Android devices had been detected, with victims primarily in Russia, Japan, Germany, Brazil and the Netherlands. Researchers note that the backdoor and its modules have also appeared in system apps and even in apps from Google Play. According to Kaspersky, the campaign fits into a broader ecosystem of affiliates and is linked to other botnets such as Triada, BADBOX and Vo1d.