www.darkreading.com 2/17/2026, 10:35:26 PM

Supply Chain Attack Embeds Malware in Android Devices

Keenadu is a new malware strain embedded in Android device firmware from multiple vendors. It injects itself into every app on an infected system and grants attackers near-remote access. According to Kaspersky, Keenadu was integrated into the firmware through a supply chain attack in which one compromised stage of the supply chain introduced a malicious dependency into the source code.

The malware uses Android’s Zygote master process to copy itself into every app. Because it is embedded in firmware, devices can be compromised before reaching users, and some vendors may have been unaware of the compromise before sale. As of February, 13,000 Android devices have been infected, with the highest numbers in Russia, Japan, Germany, Brazil and the Netherlands. Infections have occurred both on preloaded devices and via over-the-air updates.

Keenadu operates as a multistage loader that delivers payloads to hijack browser searches, commit ad fraud, and track user activity across apps, including targeting shopping platforms and Google Chrome queries. Researchers have noted connections between Keenadu and the larger Android botnets BADBOX, Triada and Vo1d, suggesting some level of coordination within major mobile malware operations.

Article by CyberSIXT