securelist.com 2/17/2026, 9:10:14 AM

Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets

Threat Actor
Keenadu (malware; reported links to Triada, BADBOX, Vo1d)

KEENADU is described by Securelist as a firmware-embedded Android backdoor that mirrors Triada’s behaviour by hijacking the system partition and injecting itself into Zygote to grant attackers control over devices. The backdoor loads itself through a malicious libandroid_runtime.so, creating a client-server architecture with AKClient and AKServer components that communicate via binder to load arbitrary DEX payloads.

The researchers highlight a multi-stage loader that can exfiltrate device data, hijack browser search engines, monetise app installs, and deploy additional payloads including modules embedded in system apps and even Google Play storefronts. They note links between Keenadu and other botnets, including Triada, BADBOX and Vo1d, with evidence such as shared C2 structures and overlapping payloads, though they caution against assuming direct transitivity without further proof.

In Alldocube firmware, Keenadu was found in libandroid_runtime.so across multiple revisions, with C2 addresses resolved to keepgo123[.]com and gsonx[.]com, and a variant tied to the Netflix-enabled iPlay 50 mini Pro firmware dated November 7, 2023 and May 20, 2024. The report records at least 13,715 victims globally, with the highest impact in Russia, Japan, Germany, Brazil and the Netherlands, and notes that the backdoor was delivered via firmware builds, system apps, and even Google Play installations.

According to Securelist, Keenadu represents a large-scale, complex malware platform that could extend beyond ad fraud to credential theft, and is indicative of supply-chain compromise through firmware build-time integration.


Article by CyberSIXT