Keenadu Backdoor Infects Android Devices via Firmware Compromise

Keenadu Backdoor Infects Android Devices via Firmware Compromise

First seen 19 Mar 2026, 23:26 UTC News.SophosSophos 99% similarity 66.5

Article Content

Browse articles
ThreatCluster

In late February 2026, SophosLabs identified the Keenadu backdoor affecting Android devices, which is embedded in the libandroid_runtime.so library. This firmware-level malware injects itself into the Zygote process, allowing attackers total control over infected devices. Keenadu functions as a downloader for additional malware modules targeting various applications, including popular storefronts like Shein and Amazon, and ad fraud modules targeting YouTube. The malware is integrated into the firmware during the build phase, indicating a supply chain compromise rather than installation via OTA updates. As of March 4, over 500 unique compromised devices across nearly 50 models have been detected, primarily low-cost devices from manufacturers like Allview and DOOGEE. The infections span 40 countries, raising concerns for organizations allowing personal device access to corporate resources. The malware's persistence is facilitated by trojanized system-level APK files, which are not blocked by standard security measures.

Key Points: • Keenadu backdoor infects Android devices via firmware-level compromise. • Over 500 unique devices affected globally, primarily low-cost models. • Malware targets popular apps for ad fraud and data exfiltration.

ThreatCluster AI

Timeline

2026-02-28
Keenadu backdoor identified by SophosLabs.
2026-03-04
Over 500 unique compromised devices detected.
2026-03-19
Articles published detailing the Keenadu threat.

Community

Browse all →