Sophos
Keenadu Backdoor Infects Android Devices via Firmware Compromise
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
In late February 2026, SophosLabs identified the Keenadu backdoor affecting Android devices, which is embedded in the libandroid_runtime.so library. This firmware-level malware injects itself into the Zygote process, allowing attackers total control over infected devices. Keenadu functions as a downloader for additional malware modules targeting various applications, including popular storefronts like Shein and Amazon, and ad fraud modules targeting YouTube. The malware is integrated into the firmware during the build phase, indicating a supply chain compromise rather than installation via OTA updates. As of March 4, over 500 unique compromised devices across nearly 50 models have been detected, primarily low-cost devices from manufacturers like Allview and DOOGEE. The infections span 40 countries, raising concerns for organizations allowing personal device access to corporate resources. The malware's persistence is facilitated by trojanized system-level APK files, which are not blocked by standard security measures.
Key Points: • Keenadu backdoor infects Android devices via firmware-level compromise. • Over 500 unique devices affected globally, primarily low-cost models. • Malware targets popular apps for ad fraud and data exfiltration.