
TL;DR
- Researchers found a firmware-level Android backdoor called Keenadu preinstalled on certain tablets before sale.
- The malware injects into Android’s Zygote process, giving attackers broad control over apps and data on the tablets.
- The issue appears limited to lesser-known tablet brands, but affected users should install updates immediately.
Worrying as it may be, most Android malware at least spreads through shady apps or dodgy downloads, which gives you some control over whether you get infected. But security researchers say they’ve found something more unsettling: a backdoor built directly into the firmware of certain Android tablets before they even reached users.
According to a report highlighted by Help Net Security, Kaspersky researchers uncovered a new Android backdoor named Keenadu, embedded in the firmware of tablets from multiple manufacturers. Rather than infecting devices after purchase, the malware appears to have been baked into the tablets’ software during the firmware build process.
Once active, the backdoor injects itself into Android’s Zygote process, which is a core system process that launches every app on your device. That gives whoever is controlling it sweeping visibility and control across the system. Researchers say Keenadu can download additional modules capable of redirecting browser searches, tracking app installs for profit, and interacting with advertising elements. Operating at this level gives it far more reach than a typical malicious app.
One confirmed example involves firmware images for the Alldocube iPlay 50 mini Pro tablet. Researchers said every version they examined contained the backdoor, including releases issued after the vendor had acknowledged malware reports. The firmware files carried valid digital signatures, suggesting the issue wasn’t caused by someone tampering with updates after the fact. Instead, the evidence points to a supply-chain compromise, meaning malicious code was likely introduced at some point during the software development or build process.
Kaspersky says 13,715 users worldwide have encountered Keenadu or its modules, with the highest numbers recorded in Russia, Japan, Germany, Brazil, and the Netherlands. The company also linked the threat to other known Android botnet families, including Triada, BadBox, and Vo1d.
Scary as it sounds, this doesn’t appear to be an issue affecting major flagship Android brands. The confirmed example centers on a lesser-known tablet manufacturer, and most affected vendors have not been publicly named. If you own a budget Android tablet — especially from a smaller or unfamiliar brand — it’s worth checking for software updates and installing them as soon as they become available. Researchers say vendors have been notified and are likely working on clean firmware updates.