{"id":1343,"date":"2026-02-17T09:12:14","date_gmt":"2026-02-17T09:12:14","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/"},"modified":"2026-02-17T09:12:14","modified_gmt":"2026-02-17T09:12:14","slug":"divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/","title":{"rendered":"Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/17072352\/SL-Keenadu-featured-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<p>In April 2025, we <a href=\"https:\/\/securelist.com\/triada-trojan-modules-analysis\/116380\/\" target=\"_blank\" rel=\"noopener\">reported<\/a> on a then-new iteration of the Triada backdoor that had compromised the firmware of counterfeit Android devices sold across major marketplaces. The malware was deployed to the system partitions and hooked into <code>Zygote<\/code> \u2013 the parent process for all Android apps \u2013 to infect any app on the device. This allowed the Trojan to exfiltrate credentials from messaging apps and social media platforms, among other things.<\/p>\n<p>This discovery prompted us to dive deeper, looking for other Android firmware-level threats. Our investigation uncovered a new backdoor, dubbed Keenadu, which mirrored Triada\u2019s behavior by embedding itself into the firmware to compromise every app launched on the device. 
Keenadu proved to have a significant footprint; following its initial detection, we saw a surge in support requests from our users seeking further information about the threat. This report aims to address most of the questions and provide details on this new threat.<\/p>\n<p>Our findings can be summarized as follows:<\/p>\n<ul>\n<li>We discovered a new backdoor, which we dubbed Keenadu, in the firmware of devices belonging to several brands. The infection occurred during the firmware build phase, where a malicious static library was linked with <code>libandroid_runtime.so<\/code>. Once active on the device, the malware injected itself into the <code>Zygote<\/code> process, similarly to Triada. In several instances, the compromised firmware was delivered with an OTA update.<\/li>\n<li>A copy of the backdoor is loaded into the address space of every app upon launch. The malware is a multi-stage loader granting its operators the unrestricted ability to control the victim\u2019s device remotely.<\/li>\n<li>We successfully intercepted the payloads retrieved by Keenadu. 
Depending on the targeted app, these modules hijack the search engine in the browser, monetize new app installs, and stealthily interact with ad elements.<\/li>\n<li>One specific payload identified during our research was also found embedded in numerous standalone apps distributed via third-party repositories, as well as official storefronts like Google Play and Xiaomi GetApps.<\/li>\n<li>In certain firmware builds, Keenadu was integrated directly into critical system utilities, including the facial recognition service, the launcher app, and others.<\/li>\n<li>Our investigation established a link between some of the most prolific Android botnets: Triada, BADBOX, Vo1d, and Keenadu.<\/li>\n<\/ul>\n<p>The complete Keenadu infection chain looks like this:<\/p>\n<div id=\"attachment_118919\" style=\"width: 1798px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" aria-describedby=\"caption-attachment-118919\" class=\"size-full wp-image-118919\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1.png\" alt=\"Full infection diagram\" width=\"1788\" height=\"2345\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1.png 1788w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1-229x300.png 229w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1-781x1024.png 781w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1-768x1007.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1-1171x1536.png 1171w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1-1562x2048.png 1562w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1-267x350.png 267w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1-740x971.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1-213x280.png 213w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13194703\/keenadu-android1-686x900.png 686w\" sizes=\"(max-width: 1788px) 100vw, 1788px\"><\/a><\/p>\n<p id=\"caption-attachment-118919\" class=\"wp-caption-text\">Full infection diagram<\/p>\n<\/div>\n<p>Kaspersky solutions detect the threats described below with the following verdicts:<\/p>\n<p>HEUR:Backdoor.AndroidOS.Keenadu.*<br \/>\nHEUR:Trojan-Downloader.AndroidOS.Keenadu.*<br \/>\nHEUR:Trojan-Clicker.AndroidOS.Keenadu.*<br \/>\nHEUR:Trojan-Spy.AndroidOS.Keenadu.*<br \/>\nHEUR:Trojan.AndroidOS.Keenadu.*<br \/>\nHEUR:Trojan-Dropper.AndroidOS.Gegu.*<\/p>\n<h2 id=\"malicious-dropper-in-libandroid_runtime-so\">Malicious dropper in libandroid_runtime.so<\/h2>\n<p>At the very beginning of the investigation, our attention was drawn to suspicious libraries located at <code>\/system\/lib\/libandroid_runtime.so<\/code> and <code>\/system\/lib64\/libandroid_runtime.so<\/code> \u2013 we will use the shorthand <code>\/system\/lib[64]\/<\/code> to denote these two directories. The library exists in the original Android source. Specifically, it defines the <code>println_native<\/code> native method for the <code>android.util.Log<\/code> class. Apps utilize this method to write to the <code>logcat<\/code> system log. 
In the suspicious libraries, the implementation of <code>println_native<\/code> differed from the legitimate version by the call of a single function:<\/p>\n<div id=\"attachment_118920\" style=\"width: 520px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195019\/keenadu-android2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118920\" class=\"size-full wp-image-118920\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195019\/keenadu-android2.png\" alt=\"Call to the suspicious function\" width=\"510\" height=\"518\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195019\/keenadu-android2.png 510w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195019\/keenadu-android2-295x300.png 295w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195019\/keenadu-android2-345x350.png 345w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195019\/keenadu-android2-276x280.png 276w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195019\/keenadu-android2-50x50.png 50w\" sizes=\"auto, (max-width: 510px) 100vw, 510px\"><\/a><\/p>\n<p id=\"caption-attachment-118920\" class=\"wp-caption-text\">Call to the suspicious function<\/p>\n<\/div>\n<p>The suspicious function decrypted data from the library body using RC4 and wrote it to <code>\/data\/dalvik-cache\/arm[64]\/system@framework@vndx_10x.jar@classes.jar<\/code>. The data represents a payload that is loaded via <code>DexClassLoader<\/code>. 
The entry point within it is the <code>main<\/code> method of the <code>com.ak.test.Main<\/code> class, where \u201cak\u201d likely refers to the author\u2019s internal name for the malware; this letter combination is also used in other locations throughout the code. In particular, the developers left behind a significant amount of code that writes error messages to the <code>logcat<\/code> log during the malware\u2019s execution. These messages have the <code>AK_CPP<\/code> tag.<\/p>\n<div id=\"attachment_118921\" style=\"width: 496px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195235\/keenadu-android3.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118921\" class=\"size-full wp-image-118921\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195235\/keenadu-android3.png\" alt=\"Payload decryption\" width=\"486\" height=\"442\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195235\/keenadu-android3.png 486w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195235\/keenadu-android3-300x273.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195235\/keenadu-android3-385x350.png 385w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195235\/keenadu-android3-308x280.png 308w\" sizes=\"auto, (max-width: 486px) 100vw, 486px\"><\/a><\/p>\n<p id=\"caption-attachment-118921\" class=\"wp-caption-text\">Payload decryption<\/p>\n<\/div>\n<p>The payload checks whether it is running within system apps belonging either to Google services or to Sprint or T-Mobile carriers. The latter apps are typically found in specialized device versions that carriers sell at a discount, provided the buyer signs a service contract. 
The malware aborts its execution if it finds that it\u2019s running within these processes. It also implements a kill switch that terminates its execution if it finds files with specific names in system directories.<\/p>\n<p>Next, the Trojan checks if it is running within the <code>system_server<\/code> process. This process controls the entire system and possesses maximum privileges; it is launched by the <code>Zygote<\/code> process when it starts. If the check returns positive, the Trojan creates an instance of the <code>AKServer<\/code> class; if the code is running in any other process, it creates an instance of the <code>AKClient<\/code> class instead. It then calls the new object\u2019s virtual method, passing the app process name to it. The class names suggest that the Trojan is built upon a client-server architecture.<\/p>\n<div id=\"attachment_118922\" style=\"width: 634px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195425\/keenadu-android4.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118922\" class=\"size-full wp-image-118922\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195425\/keenadu-android4.png\" alt=\"Launching system_server in Zygote\" width=\"624\" height=\"186\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195425\/keenadu-android4.png 624w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195425\/keenadu-android4-300x89.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\"><\/a><\/p>\n<p id=\"caption-attachment-118922\" class=\"wp-caption-text\">Launching system_server in Zygote<\/p>\n<\/div>\n<p>The <code>system_server<\/code> process creates and launches various system services with the help of the <code>SystemServiceManager<\/code> class. 
These services are based on a client-server architecture, and clients for them are requested within app code by calling the <code>Context.getSystemService<\/code> method. Communication with the server-side component uses the Android inter-process communication (IPC) primitive, binder. This approach offers numerous security and other benefits. These include, among other things, the ability to restrict certain apps from accessing various system services and their functionality, as well as the presence of abstractions that simplify the use of this access for developers while simultaneously protecting the system from potential vulnerabilities in apps.<\/p>\n<p>The authors of Keenadu designed it in a similar fashion. The core logic is located in the <code>AKServer<\/code> class, which operates within the <code>system_server<\/code> process. <code>AKServer<\/code> essentially represents a malicious system service, while <code>AKClient<\/code> acts as the interface for accessing <code>AKServer<\/code> via binder. 
For convenience, we provide a diagram of the backdoor\u2019s architecture below:<\/p>\n<div id=\"attachment_118923\" style=\"width: 1698px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195722\/keenadu-android5.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118923\" class=\"size-full wp-image-118923\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195722\/keenadu-android5.png\" alt=\"Keenadu backdoor execution flow\" width=\"1688\" height=\"1140\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195722\/keenadu-android5.png 1688w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195722\/keenadu-android5-300x203.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195722\/keenadu-android5-1024x692.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195722\/keenadu-android5-768x519.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195722\/keenadu-android5-1536x1037.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195722\/keenadu-android5-518x350.png 518w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195722\/keenadu-android5-740x500.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195722\/keenadu-android5-415x280.png 415w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13195722\/keenadu-android5-800x540.png 800w\" sizes=\"auto, (max-width: 1688px) 100vw, 1688px\"><\/a><\/p>\n<p id=\"caption-attachment-118923\" class=\"wp-caption-text\">Keenadu backdoor execution flow<\/p>\n<\/div>\n<p>It is important to 
highlight Keenadu as yet another case where we find key Android security principles being compromised. First, because the malware is embedded in <code>libandroid_runtime.so<\/code>, it operates within the context of every app on the device, thereby gaining access to all their data and rendering the system\u2019s intended app sandboxing meaningless. Second, it provides interfaces for bypassing permissions (discussed below) that are used to control app privileges within the system. Consequently, it represents a full-fledged backdoor that allows attackers to gain virtually unrestricted control over the victim\u2019s device.<\/p>\n<h3 id=\"akclient-architecture\">AKClient architecture<\/h3>\n<p><code>AKClient<\/code> is relatively straightforward in its design. It is injected into every app launched on the device and retrieves an interface instance for server communication via a protected broadcast (<code>com.action.SystemOptimizeService<\/code>). Using binder, this interface sends an <code>attach<\/code> transaction to the malicious AKServer, passing an IPC wrapper that facilitates the loading of arbitrary DEX files within the context of the compromised app. This allows <code>AKServer<\/code> to execute custom malicious payloads tailored to the specific app it has targeted.<\/p>\n<h3 id=\"akserver-architecture\">AKServer architecture<\/h3>\n<p>At the start of its execution, <code>AKServer<\/code> sends two protected broadcasts: <code>com.action.SystemOptimizeService<\/code> and <code>com.action.SystemProtectService<\/code>. As previously described, the first broadcast delivers an interface instance to other AKClient-infected processes for interacting with <code>AKServer<\/code>. Along with the <code>com.action.SystemProtectService<\/code> message, an instance of another interface for interacting with <code>AKServer<\/code> is transmitted. 
Malicious modules downloaded within the contexts of other apps can use this interface to:<\/p>\n<ul>\n<li>Grant any permission to an arbitrary app on the device.<\/li>\n<li>Revoke any permission from an arbitrary app on the device.<\/li>\n<li>Retrieve the device\u2019s geolocation.<\/li>\n<li>Exfiltrate device information.<\/li>\n<\/ul>\n<div id=\"attachment_118924\" style=\"width: 583px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200117\/keenadu-android6.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118924\" class=\"size-full wp-image-118924\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200117\/keenadu-android6.png\" alt=\"Malicious interface for permission management and device data collection\" width=\"573\" height=\"497\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200117\/keenadu-android6.png 573w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200117\/keenadu-android6-300x260.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200117\/keenadu-android6-404x350.png 404w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200117\/keenadu-android6-323x280.png 323w\" sizes=\"auto, (max-width: 573px) 100vw, 573px\"><\/a><\/p>\n<p id=\"caption-attachment-118924\" class=\"wp-caption-text\">Malicious interface for permission management and device data collection<\/p>\n<\/div>\n<p>Once interaction between the server and client components is established, <code>AKServer<\/code> launches its primary malicious task, titled <code>MainWorker<\/code>. Upon its initial launch, <code>MainWorker<\/code> logs the current system time. Following this, the malware checks the device\u2019s language settings and time zone. 
If the interface language is a Chinese dialect and the device is located within a Chinese time zone, the malware terminates. It also remains inactive if either the Google Play Store or Google Play Services are absent from the device. If the device passes these checks, the Trojan initiates the <code>PluginTask<\/code> task. At the start of its routine, <code>PluginTask<\/code> decrypts the command-and-control server addresses from the code as follows:<\/p>\n<ol>\n<li>The encrypted address string is decoded using Base64.<\/li>\n<li>The resulting data, a gzip-compressed buffer, is then decompressed.<\/li>\n<li>The decompressed data is decrypted using AES-128 in CFB mode. The decryption key is the MD5 hash of the string <code>\"ota.host.ba60d29da7fd4794b5c5f732916f7d5c\"<\/code>, and the initialization vector is the string <code>\"0102030405060708\"<\/code>.<\/li>\n<\/ol>\n<p>After decrypting the C2 server addresses, the Trojan collects victim device metadata, such as the model, IMEI, MAC address, and OS version, and encrypts it using the same method as the server addresses, but this time it utilizes the MD5 hash of the string <code>\"ota.api.bbf6e0a947a5f41d7f5226affcfd858c\"<\/code> as the AES key. The encrypted data is sent to the C2 server via a POST request to the path <code>\/ak\/api\/pts\/v4<\/code><a name=\"request\"><\/a>. The request parameters include two values:<\/p>\n<ul>\n<li><code>m<\/code>: the MD5 hash of the device IMEI<\/li>\n<li><code>n<\/code>: the network connection type (\u201cw\u201d for Wi-Fi, and \u201cm\u201d for mobile data)<\/li>\n<\/ul>\n<p>The response from the C2 server contains a <code>code<\/code> field, which may hold an error code returned by the server. If this field has a zero value, no error has occurred. 
In this case, the response will include a <code>data<\/code> field: a JSON object encrypted in the same manner as the request data and containing information about the payloads.<\/p>\n<h2 id=\"how-keenadu-compromised-libandroid_runtime-so\">How Keenadu compromised libandroid_runtime.so<\/h2>\n<p>After analyzing the initial infection stages, we set out to determine exactly how the backdoor was being integrated into Android device firmware. Almost immediately, we discovered public reports from Alldocube tablet users regarding suspicious DNS queries originating from their devices. This vendor had previously acknowledged the presence of malware in one of its tablet models. However, the company\u2019s <a href=\"https:\/\/www.alldocube.com\/en\/forums\/topic\/11680\/\" target=\"_blank\" rel=\"noopener\">statement<\/a> contained no specifics regarding which malware had compromised the devices or how the breach occurred. We will attempt to answer these questions.<\/p>\n<div id=\"attachment_118925\" style=\"width: 720px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200413\/keenadu-android7.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118925\" class=\"size-full wp-image-118925\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200413\/keenadu-android7.png\" alt=\"User complaints regarding suspicious DNS queries\" width=\"710\" height=\"369\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200413\/keenadu-android7.png 710w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200413\/keenadu-android7-300x156.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200413\/keenadu-android7-673x350.png 673w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13200413\/keenadu-android7-539x280.png 539w\" sizes=\"auto, (max-width: 710px) 100vw, 710px\"><\/a><\/p>\n<p id=\"caption-attachment-118925\" class=\"wp-caption-text\">User complaints regarding suspicious DNS queries<\/p>\n<\/div>\n<p>The DNS queries described by the original complainant also appeared suspicious to us. According to our telemetry, the Keenadu C2 domains obtained at that time resolved to the IP addresses listed below:<\/p>\n<ul>\n<li>67.198.232[.]4<\/li>\n<li>67.198.232[.]187<\/li>\n<\/ul>\n<p>The domains keepgo123[.]com and gsonx[.]com mentioned in the complaint resolved to these same addresses, which may indicate that the complainant\u2019s tablet was also infected with Keenadu. However, matching IP addresses alone is insufficient for a definitive attribution. To test this hypothesis, it was necessary to examine the device itself. We considered purchasing the same tablet model, but this proved unnecessary: as it turns out, Alldocube publishes firmware archives for its devices publicly, allowing anyone to audit them for malware.<\/p>\n<p>To analyze the firmware, one must first determine the storage format of its contents. Alldocube firmware packages are RAR archives containing various image files, other types of files, and a Windows-based flashing utility. From an analytical standpoint, the Android file system holds the most value. Its primary partitions, including the system partition, are contained within the image file <code>super.img<\/code>. This is an Android Sparse Image. 
For the sake of brevity, we will omit a technical breakdown of this format (which can be reconstructed from the <code>libsparse<\/code> <a href=\"https:\/\/cs.android.com\/android\/platform\/superproject\/main\/+\/main:system\/core\/libsparse\/sparse_format.h\" target=\"_blank\" rel=\"noopener\">code<\/a>); it is sufficient to note that there are open-source <a href=\"https:\/\/github.com\/unix3dgforce\/lpunpack\" target=\"_blank\" rel=\"noopener\">utilities<\/a> to extract partitions from these files in the form of standard file system images.<\/p>\n<p>We extracted <code>libandroid_runtime.so<\/code> from the Alldocube iPlay 50 mini Pro (T811M) firmware dated August 18, 2023. Upon examining the library, we discovered the Keenadu backdoor. Furthermore, we decrypted the payload and extracted C2 server addresses hosted on the keepgo123[.]com and gsonx[.]com domains, confirming the user\u2019s suspicions: their devices were indeed infected with this backdoor. Notably, all subsequent firmware versions for this model also proved to be infected, including those released after the vendor\u2019s public statement.<\/p>\n<p>Special attention should be paid to the firmware for the Alldocube iPlay 50 mini Pro NFE model. The \u201cNFE\u201d (Netflix Enabled) part of the name indicates that these devices include an additional DRM module to support high-quality streaming. To achieve this, they must meet the Widevine L1 standard under the <a href=\"https:\/\/developers.google.com\/widevine\/drm\/overview\" target=\"_blank\" rel=\"noopener\">Google Widevine DRM<\/a> premium media protection system. Consequently, they process media within a TEE (Trusted Execution Environment), which mitigates the risk of untrusted code accessing content and thus prevents unauthorized media copying. 
While Widevine certification failed to protect these devices from infection, the initial Alldocube iPlay 50 mini Pro NFE firmware (released November 7, 2023) was clean \u2013 unlike other models\u2019 initial firmware. However, every subsequent version, including the latest release from May 20, 2024, contained Keenadu.<\/p>\n<p>During our analysis of the Alldocube device firmware, we discovered that all images carried valid digital signatures. This implies that simply compromising an OTA update server would have been insufficient for an attacker to inject the backdoor into <code>libandroid_runtime.so<\/code>. They would also need to gain possession of the private signing keys, which normally should not be accessible from an OTA server. Consequently, it is highly probable that the Trojan was integrated into the firmware during the build phase.<\/p>\n<p>Furthermore, we have found a static library, <code>libVndxUtils.a<\/code> (MD5:\u00a0ca98ae7ab25ce144927a46b7fee6bd21), containing the Keenadu code, which further supports our hypothesis. This malicious library is written in C++ and was compiled using the CMake build system. Interestingly, the library retained absolute file paths to the source code on the developer\u2019s machine:<\/p>\n<ul>\n<li>D:workgitzhosak-clientak-clientloadersrcmaincpp__log_native_load.cpp: this file contains the dropper code.<\/li>\n<li>D:workgitzhosak-clientak-clientloadersrcmaincpp__log_native_data.cpp: this file contains the RC4-encrypted payload along with its size metadata.<\/li>\n<\/ul>\n<p>The dropper\u2019s entry point is the function <code>__log_check_tag_count<\/code>. 
The attacker inserted a call to this function directly into the implementation of the <code>println_native<\/code> method.<\/p>\n<div id=\"attachment_118926\" style=\"width: 828px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201632\/keenadu-android8.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118926\" class=\"size-full wp-image-118926\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201632\/keenadu-android8.png\" alt=\"Code snippet where the attacker inserted the malicious call\" width=\"818\" height=\"590\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201632\/keenadu-android8.png 818w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201632\/keenadu-android8-300x216.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201632\/keenadu-android8-768x554.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201632\/keenadu-android8-485x350.png 485w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201632\/keenadu-android8-740x534.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201632\/keenadu-android8-388x280.png 388w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201632\/keenadu-android8-800x577.png 800w\" sizes=\"auto, (max-width: 818px) 100vw, 818px\"><\/a><\/p>\n<p id=\"caption-attachment-118926\" class=\"wp-caption-text\">Code snippet where the attacker inserted the malicious call<\/p>\n<\/div>\n<p>According to our data, the malicious dependency was located within the firmware source code repository at the following 
paths:<\/p>\n<ul>\n<li>vendor\/mediatek\/proprietary\/external\/libutils\/arm\/libVndxUtils.a<\/li>\n<li>vendor\/mediatek\/proprietary\/external\/libutils\/arm64\/libVndxUtils.a<\/li>\n<\/ul>\n<p>Interestingly, the Trojan within <code>libandroid_runtime.so<\/code> decrypts and writes the payload to disk at <code>\/data\/dalvik-cache\/arm[64]\/system@framework@vndx_10x.jar@classes.jar<\/code>. The attacker most likely attempted to disguise the malicious <code>libandroid_runtime.so<\/code> dependency as a supposedly legitimate \u201cvndx\u201d component containing proprietary code from MediaTek. In reality, no such component exists in MediaTek products.<\/p>\n<p>Finally, according to our telemetry, the Trojan is found not only in Alldocube devices but also in hardware from other manufacturers. In all instances, the backdoor is embedded within tablet firmware. We have notified these vendors about the compromise.<\/p>\n<p>Based on the evidence presented above, we believe that Keenadu was integrated into Android device firmware as the result of a supply chain attack. One stage of the firmware supply chain was compromised, leading to the inclusion of a malicious dependency within the source code. Consequently, the vendors may have been unaware that their devices were infected prior to reaching the market.<\/p>\n<h2 id=\"keenadu-backdoor-modules\">Keenadu backdoor modules<\/h2>\n<p>As previously noted, the inherent architecture of Keenadu allows attackers to gain virtually unrestricted control over the victim\u2019s device. To understand exactly how they leveraged this capability, we analyzed the payloads downloaded by the backdoor. To achieve this, we crafted a request to the C2 server, masquerading as an infected device. Initially, the C2 server did not deliver any files; instead, it returned a timestamp for the next check-in, scheduled 2.5 months after the initial request. 
Through black-box analysis of the C2 server, we determined that the request includes the backdoor\u2019s activation time; if 2.5 months have not elapsed since that moment, the C2 will not serve any payloads. This is likely a technique designed to complicate analysis and minimize the probability of these payloads being detected. Once we modified the activation time in our request to a sufficiently distant date in the past, the C2 server returned the list of payloads for analysis.<\/p>\n<p>The attacker\u2019s server delivers information about the payloads as an object array. Each object contains a download link for the payload, its MD5 hash, target app package names, target process names, and other metadata. An example of such an object is provided below. Notably, the attackers chose Amazon AWS as their CDN provider.<\/p>\n<div id=\"attachment_118927\" style=\"width: 912px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201857\/keenadu-android9.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118927\" class=\"size-full wp-image-118927\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201857\/keenadu-android9.png\" alt=\"Example of payload metadata\" width=\"902\" height=\"362\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201857\/keenadu-android9.png 902w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201857\/keenadu-android9-300x120.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201857\/keenadu-android9-768x308.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201857\/keenadu-android9-872x350.png 872w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201857\/keenadu-android9-740x297.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201857\/keenadu-android9-698x280.png 698w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/13201857\/keenadu-android9-800x321.png 800w\" sizes=\"auto, (max-width: 902px) 100vw, 902px\"><\/a><\/p>\n<p id=\"caption-attachment-118927\" class=\"wp-caption-text\">Example of payload metadata<\/p>\n<\/div>\n<p>Files downloaded by Keenadu utilize a proprietary format to store the encrypted payload and its configuration. A pseudocode description of this format is presented below (<code>struct KeenaduPayload<\/code>):<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">struct KeenaduChunk {\n    uint32_t size;\n    uint8_t data[size];\n} __packed;\n\nstruct KeenaduPayload {\n    int32_t version;\n    uint8_t padding[0x100];\n    uint8_t salt[0x20];\n    KeenaduChunk config;\n    KeenaduChunk payload;\n    KeenaduChunk signature;\n} __packed;<\/pre>\n<p>\nAfter downloading, Keenadu verifies the file integrity using MD5. The Trojan\u2019s creators also implemented a code-signing mechanism using the DSA algorithm. The signature is verified before the payload is decrypted and executed. This ensures that only an attacker in possession of the private key can generate malicious payloads. Upon successful verification, the configuration and the malicious module are decrypted using AES-128 in CFB mode. The decryption key is the MD5 hash of the string that is a concatenation of <code>\"37d9a33df833c0d6f11f1b8079aaa2dc\"<\/code> and a salt, while the initialization vector is the string <code>\"0102030405060708\"<\/code>.<\/p>\n<p>The configuration contains information regarding the module\u2019s entry and exit points, its name, and its version. 
An example configuration for one of the modules is provided below.<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">{\n    \"stopMethod\": \"stop\",\n    \"startMethod\": \"start\",\n    \"pluginId\": \"com.ak.p.wp\",\n    \"service\": \"1\",\n    \"cn\": \"com.ak.p.d.MainApi\",\n    \"m_uninit\": \"stop\",\n    \"version\": \"3117\",\n    \"clazzName\": \"com.ak.p.d.MainApi\",\n    \"m_init\": \"start\"\n}<\/pre>\n<p>\nHaving outlined the backdoor\u2019s algorithm for loading malicious modules, we will now proceed to their analysis.<\/p>\n<h3 id=\"keenadu-loader\">Keenadu loader<\/h3>\n<p>This module (MD5:\u00a04c4ca7a2a25dbe15a4a39c11cfef2fb2) targets popular online storefronts with the following package names:<\/p>\n<ul>\n<li>com.amazon.mShop.android.shopping (Amazon)<\/li>\n<li>com.zzkko (SHEIN)<\/li>\n<li>com.einnovation.temu (Temu)<\/li>\n<\/ul>\n<p>The entry point is the <code>start<\/code> method of the <code>com.ak.p.d.MainApi<\/code> class. This class initiates a malicious task named HsTask, which serves as a loader conceptually similar to <code>AKServer<\/code>. Upon execution, the loader collects victim device metadata (model, IMEI, MAC address, OS version, and so on) as well as information regarding the specific app within which it is running. The collected data is encoded using the same method as the <code>AKServer<\/code> <a href=\"https:\/\/securelist.com\/keenadu-android-backdoor\/118913\/#request\">requests<\/a> sent to <code>\/ak\/api\/pts\/v4<\/code>. 
Once encoded, the loader exfiltrates the data via a POST request to the C2 server at <code>\/ota\/api\/tasks\/v3<\/code>.<\/p>\n<div id=\"attachment_118929\" style=\"width: 575px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210615\/keenadu-android10.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118929\" class=\"size-full wp-image-118929\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210615\/keenadu-android10.png\" alt=\"Data collection via the plugin\" width=\"565\" height=\"742\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210615\/keenadu-android10.png 565w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210615\/keenadu-android10-228x300.png 228w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210615\/keenadu-android10-267x350.png 267w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210615\/keenadu-android10-213x280.png 213w\" sizes=\"auto, (max-width: 565px) 100vw, 565px\"><\/a><\/p>\n<p id=\"caption-attachment-118929\" class=\"wp-caption-text\">Data collection via the plugin<\/p>\n<\/div>\n<p>In response, the attackers\u2019 server returns a list of modules for download and execution, as well as a list of APK files to install on the victim\u2019s device. Interestingly, in newer Android versions, the delivery of these APKs is implemented via <a href=\"https:\/\/developer.android.com\/reference\/android\/content\/pm\/PackageInstaller.Session\" target=\"_blank\" rel=\"noopener\">installation sessions<\/a>. 
This is likely an attempt by the malware to bypass restrictions introduced in recent OS versions, which prevent sideloaded apps from accessing sensitive permissions \u2013 specifically accessibility services.<\/p>\n<div id=\"attachment_118930\" style=\"width: 802px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210703\/keenadu-android11.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118930\" class=\"size-full wp-image-118930\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210703\/keenadu-android11.png\" alt=\"Use of an installation session\" width=\"792\" height=\"270\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210703\/keenadu-android11.png 792w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210703\/keenadu-android11-300x102.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210703\/keenadu-android11-768x262.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210703\/keenadu-android11-740x252.png 740w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\"><\/a><\/p>\n<p id=\"caption-attachment-118930\" class=\"wp-caption-text\">Use of an installation session<\/p>\n<\/div>\n<p>Unfortunately, during our research, we were unable to obtain samples of the specific modules and APK files downloaded by this loader. 
However, users online have reported that infected tablets were adding items to marketplace shopping carts without the user\u2019s knowledge.<\/p>\n<div id=\"attachment_118931\" style=\"width: 718px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210739\/keenadu-android12.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118931\" class=\"size-full wp-image-118931\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210739\/keenadu-android12.png\" alt=\"User complaint on Reddit\" width=\"708\" height=\"213\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210739\/keenadu-android12.png 708w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210739\/keenadu-android12-300x90.png 300w\" sizes=\"auto, (max-width: 708px) 100vw, 708px\"><\/a><\/p>\n<p id=\"caption-attachment-118931\" class=\"wp-caption-text\">User complaint on Reddit<\/p>\n<\/div>\n<h3 id=\"clicker-loader\">Clicker loader<\/h3>\n<p>These modules (such as ad60f46e724d88af6bcacb8c269ac3c1) are injected into the following apps:<\/p>\n<ul>\n<li>Wallpaper (com.android.wallpaper)<\/li>\n<li>YouTube (com.google.android.youtube)<\/li>\n<li>Facebook (com.facebook.katana)<\/li>\n<li>Digital Wellbeing (com.google.android.apps.wellbeing)<\/li>\n<li>System launcher (com.android.launcher3)<\/li>\n<\/ul>\n<p>Upon execution, the malicious module retrieves the device\u2019s location and IP address using a GeoIP service deployed on the attackers\u2019 C2 server. This data, along with the network connection type and OS version, is exfiltrated to the C2. In response, the server returns a specially formatted file containing an encrypted JSON object with payload information, as well as a XOR key for decryption. 
The structure of this file is described below using pseudocode:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">struct Payload {\n    uint8_t magic[10]; \/\/ == \"encrypttag\"\n    uint8_t keyLen;\n    uint8_t xorKey[keyLen];\n    uint8_t payload[];\n} __packed;<\/pre>\n<p>\nThe decrypted JSON consists of an array of objects containing download links for the payloads and their respective entry points. An example of such an object is provided below. The payloads themselves are encrypted using the same logic as the JSON.<\/p>\n<div id=\"attachment_118932\" style=\"width: 618px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210913\/keenadu-android13.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118932\" class=\"size-full wp-image-118932\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210913\/keenadu-android13.png\" alt=\"Example of payload metadata\" width=\"608\" height=\"247\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210913\/keenadu-android13.png 608w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15210913\/keenadu-android13-300x122.png 300w\" sizes=\"auto, (max-width: 608px) 100vw, 608px\"><\/a><\/p>\n<p id=\"caption-attachment-118932\" class=\"wp-caption-text\">Example of payload metadata<\/p>\n<\/div>\n<p>In the course of our research, we obtained several payloads whose primary objective was to interact with advertising elements on various themed websites: gaming, recipes, and news. Each specific module interacts with one particular website whose address is hardcoded into its source.<\/p>\n<h3 id=\"google-chrome-module\">Google Chrome module<\/h3>\n<p>This module (MD5: 912bc4f756f18049b241934f62bfb06c) targets the Google Chrome browser (<code>com.android.chrome<\/code>). 
At the start of its execution, it registers an Activity Lifecycle Callback handler. Whenever an activity is launched within the target app, this handler checks its name. If the name matches the string <code>\"ChromeTabbedActivity\"<\/code>, the Trojan searches for a text input field (used for search queries and URLs) named <code>url_bar<\/code>.<\/p>\n<div id=\"attachment_118933\" style=\"width: 540px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15211354\/keenadu-android14.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118933\" class=\"size-full wp-image-118933\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15211354\/keenadu-android14.png\" alt=\"Searching for the url_bar text element\" width=\"530\" height=\"231\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15211354\/keenadu-android14.png 530w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15211354\/keenadu-android14-300x131.png 300w\" sizes=\"auto, (max-width: 530px) 100vw, 530px\"><\/a><\/p>\n<p id=\"caption-attachment-118933\" class=\"wp-caption-text\">Searching for the url_bar text element<\/p>\n<\/div>\n<p>If the element is found, the malware monitors text changes within it. All search queries entered by the user into the <code>url_bar<\/code> field are exfiltrated to the attackers\u2019 server. 
Furthermore, once the user finishes typing a query, the Trojan can hijack the search request and redirect it to a different search engine, depending on the configuration received from the C2 server.<\/p>\n<div id=\"attachment_118934\" style=\"width: 681px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15211637\/keenadu-android15.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118934\" class=\"size-full wp-image-118934\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15211637\/keenadu-android15.png\" alt=\"Search engine hijacking\" width=\"671\" height=\"381\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15211637\/keenadu-android15.png 671w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15211637\/keenadu-android15-300x170.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15211637\/keenadu-android15-616x350.png 616w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15211637\/keenadu-android15-493x280.png 493w\" sizes=\"auto, (max-width: 671px) 100vw, 671px\"><\/a><\/p>\n<p id=\"caption-attachment-118934\" class=\"wp-caption-text\">Search engine hijacking<\/p>\n<\/div>\n<p>It is worth noting that the hijacking attempt may fail if the user selects a query from the autocomplete suggestions; in this scenario, the user does not hit Enter or tap the search button in the <code>url_bar<\/code>, which would signal the malware to trigger the redirect. However, the attackers anticipated this too. The Trojan attempts to locate the <code>omnibox_suggestions_dropdown<\/code> element within the current activity, a ViewGroup containing the search suggestions. 
The malware monitors taps on these suggestions and proceeds to redirect the search engine regardless.<\/p>\n<div id=\"attachment_118935\" style=\"width: 676px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212040\/keenadu-android16.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118935\" class=\"size-full wp-image-118935\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212040\/keenadu-android16.png\" alt=\"Search engine hijacking upon selecting a browser-suggested option\" width=\"666\" height=\"315\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212040\/keenadu-android16.png 666w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212040\/keenadu-android16-300x142.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212040\/keenadu-android16-592x280.png 592w\" sizes=\"auto, (max-width: 666px) 100vw, 666px\"><\/a><\/p>\n<p id=\"caption-attachment-118935\" class=\"wp-caption-text\">Search engine hijacking upon selecting a browser-suggested option<\/p>\n<\/div>\n<h3 id=\"the-nova-phantom-clicker\">The Nova (Phantom) clicker<\/h3>\n<p>The initial version of this module (MD5:\u00a0f0184f6955479d631ea4b1ea0f38a35d) was a clicker embedded within the system wallpaper picker (<code>com.android.wallpaper<\/code>). Researchers at Dr. Web <a href=\"https:\/\/news.drweb.com\/show\/?lng=en&amp;i=15110&amp;c=5\" target=\"_blank\" rel=\"noopener\">discovered<\/a> it concurrently with our investigation; however, their report did not mention the clicker\u2019s distribution vector via the Keenadu backdoor. The module utilizes machine learning and WebRTC to interact with advertising elements. While our colleagues at Dr. Web named it Phantom, the C2 server refers to it as Nova. 
Furthermore, the task executed within the code is named <code>NovaTask<\/code>. Based on this, we believe the original name of the clicker is Nova.<\/p>\n<div id=\"attachment_118936\" style=\"width: 910px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212211\/keenadu-android17.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118936\" class=\"size-full wp-image-118936\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212211\/keenadu-android17.png\" alt=\"Nova as the plugin name\" width=\"900\" height=\"357\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212211\/keenadu-android17.png 900w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212211\/keenadu-android17-300x119.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212211\/keenadu-android17-768x305.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212211\/keenadu-android17-882x350.png 882w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212211\/keenadu-android17-740x294.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212211\/keenadu-android17-706x280.png 706w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212211\/keenadu-android17-800x317.png 800w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\"><\/a><\/p>\n<p id=\"caption-attachment-118936\" class=\"wp-caption-text\">Nova as the plugin name<\/p>\n<\/div>\n<p>It is also worth noting that shortly after the publication of the report on this clicker, the Keenadu C2 server began deleting it from infected devices. 
This is likely a strategic move by the attackers to evade further detection.<\/p>\n<div id=\"attachment_118937\" style=\"width: 525px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212248\/keenadu-android18.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118937\" class=\"size-full wp-image-118937\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212248\/keenadu-android18.png\" alt=\"Request to unload the Nova module\" width=\"515\" height=\"211\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212248\/keenadu-android18.png 515w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212248\/keenadu-android18-300x123.png 300w\" sizes=\"auto, (max-width: 515px) 100vw, 515px\"><\/a><\/p>\n<p id=\"caption-attachment-118937\" class=\"wp-caption-text\">Request to unload the Nova module<\/p>\n<\/div>\n<p>Interestingly, in the unload request, the Nova module appeared under a slightly different name. We believe this new name disguises the latest version of the module, which functions as a loader capable of downloading the following components:<\/p>\n<ul>\n<li>The Nova clicker.<\/li>\n<li>A Spyware module which exfiltrates various types of victim device information to the attackers\u2019 server.<\/li>\n<li>The Gegu SDK dropper. According to our data, this is a multi-stage dropper that launches two additional clickers.<\/li>\n<\/ul>\n<h3 id=\"install-monetization\">Install monetization<\/h3>\n<p>A module with the MD5 hash 3dae1f297098fa9d9d4ee0335f0aeed3 is embedded into the system launcher (<code>com.android.launcher3<\/code>). Upon initialization, it runs an environment check for virtual machine artifacts. 
If none are detected, the malware registers an event handler for session-based app installations.<\/p>\n<div id=\"attachment_118938\" style=\"width: 680px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212408\/keenadu-android19.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118938\" class=\"size-full wp-image-118938\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212408\/keenadu-android19.png\" alt=\"Handler registration\" width=\"670\" height=\"321\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212408\/keenadu-android19.png 670w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212408\/keenadu-android19-300x144.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212408\/keenadu-android19-584x280.png 584w\" sizes=\"auto, (max-width: 670px) 100vw, 670px\"><\/a><\/p>\n<p id=\"caption-attachment-118938\" class=\"wp-caption-text\">Handler registration<\/p>\n<\/div>\n<p>Simultaneously, the module requests a configuration file from the C2 server. 
An example of this configuration is provided below.<\/p>\n<div id=\"attachment_118939\" style=\"width: 703px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212442\/keenadu-android20.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118939\" class=\"size-full wp-image-118939\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212442\/keenadu-android20.png\" alt=\"Example of a monetization module configuration\" width=\"693\" height=\"174\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212442\/keenadu-android20.png 693w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212442\/keenadu-android20-300x75.png 300w\" sizes=\"auto, (max-width: 693px) 100vw, 693px\"><\/a><\/p>\n<p id=\"caption-attachment-118939\" class=\"wp-caption-text\">Example of a monetization module configuration<\/p>\n<\/div>\n<p>When an app installation is initiated on the device, the Trojan transmits data on this app to the C2 server. 
In response, the server provides information regarding the specific ad used to promote it.<\/p>\n<div id=\"attachment_118940\" style=\"width: 660px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212536\/keenadu-android21.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118940\" class=\"size-full wp-image-118940\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212536\/keenadu-android21.png\" alt=\"App ad source information\" width=\"650\" height=\"720\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212536\/keenadu-android21.png 650w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212536\/keenadu-android21-271x300.png 271w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212536\/keenadu-android21-316x350.png 316w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212536\/keenadu-android21-253x280.png 253w\" sizes=\"auto, (max-width: 650px) 100vw, 650px\"><\/a><\/p>\n<p id=\"caption-attachment-118940\" class=\"wp-caption-text\">App ad source information<\/p>\n<\/div>\n<p>For every successfully completed installation session, the Trojan executes GET requests to the URL provided in the <code>tracking_link<\/code> field in the response, as well as the first link within the <code>click<\/code> array. Based on the source code, the links in the <code>click<\/code> array serve as templates into which various advertising identifiers are injected. The attackers most likely use this method to monetize app installations. 
By simulating traffic from the victim\u2019s device, the Trojan deceives advertising platforms into believing that the app was installed from a legitimate ad tap.<\/p>\n<h3 id=\"google-play-module\">Google Play module<\/h3>\n<p>Even though <code>AKClient<\/code> shuts down if it is injected into the Google Play process, the C2 server has provided us with a payload for it. This module (MD5: 529632abf8246dfe555153de6ae2a9df) retrieves the Google Ads advertising ID and stores it via a global instance of the <code>Settings<\/code> class under the key <code>S_GA_ID3<\/code>. Subsequently, other modules may utilize this value as a victim identifier.<\/p>\n<div id=\"attachment_118941\" style=\"width: 821px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212753\/keenadu-android22.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118941\" class=\"size-full wp-image-118941\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212753\/keenadu-android22.png\" alt=\"Retrieving the advertising ID\" width=\"811\" height=\"399\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212753\/keenadu-android22.png 811w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212753\/keenadu-android22-300x148.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212753\/keenadu-android22-768x378.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212753\/keenadu-android22-711x350.png 711w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212753\/keenadu-android22-740x364.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212753\/keenadu-android22-569x280.png 569w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212753\/keenadu-android22-800x394.png 800w\" sizes=\"auto, (max-width: 811px) 100vw, 811px\"><\/a><\/p>\n<p id=\"caption-attachment-118941\" class=\"wp-caption-text\">Retrieving the advertising ID<\/p>\n<\/div>\n<h2 id=\"other-keenadu-distribution-vectors\">Other Keenadu distribution vectors<\/h2>\n<p>During our investigation, we decided to look for alternative sources of Keenadu infections. We discovered that several of the modules described above appeared in attacks that were not linked to the compromise of <code>libandroid_runtime.so<\/code>. Below are the details of these alternative vectors.<\/p>\n<h3 id=\"system-apps\">System apps<\/h3>\n<p>According to our telemetry, the Keenadu loader was found within various system apps in the firmware of several devices. One such app (MD5:\u00a0d840a70f2610b78493c41b1a344b6893) was a face recognition service with the package name <code>com.aiworks.faceidservice<\/code>. It contains a set of trained machine-learning models used for facial recognition \u2013 specifically for authorizing users via Face ID. 
To facilitate this, the app defines a service named <code>com.aiworks.lock.face.service.FaceLockService<\/code>, which the system UI (<code>com.android.systemui<\/code>) utilizes to unlock the device.<\/p>\n<div id=\"attachment_118942\" style=\"width: 852px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212954\/keenadu-android23.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118942\" class=\"size-full wp-image-118942\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212954\/keenadu-android23.png\" alt=\"Using the face recognition service in the System UI\" width=\"842\" height=\"220\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212954\/keenadu-android23.png 842w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212954\/keenadu-android23-300x78.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212954\/keenadu-android23-768x201.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212954\/keenadu-android23-740x193.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15212954\/keenadu-android23-800x209.png 800w\" sizes=\"auto, (max-width: 842px) 100vw, 842px\"><\/a><\/p>\n<p id=\"caption-attachment-118942\" class=\"wp-caption-text\">Using the face recognition service in the System UI<\/p>\n<\/div>\n<p>Within the <code>onCreate<\/code> method of <code>com.aiworks.lock.face.service.FaceLockService<\/code>, triggered upon that service\u2019s creation, three receivers are registered. These receivers monitor screen on\/off events, the start of charging, and the availability of network access. 
Each of these receivers calls the <code>startMars<\/code> method whose primary purpose is to initialize the malicious loader by calling the <code>init<\/code> method of the <code>com.hs.client.TEUtils<\/code> class.<\/p>\n<div id=\"attachment_118943\" style=\"width: 546px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213143\/keenadu-android24.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118943\" class=\"size-full wp-image-118943\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213143\/keenadu-android24.png\" alt=\"Malicious call\" width=\"536\" height=\"358\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213143\/keenadu-android24.png 536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213143\/keenadu-android24-300x200.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213143\/keenadu-android24-524x350.png 524w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213143\/keenadu-android24-419x280.png 419w\" sizes=\"auto, (max-width: 536px) 100vw, 536px\"><\/a><\/p>\n<p id=\"caption-attachment-118943\" class=\"wp-caption-text\">Malicious call<\/p>\n<\/div>\n<p>The loader is a slightly modified version of the Keenadu loader. This specific variant utilizes a native library <code>libhshelper.so<\/code> to load modules and facilitate APK installs. 
To accomplish this, the library defines corresponding native methods within the <code>com.hs.helper.NativeMain<\/code> class.<\/p>\n<div id=\"attachment_118944\" style=\"width: 634px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213310\/keenadu-android25.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118944\" class=\"size-full wp-image-118944\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213310\/keenadu-android25.png\" alt=\"Native methods defined by the library\" width=\"624\" height=\"255\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213310\/keenadu-android25.png 624w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213310\/keenadu-android25-300x123.png 300w\" sizes=\"auto, (max-width: 624px) 100vw, 624px\"><\/a><\/p>\n<p id=\"caption-attachment-118944\" class=\"wp-caption-text\">Native methods defined by the library<\/p>\n<\/div>\n<p>This specific attack vector \u2013 embedding a loader within system apps \u2013 is not inherently new. We have previously documented similar cases, such as the Dwphon loader, which was integrated into system apps responsible for OTA updates. However, this marks the first time we have encountered a Trojan embedded within a facial recognition service.<\/p>\n<p>In addition to the face recognition service, we identified other system apps infected with the Keenadu loader. These included the launcher app on certain devices (MD5:\u00a0382764921919868d810a5cf0391ea193). 
A malicious service, <code>com.pri.appcenter.service.RemoteService<\/code>, was embedded into these apps to trigger the Trojan\u2019s execution.<\/p>\n<p>We also discovered the Keenadu loader within the app with package name <code>com.tct.contentcenter<\/code> (MD5:\u00a0d07eb2db2621c425bda0f046b736e372). This app contains the advertising SDK <code>fwtec<\/code>, which retrieved its configuration via an HTTP GET request to hxxps:\/\/trends.search-hub[.]cn\/vuGs8 with default redirection disabled. In response, the Trojan expected a 302 redirect whose Location header carried a URL with the SDK configuration encoded in its parameters. One specific parameter, <code>hsby_search_switch<\/code>, controlled the activation of the Keenadu loader: if its value was set to 1, the loader would initialize within the app.<\/p>\n<div id=\"attachment_118945\" style=\"width: 785px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213529\/keenadu-android26.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118945\" class=\"size-full wp-image-118945\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213529\/keenadu-android26.png\" alt=\"Retrieving the configuration from the C2\" width=\"775\" height=\"560\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213529\/keenadu-android26.png 775w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213529\/keenadu-android26-300x217.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213529\/keenadu-android26-768x555.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213529\/keenadu-android26-484x350.png 484w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213529\/keenadu-android26-740x535.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213529\/keenadu-android26-388x280.png 388w\" sizes=\"auto, (max-width: 775px) 100vw, 775px\"><\/a><\/p>\n<p id=\"caption-attachment-118945\" class=\"wp-caption-text\">Retrieving the configuration from the C2<\/p>\n<\/div>\n<h3 id=\"loading-via-other-backdoors\">Loading via other backdoors<\/h3>\n<p>While analyzing our telemetry, we discovered an unusual version of the Keenadu loader (MD5:\u00a0f53c6ee141df2083e0200a514ba19e32) located in the directories of various apps within external storage, specifically at paths following the pattern: <code>\/storage\/emulated\/0\/Android\/data\/%PACKAGE%\/files\/.dx\/<\/code>. Based on the code analysis, this loader was designed to operate within a system where the <code>system_server<\/code> process had already been compromised. Notably, the binder interface names used in this version differed from those used by <code>AKServer<\/code>. The loader utilized the following interfaces:<\/p>\n<ul>\n<li>com.androidextlib.sloth.api.IPServiceM<\/li>\n<li>com.androidextlib.sloth.api.IPermissionsM<\/li>\n<\/ul>\n<p>These same binder interfaces are defined by another backdoor that is structured similarly and was also discovered within <code>libandroid_runtime.so<\/code>. The execution of this other backdoor on infected devices proceeds as follows: <code>libandroid_runtime.so<\/code> imports a malicious function <code>__android_log_check_loggable<\/code> from the <code>liblog.so<\/code> library (MD5:\u00a03d185f30b00270e7e30fc4e29a68237f). This function is called within the implementation of the <code>println_native<\/code> native method of the <code>android.util.Log<\/code> class. 
It decrypts a payload embedded in the library\u2019s body using a single-byte XOR and executes it within the context of all apps on the device.<\/p>\n<div id=\"attachment_118946\" style=\"width: 793px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213921\/keenadu-android27.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118946\" class=\"size-full wp-image-118946\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213921\/keenadu-android27.png\" alt=\"Payload decryption\" width=\"783\" height=\"663\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213921\/keenadu-android27.png 783w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213921\/keenadu-android27-300x254.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213921\/keenadu-android27-768x650.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213921\/keenadu-android27-413x350.png 413w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213921\/keenadu-android27-740x627.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15213921\/keenadu-android27-331x280.png 331w\" sizes=\"auto, (max-width: 783px) 100vw, 783px\"><\/a><\/p>\n<p id=\"caption-attachment-118946\" class=\"wp-caption-text\">Payload decryption<\/p>\n<\/div>\n<p>The payload shares many similarities with BADBOX, a comprehensive malware platform first <a href=\"https:\/\/www.humansecurity.com\/wp-content\/themes\/human\/hubspot\/hubfs\/HUMAN_Report_BADBOX-and-PEACHPIT.pdf\" target=\"_blank\" rel=\"noopener\">described<\/a> by researchers at HUMAN Security. 
Specifically, the C2 server paths used for the Trojan\u2019s HTTP requests are a match. This leads us to believe that this is a specific variant of BADBOX.<\/p>\n<div id=\"attachment_118947\" style=\"width: 625px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214041\/keenadu-android28.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118947\" class=\"size-full wp-image-118947\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214041\/keenadu-android28.png\" alt=\"The path \/terminal\/client\/register was previously documented in a HUMAN Security report\" width=\"615\" height=\"392\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214041\/keenadu-android28.png 615w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214041\/keenadu-android28-300x191.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214041\/keenadu-android28-549x350.png 549w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214041\/keenadu-android28-439x280.png 439w\" sizes=\"auto, (max-width: 615px) 100vw, 615px\"><\/a><\/p>\n<p id=\"caption-attachment-118947\" class=\"wp-caption-text\">The path \/terminal\/client\/register was previously documented in a HUMAN Security report<\/p>\n<\/div>\n<p>Within this backdoor, we also discovered the binder interfaces utilized by the aforementioned Keenadu loader. 
This suggests that those specific instances of Keenadu were deployed directly by BADBOX.<\/p>\n<div id=\"attachment_118948\" style=\"width: 777px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214126\/keenadu-android29.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118948\" class=\"size-full wp-image-118948\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214126\/keenadu-android29.png\" alt=\"One of the binder interfaces used by Keenadu is defined in the payload\" width=\"767\" height=\"563\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214126\/keenadu-android29.png 767w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214126\/keenadu-android29-300x220.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214126\/keenadu-android29-477x350.png 477w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214126\/keenadu-android29-740x543.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214126\/keenadu-android29-381x280.png 381w\" sizes=\"auto, (max-width: 767px) 100vw, 767px\"><\/a><\/p>\n<p id=\"caption-attachment-118948\" class=\"wp-caption-text\">One of the binder interfaces used by Keenadu is defined in the payload<\/p>\n<\/div>\n<h3 id=\"modifications-of-popular-apps\">Modifications of popular apps<\/h3>\n<p>Unfortunately, even if your firmware does not contain Keenadu or another pre-installed backdoor, the Trojan still poses a threat to you. The Nova (Phantom) clicker was <a href=\"https:\/\/news.drweb.com\/show\/?lng=en&amp;i=15110&amp;c=5\" target=\"_blank\" rel=\"noopener\">discovered<\/a> by researchers at Dr.Web around the same time as we were conducting our investigation. 
Their findings highlight a different distribution vector: modified versions of popular software distributed primarily through unofficial sources, as well as various apps found in the GetApps store.<\/p>\n<h3 id=\"google-play\">Google Play<\/h3>\n<p>Infected apps have managed to infiltrate Google Play too. During our research, we identified trojanized software for smart cameras published on the official Android app store. Collectively, these apps had been downloaded more than 300,000 times.<\/p>\n<div id=\"attachment_118949\" style=\"width: 4197px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-scaled.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118949\" class=\"size-full wp-image-118949\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-scaled.png\" alt=\"Examples of infected apps in Google Play\" width=\"4187\" height=\"1034\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-scaled.png 4187w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-300x74.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-1024x253.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-768x190.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-1536x379.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-2048x506.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-1417x350.png 1417w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-740x183.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-1134x280.png 1134w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214220\/keenadu-android30-800x198.png 800w\" sizes=\"auto, (max-width: 4187px) 100vw, 4187px\"><\/a><\/p>\n<p id=\"caption-attachment-118949\" class=\"wp-caption-text\">Examples of infected apps in Google Play<\/p>\n<\/div>\n<p>Each of these apps contained an embedded service named <code>com.arcsoft.closeli.service.KucopdInitService<\/code>, which launched the aforementioned Nova clicker. We alerted Google to the presence of the infected apps in its store, and they removed the malware. Curiously, while the malicious service was present in all identified apps, it was configured to execute only in one specific package: <code>com.taismart.global<\/code>.<\/p>\n<div id=\"attachment_118950\" style=\"width: 1008px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214337\/keenadu-android31.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118950\" class=\"size-full wp-image-118950\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214337\/keenadu-android31.png\" alt=\"The malicious service was launched only under specific conditions\" width=\"998\" height=\"222\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214337\/keenadu-android31.png 998w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214337\/keenadu-android31-300x67.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214337\/keenadu-android31-768x171.png 768w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214337\/keenadu-android31-740x165.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214337\/keenadu-android31-800x178.png 800w\" sizes=\"auto, (max-width: 998px) 100vw, 998px\"><\/a><\/p>\n<p id=\"caption-attachment-118950\" class=\"wp-caption-text\">The malicious service was launched only under specific conditions<\/p>\n<\/div>\n<h2 id=\"the-fantastic-four-how-triada-badbox-vo1d-and-keenadu-are-connected\">The Fantastic Four: how Triada, BADBOX, Vo1d, and Keenadu are connected<\/h2>\n<p>After discovering that BADBOX downloads one of the Keenadu modules, we decided to conduct further research to determine if there were any other signs of a connection between these Trojans. As a result, we found that BADBOX and Keenadu shared similarities in the payload code that was decrypted and executed by the malicious code in <code>libandroid_runtime.so<\/code>. We also identified similarities between the Keenadu loader and the BB2DOOR module of the BADBOX Trojan. Given that there are also distinct differences in the code, and considering that BADBOX was downloading the Keenadu loader, we believe these are separate botnets, and the developers of Keenadu likely found inspiration in the BADBOX source code. Furthermore, the authors of Keenadu appear to target Android tablets primarily.<\/p>\n<p>In our recent report on the Triada backdoor, we mentioned that the C2 server for one of its downloaded modules was hosted on the same domain as one of the Vo1d botnet\u2019s servers, which could suggest a link between those two Trojans. However, during the current investigation, we managed to uncover a connection between Triada and the BADBOX botnet as well. As it turns out, the directories where BADBOX downloaded the Keenadu loader also contained other payloads for various apps. 
Their description warrants a separate report; for the sake of brevity, we will not delve into the details here, limiting ourselves to the analysis of a payload for the Telegram and Instagram clients (MD5:\u00a08900f5737e92a69712481d7a809fcfaa). The entry point for this payload is the <code>com.extlib.apps.InsTGEnter<\/code> class. The payload is designed to steal victims\u2019 account credentials in the infected services. Interestingly, it also contains code for stealing credentials from the WhatsApp client, though it is currently not utilized.<\/p>\n<div id=\"attachment_118951\" style=\"width: 588px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214658\/keenadu-android32.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118951\" class=\"size-full wp-image-118951\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214658\/keenadu-android32.png\" alt=\"BADBOX payload code used for stealing credentials from WhatsApp clients\" width=\"578\" height=\"414\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214658\/keenadu-android32.png 578w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214658\/keenadu-android32-300x215.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214658\/keenadu-android32-489x350.png 489w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214658\/keenadu-android32-391x280.png 391w\" sizes=\"auto, (max-width: 578px) 100vw, 578px\"><\/a><\/p>\n<p id=\"caption-attachment-118951\" class=\"wp-caption-text\">BADBOX payload code used for stealing credentials from WhatsApp clients<\/p>\n<\/div>\n<p>The C2 server addresses used by the Trojan to exfiltrate device data are stored in the code in an encrypted format. 
They are first Base64-decoded and then decrypted with an XOR operation using the key string <code>\"xiwljfowkgs\"<\/code>.<\/p>\n<div id=\"attachment_118952\" style=\"width: 983px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214742\/keenadu-android33.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118952\" class=\"size-full wp-image-118952\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214742\/keenadu-android33.png\" alt=\"Decrypted payload C2 addresses\" width=\"973\" height=\"605\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214742\/keenadu-android33.png 973w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214742\/keenadu-android33-300x187.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214742\/keenadu-android33-768x478.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214742\/keenadu-android33-563x350.png 563w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214742\/keenadu-android33-740x460.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214742\/keenadu-android33-450x280.png 450w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214742\/keenadu-android33-800x497.png 800w\" sizes=\"auto, (max-width: 973px) 100vw, 973px\"><\/a><\/p>\n<p id=\"caption-attachment-118952\" class=\"wp-caption-text\">Decrypted payload C2 addresses<\/p>\n<\/div>\n<p>After decrypting the C2 addresses, we discovered the domain zcnewy[.]com, which we had previously <a href=\"https:\/\/securelist.com\/malicious-whatsapp-mod-distributed-through-legitimate-apps\/107690\/\" target=\"_blank\" 
rel=\"noopener\">identified<\/a> in 2022 during our investigation of malicious WhatsApp mods containing Triada. At that time, we assumed that the code segment responsible for stealing WhatsApp credentials and the malicious dropper both belonged to Triada. However, since we have now established that zcnewy[.]com is linked to BADBOX, we believe that the infected WhatsApp modifications we described in 2022 actually contained two distinct Trojans: Triada and BADBOX. To verify this hypothesis, we re-examined one of those modifications (MD5:\u00a0caa640824b0e216fab86402b14447953) and confirmed that it contained the code for both the Triada dropper and a BADBOX module functionally similar to the one described above. Although the Trojans were launched from the same entry point, they did not interact with each other and were structured in entirely different ways. Based on this, we conclude that what we observed in 2022 was a joint attack by the BADBOX and Triada operators.<\/p>\n<div id=\"attachment_118953\" style=\"width: 382px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214907\/keenadu-android34.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118953\" class=\"size-full wp-image-118953\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214907\/keenadu-android34.png\" alt=\"BADBOX and Triada launched from the same entry point\" width=\"372\" height=\"142\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214907\/keenadu-android34.png 372w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15214907\/keenadu-android34-300x115.png 300w\" sizes=\"auto, (max-width: 372px) 100vw, 372px\"><\/a><\/p>\n<p id=\"caption-attachment-118953\" class=\"wp-caption-text\">BADBOX and Triada launched from the same entry 
point<\/p>\n<\/div>\n<p>These findings show that several of the largest Android botnets are interacting with one another. Currently, we have confirmed links between Triada, Vo1d, and BADBOX, as well as the connection between Keenadu and BADBOX. Researchers at HUMAN Security have also previously <a href=\"https:\/\/www.humansecurity.com\/learn\/blog\/satori-threat-intelligence-disruption-badbox-2-0\/\" target=\"_blank\" rel=\"noopener\">reported<\/a> a connection between Vo1d and BADBOX. It is important to emphasize that these connections are not necessarily transitive. For example, the fact that both Triada and Keenadu are linked to BADBOX does not automatically imply that Triada and Keenadu are directly connected; such a claim would require separate evidence. However, given the current landscape, we would not be surprised if future reports provide the evidence needed to prove the transitivity of these relationships.<\/p>\n<h2 id=\"victims\">Victims<\/h2>\n<p>According to our telemetry, 13,715 users worldwide have encountered Keenadu or its modules. Our security solutions recorded the highest number of users attacked by the malware in Russia, Japan, Germany, Brazil and the Netherlands.<\/p>\n<h2 id=\"recommendations\">Recommendations<\/h2>\n<p>Our technical support team is often asked what steps should be taken if a security solution detects Keenadu on a device. In this section, we examine all possible scenarios for combating this Trojan.<\/p>\n<h3 id=\"if-the-libandroid_runtime-so-library-is-infected\">If the libandroid_runtime.so library is infected<\/h3>\n<p>Modern versions of Android mount the system partition, which contains <code>libandroid_runtime.so<\/code>, as read-only. Even if one were to theoretically assume the possibility of editing this partition, the infected <code>libandroid_runtime.so<\/code> library cannot be removed without damaging the firmware: the device would simply cease to boot. 
Therefore, it is impossible to eliminate the threat using standard Android OS tools. Operating a device infected with the Keenadu backdoor can involve significant inconveniences. Reviews of infected devices complain about intrusive ads and various mysterious sounds whose source cannot be identified.<\/p>\n<div id=\"attachment_118954\" style=\"width: 921px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15215120\/keenadu-android35.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-118954\" class=\"size-full wp-image-118954\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15215120\/keenadu-android35.png\" alt=\"Review of an infected tablet complaining about noise\" width=\"911\" height=\"383\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15215120\/keenadu-android35.png 911w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15215120\/keenadu-android35-300x126.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15215120\/keenadu-android35-768x323.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15215120\/keenadu-android35-833x350.png 833w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15215120\/keenadu-android35-740x311.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15215120\/keenadu-android35-666x280.png 666w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/15215120\/keenadu-android35-800x336.png 800w\" sizes=\"auto, (max-width: 911px) 100vw, 911px\"><\/a><\/p>\n<p id=\"caption-attachment-118954\" class=\"wp-caption-text\">Review of an infected tablet complaining about noise<\/p>\n<\/div>\n<p>If you encounter the 
Keenadu backdoor, we recommend the following:<\/p>\n<ul>\n<li>Check for software updates. It is possible that a clean firmware version has already been released for your device. After updating, use a reliable security solution to verify that the issue has been resolved.<\/li>\n<li>If a clean firmware update from the manufacturer does not exist for your device, you can attempt to install a clean firmware yourself. However, it is important to remember that <span style=\"color:red\"><strong>manually flashing a device can brick it<\/strong><\/span>.<\/li>\n<li>Until the firmware is replaced or updated, we recommend that you stop using the infected device.<\/li>\n<\/ul>\n<h3 id=\"if-one-of-the-system-apps-is-infected\">If one of the system apps is infected<\/h3>\n<p>Unfortunately, as in the previous case, it is not possible to remove such an app from the device because it is located in the system partition. If you encounter the Keenadu loader in a system app, our recommendations are:<\/p>\n<ol>\n<li>Find a replacement for the app, if applicable. For example, if the launcher app is infected, you can download any alternative that does not contain malware. If no alternatives exist for the app \u2013 for example, if the face recognition service is infected \u2013 we recommend avoiding the use of that specific functionality whenever possible.<\/li>\n<li>Disable the infected app using ADB if an alternative has been found or you don\u2019t really need it. This can be done with the command <code>adb shell pm disable --user 0 %PACKAGE%<\/code>.<\/li>\n<\/ol>\n<h3 id=\"if-an-infected-app-has-been-installed-on-the-device\">If an infected app has been installed on the device<\/h3>\n<p>This is one of the simplest cases of infection. 
If a security solution has detected an app infected with Keenadu on your device, simply uninstall it following the instructions the solution provides.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>Developers of pre-installed backdoors in Android device firmware have always stood out for their high level of expertise. This is still true for Keenadu: the creators of the malware have a deep understanding of the Android architecture, the app startup process, and the core security principles of the operating system. During the investigation, we were surprised by the scope of the Keenadu campaigns: beyond the primary backdoor in firmware, its modules were found in system apps and even in apps from Google Play. This places the Trojan on the same scale as threats like Triada or BADBOX. The emergence of a new pre-installed backdoor of this magnitude indicates that this category of malware is a distinct market with significant competition.<\/p>\n<p>Keenadu is a large-scale, complex malware platform that provides attackers with unrestricted control over the victim\u2019s device. Although we have currently shown that the backdoor is used primarily for various types of ad fraud, we do not rule out that in the future, the malware may follow in Triada\u2019s footsteps and begin stealing credentials.<\/p>\n<h2 id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p>Additional IoCs, technical details and a YARA rule for detecting Keenadu activity are available to customers of our <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/services?icid=gl_sl_ti-lnk_sm-team_63057f3138f7f09f#threat-intelligence\" target=\"_blank\">Threat Intelligence Reporting service<\/a>. 
For more details, contact us at <a href=\"mailto:crimewareintel@kaspersky.com\">crimewareintel@kaspersky.com<\/a>.<\/p>\n<p><strong>Malicious libandroid_runtime.so libraries<\/strong><\/p>\n<p><strong>Keenadu payloads<\/strong><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/dc3d454a7edb683bec75a6a1e28a4877\/?icid=gl_sl_opentip-lnk_sm-team_4e9e4fe18ca7b5c0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">dc3d454a7edb683bec75a6a1e28a4877<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/f0184f6955479d631ea4b1ea0f38a35d\/?icid=gl_sl_opentip-lnk_sm-team_a5cd2a9b10963e59&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">f0184f6955479d631ea4b1ea0f38a35d<\/a><\/p>\n<p><strong>System applications infected with Keenadu loader<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/07546413bdcb0e28eadead4e2b0db59d\/?icid=gl_sl_opentip-lnk_sm-team_9c2fc12f77ebeff0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">07546413bdcb0e28eadead4e2b0db59d<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/0c1f61eeebc4176d533b4fc0a36b9d61\/?icid=gl_sl_opentip-lnk_sm-team_f09d7c951098b832&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">0c1f61eeebc4176d533b4fc0a36b9d61<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/10d8e8765adb1cbe485cb7d7f4df21e4\/?icid=gl_sl_opentip-lnk_sm-team_059de8ffacf793f5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">10d8e8765adb1cbe485cb7d7f4df21e4<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/11eaf02f41b9c93e9b3189aa39059419\/?icid=gl_sl_opentip-lnk_sm-team_8727427e8dbc4069&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">11eaf02f41b9c93e9b3189aa39059419<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/19df24591b3d76ad3d0a6f548e608a43\/?icid=gl_sl_opentip-lnk_sm-team_905cede2c8c9f338&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">19df24591b3d76ad3d0a6f548e608a43<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/1bfb3edb394d7c018e06ed31c7eea937\/?icid=gl_sl_opentip-lnk_sm-team_fcd796d0475f3ef5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">1bfb3edb394d7c018e06ed31c7eea937<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/1c52e14095f23132719145cf24a2f9dc\/?icid=gl_sl_opentip-lnk_sm-team_7b8658c14a4a7ea2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">1c52e14095f23132719145cf24a2f9dc<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/21846f602bcabccb00de35d994f153c9\/?icid=gl_sl_opentip-lnk_sm-team_7ba8fa06479d82a4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">21846f602bcabccb00de35d994f153c9<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/2419583128d7c75e9f0627614c2aa73f\/?icid=gl_sl_opentip-lnk_sm-team_0641e3b9de91f794&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">2419583128d7c75e9f0627614c2aa73f<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/28e6936302f2d290c2fec63ca647f8a6\/?icid=gl_sl_opentip-lnk_sm-team_7cbbf9c7985f0ac3&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">28e6936302f2d290c2fec63ca647f8a6<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/382764921919868d810a5cf0391ea193\/?icid=gl_sl_opentip-lnk_sm-team_d6610dd283691abf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">382764921919868d810a5cf0391ea193<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/45bf58973111e00e378ee9b7b43b7d2d\/?icid=gl_sl_opentip-lnk_sm-team_d1393738a5cb3729&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">45bf58973111e00e378ee9b7b43b7d2d<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/56036c2490e63a3e55df4558f7ecf893\/?icid=gl_sl_opentip-lnk_sm-team_a7e39417a80c7b81&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">56036c2490e63a3e55df4558f7ecf893<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/64947d3a929e1bb860bf748a15dba57c\/?icid=gl_sl_opentip-lnk_sm-team_03d5fe40f13f44db&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">64947d3a929e1bb860bf748a15dba57c<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/69225f41dcae6ddb78a6aa6a3caa82e1\/?icid=gl_sl_opentip-lnk_sm-team_33b2540580c6a7a1&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">69225f41dcae6ddb78a6aa6a3caa82e1<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/6df8284a4acee337078a6a62a8b65210\/?icid=gl_sl_opentip-lnk_sm-team_15945fa6b0c39f2e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">6df8284a4acee337078a6a62a8b65210<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/6f6e14b4449c0518258beb5a40ad7203\/?icid=gl_sl_opentip-lnk_sm-team_93910e61392e871b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">6f6e14b4449c0518258beb5a40ad7203<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/7882796fdae0043153aa75576e5d0b35\/?icid=gl_sl_opentip-lnk_sm-team_4dfb020b07bb0017&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">7882796fdae0043153aa75576e5d0b35<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/7c3e70937da7721dd1243638b467cff1\/?icid=gl_sl_opentip-lnk_sm-team_ef1ebb92139fcb40&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">7c3e70937da7721dd1243638b467cff1<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/9ddd621daab4c4bc811b7c1990d7e9ea\/?icid=gl_sl_opentip-lnk_sm-team_e92fbe1f7012a746&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">9ddd621daab4c4bc811b7c1990d7e9ea<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/a0f775dd99108cb3b76953e25f5cdae4\/?icid=gl_sl_opentip-lnk_sm-team_61b6a939874b2fdd&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">a0f775dd99108cb3b76953e25f5cdae4<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/b841debc5307afc8a4592ea60d64de14\/?icid=gl_sl_opentip-lnk_sm-team_b49e0cbecf8f60e4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">b841debc5307afc8a4592ea60d64de14<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/c57de69b401eb58c0aad786531c02c28\/?icid=gl_sl_opentip-lnk_sm-team_a91e3ff895997c7f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">c57de69b401eb58c0aad786531c02c28<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ca59e49878bcf2c72b99d15c98323bcd\/?icid=gl_sl_opentip-lnk_sm-team_996dc866685718f6&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ca59e49878bcf2c72b99d15c98323bcd<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/d07eb2db2621c425bda0f046b736e372\/?icid=gl_sl_opentip-lnk_sm-team_0305b0df510b0276&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">d07eb2db2621c425bda0f046b736e372<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/d4be9b2b73e565b1181118cb7f44a102\/?icid=gl_sl_opentip-lnk_sm-team_2402092c48d6f33b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">d4be9b2b73e565b1181118cb7f44a102<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/d9aecc9d4bf1d4b39aa551f3a1bcc6b7\/?icid=gl_sl_opentip-lnk_sm-team_7574e76207d9e413&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">d9aecc9d4bf1d4b39aa551f3a1bcc6b7<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/e9bed47953986f90e814ed5ed25b010c\/?icid=gl_sl_opentip-lnk_sm-team_63609339636f9658&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">e9bed47953986f90e814ed5ed25b010c<\/a><\/p>\n<p><strong>Applications infected with Nova clicker<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/0bc94bc4bc4d69705e4f08aaf0e976b3\/?icid=gl_sl_opentip-lnk_sm-team_6d115a1781815fab&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">0bc94bc4bc4d69705e4f08aaf0e976b3<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/1276480838340dcbc699d1f32f30a5e9\/?icid=gl_sl_opentip-lnk_sm-team_ac2b3819879936c8&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">1276480838340dcbc699d1f32f30a5e9<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/15fb99660dbd52d66f074eaa4cf1366d\/?icid=gl_sl_opentip-lnk_sm-team_3808e94a0de4a44d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">15fb99660dbd52d66f074eaa4cf1366d<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/2dca15e9e83bca37817f46b24b00d197\/?icid=gl_sl_opentip-lnk_sm-team_36115775634c6663&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">2dca15e9e83bca37817f46b24b00d197<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/350313656502388947c7cbcd08dc5a95\/?icid=gl_sl_opentip-lnk_sm-team_ebbd975f1a5dc52b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">350313656502388947c7cbcd08dc5a95<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/3e36ffda0a946009cb9059b69c6a6f0d\/?icid=gl_sl_opentip-lnk_sm-team_6f76bb68c9522b0e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">3e36ffda0a946009cb9059b69c6a6f0d<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/5b0726d66422f76d8ba4fbb9765c68f6\/?icid=gl_sl_opentip-lnk_sm-team_8ae99815c8efbca9&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">5b0726d66422f76d8ba4fbb9765c68f6<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/68b64bf1dea3eb314ce273923b8df510\/?icid=gl_sl_opentip-lnk_sm-team_1d8dd73e52574ee4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">68b64bf1dea3eb314ce273923b8df510<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/9195454da9e2cb22a3d58dbbf7982be8\/?icid=gl_sl_opentip-lnk_sm-team_e078f555dcd714f9&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">9195454da9e2cb22a3d58dbbf7982be8<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/a4a6ff86413b3b2a893627c4cff34399\/?icid=gl_sl_opentip-lnk_sm-team_331d6a1a1a400bbf&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">a4a6ff86413b3b2a893627c4cff34399<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/b163fa76bde53cd80d727d88b7b1d94f\/?icid=gl_sl_opentip-lnk_sm-team_bfa41265dde108ba&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">b163fa76bde53cd80d727d88b7b1d94f<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ba0a349f177ffb3e398f8c780d911580\/?icid=gl_sl_opentip-lnk_sm-team_c73946ee4475b38d&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ba0a349f177ffb3e398f8c780d911580<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/bba23f4b66a0e07f837f2832a8cd3bd4\/?icid=gl_sl_opentip-lnk_sm-team_9c3b47699fde4c80&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">bba23f4b66a0e07f837f2832a8cd3bd4<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/d6ebc5526e957866c02c938fc01349ee\/?icid=gl_sl_opentip-lnk_sm-team_a56056d549081d60&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">d6ebc5526e957866c02c938fc01349ee<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ec7ab99beb846eec4ecee232ac0b3246\/?icid=gl_sl_opentip-lnk_sm-team_886b5714311cf20e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ec7ab99beb846eec4ecee232ac0b3246<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ef119626a3b07f46386e65de312cf151\/?icid=gl_sl_opentip-lnk_sm-team_3142445db083a5f5&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ef119626a3b07f46386e65de312cf151<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/fcaeadbee39fddc907a3ae0315d86178\/?icid=gl_sl_opentip-lnk_sm-team_a8fbec7c56de8870&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">fcaeadbee39fddc907a3ae0315d86178<\/a><\/p>\n<p><strong>Payload CDN<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ubkt1x.oss-us-west-1.aliyuncs.com\/?icid=gl_sl_opentip-lnk_sm-team_b7a1742a8a834c22&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ubkt1x.oss-us-west-1.aliyuncs[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/m-file-us.oss-us-west-1.aliyuncs.com\/?icid=gl_sl_opentip-lnk_sm-team_ebeed7657d5d7c07&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">m-file-us.oss-us-west-1.aliyuncs[.]com<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/pkg-czu.istaticfiles.com\/?icid=gl_sl_opentip-lnk_sm-team_11ae191c94ed5212&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">pkg-czu.istaticfiles[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/pkgu.istaticfiles.com\/?icid=gl_sl_opentip-lnk_sm-team_d3a475343b46e8af&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">pkgu.istaticfiles[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/app-download.cn-wlcb.ufileos.com\/?icid=gl_sl_opentip-lnk_sm-team_adf49b6aec75cddc&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">app-download.cn-wlcb.ufileos[.]com<\/a><\/p>\n<p><strong>C2 servers<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/110.34.191.81\/?icid=gl_sl_opentip-lnk_sm-team_af39fb55db37fb65&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">110.34.191[.]81<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/110.34.191.82\/?icid=gl_sl_opentip-lnk_sm-team_010d1e35d1f8f2a0&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">110.34.191[.]82<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/67.198.232.4\/?icid=gl_sl_opentip-lnk_sm-team_9fdbcaa10e2382a2&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">67.198.232[.]4<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/67.198.232.187\/?icid=gl_sl_opentip-lnk_sm-team_830a5113c1e45292&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">67.198.232[.]187<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/fbsimg.com\/?icid=gl_sl_opentip-lnk_sm-team_625d1c141b4d317a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">fbsimg[.]com<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/tmgstatic.com\/?icid=gl_sl_opentip-lnk_sm-team_e676faf2d22873f8&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">tmgstatic[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/gbugreport.com\/?icid=gl_sl_opentip-lnk_sm-team_863c6625c2d63f59&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">gbugreport[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/aifacecloud.com\/?icid=gl_sl_opentip-lnk_sm-team_5e6daa7c36b0e916&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">aifacecloud[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/goaimb.com\/?icid=gl_sl_opentip-lnk_sm-team_ea77181382dcb22e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">goaimb[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/proczone.com\/?icid=gl_sl_opentip-lnk_sm-team_8b40d84e766c543b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">proczone[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/gvvt1.com\/?icid=gl_sl_opentip-lnk_sm-team_a13ca16738036c76&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">gvvt1[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/dllpgd.click\/?icid=gl_sl_opentip-lnk_sm-team_2ef018504c99b8fe&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">dllpgd[.]click<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/fbgraph.com\/?icid=gl_sl_opentip-lnk_sm-team_e9b84e8527aec732&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">fbgraph[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/newsroomlabss.com\/?icid=gl_sl_opentip-lnk_sm-team_7506010a653d848f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" 
rel=\"noopener\">newsroomlabss[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/sliidee.com\/?icid=gl_sl_opentip-lnk_sm-team_70cc0163c452cf9a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">sliidee[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/keepgo123.com\/?icid=gl_sl_opentip-lnk_sm-team_3e44efd4de0d0e38&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">keepgo123[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/gsonx.com\/?icid=gl_sl_opentip-lnk_sm-team_9dfe669838082f0f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">gsonx[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/gmsstatic.com\/?icid=gl_sl_opentip-lnk_sm-team_64b8d14fd2807132&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">gmsstatic[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/ytimg2.com\/?icid=gl_sl_opentip-lnk_sm-team_1ef0f72440044007&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">ytimg2[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/glogstatic.com\/?icid=gl_sl_opentip-lnk_sm-team_a84d5bda06c7335e&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">glogstatic[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/gstatic2.com\/?icid=gl_sl_opentip-lnk_sm-team_3f6efdb0fe33b229&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">gstatic2[.]com<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/uscelluliar.com\/?icid=gl_sl_opentip-lnk_sm-team_9030f35f84ab064b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">uscelluliar[.]com<\/a><br \/>\n<a 
href=\"https:\/\/opentip.kaspersky.com\/playstations.click\/?icid=gl_sl_opentip-lnk_sm-team_d611c0db530a7fcd&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">playstations[.]click<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In April 2025, we reported on a then-new iteration of the Triada backdoor that had compromised the firmware of counterfeit Android devices sold across major marketplaces. The malware was deployed to the system partitions and hooked into Zygote \u2013 the parent process for all Android apps \u2013 to infect any app on the device. This [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[663,668,661,90,662,667,99,232,233,664,670,666,236,665,669],"tags":[91],"class_list":["post-1343","post","type-post","status-publish","format-standard","hentry","category-adware","category-badbox","category-botnets","category-cybersecurity","category-google-android","category-keenadu","category-malware","category-malware-descriptions","category-malware-technologies","category-mobile-malware","category-mobile-threats","category-triada","category-trojan","category-trojan-clicker","category-vo1d","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link 
rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"In April 2025, we reported on a then-new iteration of the Triada backdoor that had compromised the firmware of counterfeit Android devices sold across major marketplaces. The malware was deployed to the system partitions and hooked into Zygote \u2013 the parent process for all Android apps \u2013 to infect any app on the device. This [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-17T09:12:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/17072352\/SL-Keenadu-featured-990x400.jpg\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"35 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets\",\"datePublished\":\"2026-02-17T09:12:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/\"},\"wordCount\":6730,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/17072352\/SL-Keenadu-featured-990x400.jpg\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Adware\",\"BADBOX\",\"Botnets\",\"Cybersecurity\",\"Google Android\",\"Keenadu\",\"Malware\",\"Malware descriptions\",\"Malware Technologies\",\"Mobile Malware\",\"Mobile threats\",\"Triada\",\"Trojan\",\"Trojan 
Clicker\",\"Vo1d\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/\",\"name\":\"Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/17072352\/SL-Keenadu-featured-990x400.jpg\",\"datePublished\":\"2026-02-17T09:12:14+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#primaryimage\",\"url\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/17072352\/SL-Keen
adu-featured-990x400.jpg\",\"contentUrl\":\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/17072352\/SL-Keenadu-featured-990x400.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/","og_locale":"en_US","og_type":"article","og_title":"Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets - Imperative Business Ventures Limited","og_description":"In April 2025, we reported on a then-new iteration of the Triada backdoor that had compromised the firmware of counterfeit Android devices sold across major marketplaces. The malware was deployed to the system partitions and hooked into Zygote \u2013 the parent process for all Android apps \u2013 to infect any app on the device. This [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-02-17T09:12:14+00:00","og_image":[{"url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/17072352\/SL-Keenadu-featured-990x400.jpg","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. 
reading time":"35 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets","datePublished":"2026-02-17T09:12:14+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/"},"wordCount":6730,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/17072352\/SL-Keenadu-featured-990x400.jpg","keywords":["Cybersecurity"],"articleSection":["Adware","BADBOX","Botnets","Cybersecurity","Google Android","Keenadu","Malware","Malware descriptions","Malware Technologies","Mobile Malware","Mobile threats","Triada","Trojan","Trojan Clicker","Vo1d"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/","name":"Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets - Imperative Business Ventures 
Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#primaryimage"},"thumbnailUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/17072352\/SL-Keenadu-featured-990x400.jpg","datePublished":"2026-02-17T09:12:14+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#primaryimage","url":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/17072352\/SL-Keenadu-featured-990x400.jpg","contentUrl":"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/17072352\/SL-Keenadu-featured-990x400.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/17\/divide-and-conquer-how-the-new-keenadu-backdoor-exposed-links-between-major-android-botnets\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Divide and conquer: how the new Keenadu backdoor exposed links between major Android 
botnets"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=1343"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1343\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=1343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=1343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-jso
n\/wp\/v2\/tags?post=1343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}