Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates

By Azhar Khan

Security researchers at Kaspersky have uncovered a sophisticated Android firmware backdoor dubbed “Keenadu” that is embedded directly into device firmware and delivered via signed over-the-air (OTA) updates. The discovery highlights a serious supply chain security risk affecting Android tablets worldwide.

Unlike typical mobile malware, Keenadu operates at the firmware level, making it significantly more persistent and difficult to remove.

Injected into Core Android Runtime

Keenadu is injected into libandroid_runtime.so, a critical system library, and executes within the Android Zygote process. Because Zygote is responsible for launching application processes, code embedded at this level gains deep system privileges and wide operational visibility.

This design enables the malware to operate stealthily across the system without relying on traditional app-based infection vectors.

Client-Server Architecture

The backdoor uses a modular client-server architecture composed of AKServer and AKClient components. This framework allows attackers to dynamically load malicious modules onto infected devices.

Through this architecture, operators can:

  • Harvest sensitive user data
  • Execute remote commands
  • Deploy additional payloads
  • Maintain long-term persistence

Delivered via Signed OTA Updates

One of the most concerning aspects of Keenadu is its delivery mechanism. The malicious code was embedded within officially signed firmware updates, meaning devices received the backdoor through what appeared to be legitimate OTA updates.

This delivery path sidesteps conventional security checks and user suspicion alike, since firmware updates are generally trusted and installed automatically.

Observed in Alldocube Devices

Kaspersky researchers identified the backdoor in firmware associated with tablets from Alldocube and at least one other undisclosed vendor. The infection appears to stem from a compromised firmware supply chain rather than user action.

More than 13,700 users worldwide have been impacted based on telemetry data.

Impact and Risks

Firmware-level backdoors pose a particularly severe threat because they survive factory resets and may not be detectable by conventional mobile security tools. Attackers with control at this level can access user data, intercept communications, and potentially pivot into connected networks.

Such compromises are especially concerning in enterprise environments where tablets are used for business operations.

Supply Chain Security Concerns

The Keenadu discovery underscores ongoing risks in the Android device supply chain, particularly when third-party vendors or firmware integrators are involved. If malicious code is introduced before devices reach consumers, mitigation becomes significantly more complex.

Organizations deploying Android tablets should verify firmware integrity, monitor vendor advisories, and apply trusted firmware updates only from validated sources.
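One way to carry out the firmware integrity check recommended above, as an added example that is not code from Kaspersky's report or from this article: it hashes every file in an extracted system image, diffs the result against a vendor-supplied hash manifest, and flags the Zygote runtime library the backdoor hides in separately. The manifest format, the `CRITICAL` set, and the sample files in `demo()` are assumptions constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths of the Zygote runtime library the article names; any change here is
# flagged as critical. The tiering is an assumption for this example.
CRITICAL = {"system/lib64/libandroid_runtime.so", "system/lib/libandroid_runtime.so"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to the extracted image root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def verify_image(root: Path, baseline: dict) -> dict:
    """Diff an extracted image against a vendor hash manifest (path -> sha256)."""
    actual = hash_tree(root)
    modified = sorted(k for k in baseline if k in actual and actual[k] != baseline[k])
    added = sorted(k for k in actual if k not in baseline)
    missing = sorted(k for k in baseline if k not in actual)
    return {"modified": modified, "added": added, "missing": missing,
            "critical": sorted(k for k in modified + added + missing if k in CRITICAL)}

def _write(root: Path, rel: str, data: bytes) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)

def demo() -> dict:
    """Constructed scenario: a clean image provides the baseline; a tampered copy is checked."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, tampered = Path(tmp, "clean"), Path(tmp, "tampered")
        for root in (clean, tampered):
            _write(root, "system/lib64/libandroid_runtime.so", b"ELF-runtime-stub")
            _write(root, "system/lib64/libc.so", b"ELF-libc-stub")
        baseline = hash_tree(clean)
        # Simulate a trojanised runtime library plus an unexpected extra module.
        _write(tampered, "system/lib64/libandroid_runtime.so", b"ELF-runtime-stub+patch")
        _write(tampered, "system/lib64/libextra.so", b"constructed-unknown-module")
        return verify_image(tampered, baseline)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline comes from the vendor's published hashes or from an image whose OTA signature you verified out of band; a hash match only proves the image equals the baseline, not that the baseline itself is clean.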

A Growing Firmware Threat Landscape

Keenadu represents a shift toward deeper, more persistent mobile threats. As attackers increasingly target firmware and system-level components, mobile security strategies must evolve beyond app-layer protections.

Supply chain transparency and firmware auditing will likely become critical pillars of mobile device security moving forward.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.