Keenadu Android malware

Keenadu is an advanced new Android backdoor that gives attackers remote control of victims' phones and tablets. It infects device firmware during the build process and also propagates through apps on Google Play. Kaspersky's thorough analysis, published on February 16, 2026, shows how this threat mimics the Triada Trojan by infiltrating the Zygote process and thereby compromising every app that is launched.

Kaspersky covered Triada's firmware compromise of fake Android devices, in which it exfiltrated credentials through Zygote infection, in April 2025. Deeper investigation led to the discovery of Keenadu in firmware from vendors such as Alldocube. During firmware compilation, the backdoor inserts a malicious static library, libVndxUtils.a (MD5: ca98ae7ab25ce144927a46b7fee6bd21), into libandroid_runtime.so.

Once deployed, usually through OTA updates, it establishes a client-server architecture, with AKServer running in system_server and AKClient in apps; it loads payloads via DexClassLoader into /data/dalvik-cache/ and decrypts them with RC4.

Payloads and Infection Chain

Infection Mechanics

Keenadu's dropper lives in libandroid_runtime.so. It decrypts and runs com.ak.test.Main by modifying the println_native method to invoke __log_check_tag_count. After its kill-switch checks, during which it skips Google, Sprint, and T-Mobile apps, it uses Binder IPC for inter-process control.

MainWorker queries C2 servers whose addresses are decrypted with AES-128 (the key is derived from the MD5 of "ota.host.ba60d29da7fd4794b5c5f732916f7d5c"), while AKServer exposes interfaces for permission grants and revocations, geolocation, and data exfiltration. According to the Kaspersky report, the intercepted payloads target launchers (install monetization via session tracking), browsers (Chrome search hijacking by monitoring the url_bar), and shopping apps (APK loaders aimed at Amazon, SHEIN, and Temu).

Some modules in the backdoor's execution flow, such as Nova/Phantom Clicker, use ML and WebRTC for ad fraud; others integrate with launchers or with facial recognition (com.aiworks.faceidservice, MD5: d840a70f2610b78493c41b1a344b6893). Before execution, payloads are AES-decrypted, checked against an MD5, and verified with a DSA signature. The supply chain compromise is unmistakable: signed Alldocube firmware images (such as the iPlay 50 mini Pro T811M build from August 2023) carry the backdoor, and source paths like D:\work\git\zh\os\ak-client expose developer artifacts.

Google Play Apps

Kaspersky telemetry detects infections beyond Alldocube tablets: standalone apps on Google Play and Xiaomi GetApps (such as smart camera software with over 300,000 downloads) embed modules like Nova Clicker through services such as com.arcsoft.closeli.service and KucopdInitService. Google removed these apps after being notified.

Connectivity and Indicators

Kaspersky detects the variants under the verdicts HEUR:Backdoor.AndroidOS.Keenadu.*, Trojan-Downloader.AndroidOS.Keenadu.*, Trojan-Dropper.AndroidOS.Keenadu.*, and AndroidOS.Gegu.*.

Indicators of compromise:

MD5: ca98ae7ab25ce144927a46b7fee6bd21 (libVndxUtils.a, malicious static library)
MD5: 4c4ca7a2a25dbe15a4a39c11cfef2fb2 (Keenadu loader module)
MD5: 912bc4f756f18049b241934f62bfb06c (Chrome hijacker)
MD5: f0184f6955479d631ea1b1ea0f38a35d (Nova/Phantom clicker)
IP: 67.198.232.4, 67.198.232.187 (C2 resolutions)
Domain: keepgo123.com, gsonx.com (early C2 domains)
Path: /ak/api/pts/v4 (C2 endpoint)

Keenadu is linked to the Triada, BADBOX, and Vo1d botnets through payload drops, overlapping C2 infrastructure (such as zcnewy[.]com), and shared code. Triada shares its credential stealers, while BADBOX deploys Keenadu loaders.
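As an added example (not code from Kaspersky's report or from this article), the Python script below sweeps an extracted firmware tree for the MD5 hashes in the table above and for the indicator strings the article names: the ak-client build path, the com.ak.test.Main entry class, the C2 endpoint path and the early C2 domains. The two sample files it creates are constructed for the demo.

```python
import hashlib
import os
import tempfile

# MD5s from the indicator table above (the article publishes MD5, so the sweep uses MD5).
KNOWN_MD5 = {
    "ca98ae7ab25ce144927a46b7fee6bd21": "libVndxUtils.a (malicious static library)",
    "4c4ca7a2a25dbe15a4a39c11cfef2fb2": "Keenadu loader module",
    "912bc4f756f18049b241934f62bfb06c": "Chrome hijacker",
    "f0184f6955479d631ea1b1ea0f38a35d": "Nova/Phantom clicker",
}

# Strings the article reports inside infected artifacts.
INDICATOR_STRINGS = [
    b"D:\\work\\git\\zh\\os\\ak-client",  # developer build path left in the binary
    b"com.ak.test.Main",                  # entry class of the decrypted payload
    b"/ak/api/pts/v4",                    # C2 endpoint path
    b"keepgo123.com",                     # early C2 domain
    b"gsonx.com",                         # early C2 domain
]

def scan_tree(root):
    """Walk an extracted firmware tree; return (path, reason) pairs for every hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()  # whole-file read is fine for the demo; chunk real images
            digest = hashlib.md5(data).hexdigest()
            if digest in KNOWN_MD5:
                hits.append((path, "md5 match: " + KNOWN_MD5[digest]))
            for needle in INDICATOR_STRINGS:
                if needle in data:
                    hits.append((path, "string: " + needle.decode()))
    return hits

def build_sample_tree():
    """Constructed sample: a clean library next to a runtime library carrying two indicators."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "system", "lib64")
    os.makedirs(lib)
    with open(os.path.join(lib, "libc.so"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 64)
    with open(os.path.join(lib, "libandroid_runtime.so"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 16
                 + b"D:\\work\\git\\zh\\os\\ak-client\x00/ak/api/pts/v4\x00")
    return root
```

Point scan_tree() at the root of an unpacked image; on the constructed sample it flags only libandroid_runtime.so, once for each embedded indicator string.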

There are 13,715 victims worldwide, with Brazil, Germany, Japan, and Russia having the highest numbers. Update the firmware if a clean version exists; disable compromised system apps using ADB (e.g., pm disable com.aiworks.faceidservice; note that on a non-rooted device the adb shell can typically only run pm disable-user --user 0 <package>); remove sideloaded apps; and refrain from using the device until it has been patched. This threat highlights firmware supply chain risks and the need for vendor audits.