According to new research from Kaspersky, a new Android backdoor that is deeply embedded in device firmware can silently collect data and remotely manipulate the device's behavior. This article explores what is known about the Keenadu firmware backdoor. According to the Russian cybersecurity vendor, the compromise happened during the firmware build phase, and the backdoor, known as Keenadu, was found in the firmware of devices from multiple brands, including Alldocube.
Keenadu has been found in the firmware of the Alldocube iPlay 50 mini Pro since August 18, 2023. In every instance, the firmware files carry legitimate digital signatures, and the backdoor is integrated into the tablet firmware itself. The names of the other affected vendors were not disclosed. Each payload object includes the payload's MD5 hash, the target app package names, the target process names, and other metadata, along with a download link.
Notably, the attackers used Amazon AWS as their CDN provider. Below is a list of some of the malicious modules that have been found:

- Keenadu loader: targets well-known online retailer apps such as Amazon, Shein, and Temu in order to deliver as-yet-unknown payloads. It is believed that these payloads add goods to the apps' shopping carts without the victim's awareness.
- Clicker loaders: injected into YouTube, Facebook, Google Digital Wellbeing, and Android System launchers to deliver payloads that interact with advertising elements on websites specializing in gaming, recipes, and news.
- Google Chrome module: abuses the Chrome browser to divert search queries to an alternative search engine.
"The malware developers have a thorough understanding of the Android architecture, the app startup procedure, and the fundamental security principles of the operating system, and this is still true for Keenadu. Keenadu is a sophisticated, extensive malware platform that gives attackers complete control over the victim's device. We do not rule out the possibility that the malware will eventually start stealing credentials, even though we have demonstrated that the backdoor is primarily used for different forms of ad fraud."