Researchers have discovered new malware that infects every app on compromised systems and gives attackers virtually unfettered remote access to them. The malware is embedded in the firmware of Android devices from various vendors.
Kaspersky discovered the malware, known as "Keenadu," while searching for firmware-level Android threats such as the Triada remote access Trojan (RAT), which steals data from communication and banking apps. Like Triada, Keenadu was found by Kaspersky to be pre-installed on Android devices from a number of manufacturers, most of them small. The company has informed each of these manufacturers of the compromise.

## A Danger at the Firmware Level

According to the security vendor, "a supply chain attack led to Keenadu being incorporated into the firmware of Android devices."
"A malicious dependency was introduced into the source code as a result of a compromise in one step of the firmware supply chain." As was the case with Triada, Android's "Zygote" master process uses this compromised file, which means that the malware is automatically copied into every application that runs on a compromised device. According to Kaspersky, "the vendors might not have realized their devices were compromised before they were put on the market."
As of February, approximately 13,000 Android devices were infected with Keenadu, according to Kaspersky. Russia has the most impacted users, followed by Brazil, Germany, Japan, and the Netherlands.
In certain instances, the compromised software was distributed to users through standard over-the-air security updates, while in other cases, the compromised software was preloaded onto devices. The malware is particularly dangerous because its creators can spread it not only through weaponized firmware but also through modified versions of well-known apps available on official stores like Google Play and Xiaomi GetApps, as well as through system apps like launcher apps and facial recognition services. Keenadu functions as a multistage loader, downloading payloads to perform various tasks without the user's knowledge, such as adding items to shopping carts, committing advertising fraud, and hijacking browser searches.
Kaspersky discovered three modules: one that targets popular e-commerce sites like Amazon, Shein, and Temu; another that tracks every Google Chrome query; and a third that can intercept the installation of applications and send tracking links to advertising platforms that claim credit for those installs. Kaspersky claims that the malware's creators are currently using it only for ad fraud, which involves using compromised devices to click on ads covertly and earning money for each click. However, the company cautioned that the malware can also be used by the attackers to gain total remote control of the compromised devices.
## Associated with Other Significant Android Botnets?
Indicators of compromise have been made available by Kaspersky to assist impacted users in determining whether their devices are compromised. The only way to fix a device that may have had Keenadu preloaded at the firmware level is to completely replace the firmware. Kaspersky advised users to cease using the compromised device until that time.
When Keenadu appears in a system app on a device rather than in the firmware, users should try to find a clean alternative. If none is available, Kaspersky advised them to completely disable the compromised application to stop it from operating. Users who may have downloaded an infected app from a third-party store can lessen the risk by simply uninstalling it.