New backdoor found in Android tablets targeting users in Russia, Germany and Japan

Summary

Researchers at Kaspersky uncovered a previously undocumented firmware-level Android backdoor called Keenadu that infects tablets before they reach consumers. Embedded in device firmware, Keenadu can load into every app, giving attackers near-unrestricted control. Kaspersky recorded over 13,700 detections worldwide, with the highest counts in Russia, Japan, Germany, Brazil and the Netherlands.

The campaign primarily facilitated advertising fraud: hijacking browser search engines, monitoring app installations, interacting with advertising components to generate fraudulent revenue, and in some reports adding items to marketplace shopping carts without user consent. The backdoor was found in firmware from multiple manufacturers (Alldocube named), and some firmware updates remained infected after public disclosure. Variants ranged from firmware-embedded modules to apps (including a facial-recognition unlock app) and apps distributed through official and third-party stores.

Researchers believe the infection was introduced during the firmware build stage — a likely supply-chain compromise — and noted the malware avoids Chinese locales and devices without Google Play. Because Keenadu lives at firmware level it cannot be removed by standard Android security tools; Kaspersky recommends flashing clean firmware from trusted sources or replacing affected devices.

Key Points

  • Keenadu is a firmware-level Android backdoor discovered by Kaspersky.
  • More than 13,700 detections globally; highest in Russia, Japan, Germany, Brazil and the Netherlands.
  • Used mainly for advertising fraud: hijacks searches, monitors installs and manipulates ad components; some devices added items to shopping carts without users’ knowledge.
  • Found embedded in tablet firmware from multiple vendors (Alldocube confirmed); some updates stayed infected after disclosure.
  • Multiple variants exist: deeply embedded firmware modules, apps (including facial-recognition unlock apps) and apps on official/third-party stores.
  • Likely introduced during firmware builds — indicating a supply-chain compromise; vendors may have been unaware.
  • Designed to avoid Chinese-language/timezone devices and devices lacking Google Play Services.
  • Cannot be removed by standard Android security tools; recommended fixes are flashing clean firmware from trusted sources or replacing the device.

Context and Relevance

Firmware-level threats are among the hardest to detect and remove because they sit below the operating system. Keenadu echoes the 2025 Triada firmware campaign and underlines growing supply-chain risks for Android hardware, particularly lower-cost tablets whose firmware provenance can be unclear. This is relevant to organisations managing device fleets, procurement teams, and consumers buying devices from lesser-known vendors.
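The practical consequence of a firmware-resident component is that an uninstall from Settings or a mobile security app cannot reach it, so fleet triage starts by separating packages that live in the system image from those a user installed. The script below is an added example for this page, not Kaspersky's tooling or anything from the article: it parses the output format of `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per app) and sorts packages into firmware-resident-and-known, firmware-resident-and-unrecognised, and user-installed. The sample output, the package names and the `KNOWN_GOOD` baseline are constructed for illustration; a real baseline would come from a verified-clean image of the same device model.

```python
"""Triage helper: classify Android packages by whether they ship in the firmware image.

Added example, not from the original article. Input format follows
`adb shell pm list packages -f`; all sample data below is constructed.
"""

# Constructed sample of `pm list packages -f` output (hypothetical device, not from the article).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/product/app/Chrome/Chrome.apk=com.android.chrome
package:/vendor/app/SysHelper/SysHelper.apk=com.example.syshelper
package:/system/priv-app/UpdateService/UpdateService.apk=com.example.updateservice
package:/data/app/~~abc==/com.example.notes-1/base.apk=com.example.notes
"""

# Partitions that are part of the read-only firmware image on a stock device.
# Anything installed here cannot be removed with a normal uninstall; only a
# firmware reflash changes it.
FIRMWARE_PARTITIONS = ("/system/", "/system_ext/", "/vendor/", "/product/", "/odm/", "/oem/")

# Hypothetical baseline: packages verified on a known-clean image of the same model.
KNOWN_GOOD = {"com.android.bluetooth", "com.android.settings", "com.android.chrome"}


def parse_pm_list(text):
    """Return {package_name: apk_path} from `pm list packages -f` output.

    Splits on the last '=' because modern /data/app paths contain '=' characters
    (base64-style directory names), so splitting on the first one would be wrong.
    """
    packages = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep and pkg:
            packages[pkg] = path
    return packages


def is_firmware_resident(apk_path):
    """True if the APK lives on a firmware partition rather than in user storage."""
    return apk_path.startswith(FIRMWARE_PARTITIONS)


def triage(pm_output, baseline):
    """Bucket packages for review.

    firmware_unknown is the list to investigate: firmware-resident packages that
    the known-clean baseline does not account for. If any of them turns out to be
    unwanted, the remedy is a clean firmware image, not an uninstall.
    """
    buckets = {"firmware_known": [], "firmware_unknown": [], "user_installed": []}
    for pkg, path in sorted(parse_pm_list(pm_output).items()):
        if not is_firmware_resident(path):
            buckets["user_installed"].append(pkg)
        elif pkg in baseline:
            buckets["firmware_known"].append(pkg)
        else:
            buckets["firmware_unknown"].append(pkg)
    return buckets


if __name__ == "__main__":
    report = triage(SAMPLE_PM_OUTPUT, KNOWN_GOOD)
    for bucket, pkgs in report.items():
        print(f"{bucket}: {', '.join(pkgs) or '-'}")
```

On a real device, feed the script the captured `pm list packages -f` output instead of the constructed sample. The `firmware_unknown` bucket is a review queue, not a verdict: a vendor's legitimate preloads will land there too until they are added to the baseline, which is exactly why the baseline should be built from an image obtained directly from the vendor rather than from an already-deployed unit.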

Why should I read this?

Quick and blunt: if you use cheap Android tablets, this could already be on them before you open the box. Keenadu survives normal antivirus, screws with ads and purchases, and needs firmware reflashing or device replacement to fix — so it pays to know the details now rather than finding out the hard way later.

Source

Source: https://therecord.media/new-backdoor-found-in-android-russia-japan-brazil