Supply Chain Attack Embeds Malware in Android Devices

Summary

Security researchers at Kaspersky have discovered a firmware-level Android backdoor they call “Keenadu” that arrives preinstalled on devices from multiple (mostly smaller) vendors as a result of a supply‑chain compromise. Because the malicious component is integrated into the firmware and loaded by Android’s Zygote process (the parent from which every app process is forked), Keenadu ends up injected into every app on an infected device and can run stealthy payloads that hijack browser searches, commit ad fraud, intercept app installs, and more.

Kaspersky estimates roughly 13,000 infected devices (highest counts in Russia, then Japan, Germany, Brazil and the Netherlands). Operators are currently using Keenadu for large-scale ad fraud, but the malware can grant full remote control of affected devices. The investigation also reveals links between Keenadu and major Android botnets such as BADBOX, Triada and Vo1d. Kaspersky has published indicators of compromise and remediation guidance: replace compromised firmware, uninstall or disable infected system apps, and stop using devices that arrived preloaded with the backdoor until firmware is cleaned or replaced.

Key Points

  • Keenadu is a firmware‑level backdoor introduced via a supply‑chain compromise of a firmware dependency.
  • Integration with Android’s Zygote process causes the malware to be copied into every app on infected devices.
  • About 13,000 devices have been flagged; most affected users are in Russia, followed by Japan, Germany, Brazil and the Netherlands.
  • Keenadu acts as a multistage loader that downloads modules for ad fraud, search hijacking, shopping‑cart manipulation, and app‑install interception.
  • It is currently used for ad fraud (automated clicks, fake installs), but it can be repurposed for full remote access and data theft.
  • Infections arrive both preloaded on devices and via compromised over‑the‑air updates or trojanised system apps and modified store apps.
  • Kaspersky found operational links between Keenadu and major Android botnets (BADBOX, Triada, Vo1d), indicating coordination across malware ecosystems.
  • Remediation: replace firmware if the device was shipped with Keenadu; otherwise uninstall or disable infected system apps and remove tainted apps from third‑party stores. Kaspersky provides IoCs for detection.

Context and relevance

Firmware and supply‑chain attacks are among the hardest to detect and remediate because they can be baked into devices before users ever power them on. Keenadu’s use of the Zygote process mirrors previous high‑profile Android firmware threats and demonstrates that ad‑fraud is often just the low‑risk first use case — the same foothold can be escalated to espionage, banking theft or full device takeover. The revealed connections to BADBOX, Triada and Vo1d suggest a consolidating mobile threat ecosystem where infrastructure and payloads are shared, increasing scale and sophistication. Organisations issuing devices to employees, resellers and consumers should treat firmware integrity and vendor supply‑chain security as top priorities.

For defenders: prioritise inventorying device vendors, validating firmware images, applying vendor patches only from trusted channels, and scanning for the IoCs Kaspersky published. For users: if a device arrived with suspicious firmware, stop using it and contact the vendor; where infections sit in system apps, seek clean replacements or disable the app; uninstall any app you obtained from a third‑party store that looks suspicious.

Why should I read this?

Short answer: because this isn’t just another dodgy app — it’s malware built into device firmware and copied into every app via Zygote. If you manage phones for staff, buy devices in bulk, or install apps from smaller vendors, this matters right now. We’ve stripped out the noise: Keenadu is already live on thousands of phones, tied to big‑name botnet infrastructure, and it’s trivially repurposable from ad‑fraud to full device takeover. Read the details so you can check your fleet and patch or quarantine anything risky.

Source

Source: https://www.darkreading.com/mobile-security/supply-chain-attack-embeds-malware-android-devices