According to security vendor Kaspersky, while tracking the Triada Trojan, which had previously been found pre-installed on low-priced Android devices, its researchers discovered a further firmware-level backdoor, named "Keenadu", that has infected a large number of devices worldwide and is designed to run in the lowest layers of the Android system without the user's knowledge.

Kaspersky said that Keenadu appears in the firmware of many (mostly unnamed) brands of Android tablets, and that its implantation method resembles Triada's: during the firmware build, a malicious static library is linked into the system library libandroid_runtime.so, so the implant is already in place before the device leaves the factory. When the device boots, the malicious code is loaded into the Zygote process together with libandroid_runtime.so; because Zygote is the parent process from which Android forks every subsequent system and application process, the backdoor is present in each app the user or the system launches, giving it deep and broad persistence.
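Because the implant is statically linked into libandroid_runtime.so rather than loaded as a separate library, it leaves no new DT_NEEDED entry to look for; what it cannot avoid is changing the library itself (a different hash, a larger .text and, if it needs to run at load time, extra constructor entries in .init_array). The script below is an added example, not Kaspersky's code or any vendor's tooling: it parses the ELF64 section table of a known-good copy of the library and of a copy pulled from a device, and reports the differences. The function names (`parse_sections`, `compare_library`, `build_sample_elf`) are this example's own, and the two ELF images it compares are constructed in-line so that it runs offline; they are not real firmware. It assumes the analyst has a trustworthy baseline, for example the vendor's published firmware archive, to compare against.

```python
"""Compare a system library pulled from a device against a known-good copy.

Added example for the firmware-implant technique described above; it is not
the vendor's or Kaspersky's tooling. Sample ELF images are constructed
in-line and are not real firmware.
"""
import hashlib
import struct

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 file header, little-endian, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"         # ELF64 section header, 64 bytes
SHT_PROGBITS, SHT_STRTAB, SHT_INIT_ARRAY = 1, 3, 14


def parse_sections(blob: bytes) -> dict:
    """Return {section_name: (sh_type, sh_size, sh_entsize)} for an ELF64 image."""
    ident = blob[:16]
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not an ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, blob, 0)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = fields[6], fields[11], fields[12], fields[13]
    hdrs = [struct.unpack_from(SHDR_FMT, blob, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    # Section names are stored in the string table section indexed by e_shstrndx
    strtab_off, strtab_size = hdrs[e_shstrndx][4], hdrs[e_shstrndx][5]
    strtab = blob[strtab_off:strtab_off + strtab_size]
    sections = {}
    for sh_name, sh_type, _flags, _addr, _off, sh_size, _link, _info, _align, sh_entsize in hdrs:
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        sections[name] = (sh_type, sh_size, sh_entsize)
    return sections


def init_array_count(sections: dict) -> int:
    """Number of load-time constructors: each .init_array entry is one function pointer."""
    entry = sections.get(".init_array")
    if entry is None:
        return 0
    _sh_type, sh_size, sh_entsize = entry
    return sh_size // (sh_entsize or 8)


def compare_library(baseline: bytes, candidate: bytes) -> dict:
    """Diff a known-good library image against a copy pulled from a device."""
    base, cand = parse_sections(baseline), parse_sections(candidate)
    return {
        "sha256_match": hashlib.sha256(baseline).digest() == hashlib.sha256(candidate).digest(),
        "added_sections": sorted(set(cand) - set(base)),
        "removed_sections": sorted(set(base) - set(cand)),
        # Sections present in both images whose size changed (e.g. a grown .text)
        "size_changes": {n: (base[n][1], cand[n][1]) for n in base if n in cand and base[n][1] != cand[n][1]},
        "init_array": (init_array_count(base), init_array_count(cand)),
    }


def build_sample_elf(text: bytes, init_array_entries: int) -> bytes:
    """Construct a minimal ELF64 image with .text, .init_array and .shstrtab (test input only)."""
    names = b"\0.text\0.init_array\0.shstrtab\0"
    off_text = 64
    off_init = off_text + len(text)
    off_names = off_init + 8 * init_array_entries
    body = text + b"\0" * (8 * init_array_entries) + names
    shoff = (64 + len(body) + 7) & ~7                 # section header table, 8-byte aligned
    body += b"\0" * (shoff - 64 - len(body))
    # e_type=ET_DYN, e_machine=AArch64, no program headers, 4 section headers, names in #3
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       3, 0xB7, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    shdrs = struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += struct.pack(SHDR_FMT, names.index(b".text"), SHT_PROGBITS, 6, 0, off_text, len(text), 0, 0, 4, 0)
    shdrs += struct.pack(SHDR_FMT, names.index(b".init_array"), SHT_INIT_ARRAY, 3, 0, off_init,
                         8 * init_array_entries, 0, 0, 8, 8)
    shdrs += struct.pack(SHDR_FMT, names.index(b".shstrtab"), SHT_STRTAB, 0, 0, off_names, len(names), 0, 0, 1, 0)
    return ehdr + body + shdrs


if __name__ == "__main__":
    # Constructed inputs: a "vendor" image with two constructors and a grown copy with three
    good = build_sample_elf(b"\x1f\x20\x03\xd5" * 16, 2)
    suspect = build_sample_elf(b"\x1f\x20\x03\xd5" * 24, 3)
    print(compare_library(good, suspect))
```

On a real device the candidate is `/system/lib64/libandroid_runtime.so` pulled with `adb pull`, and the baseline is the same file extracted from the vendor's firmware image. One caveat follows directly from the article's supply-chain scenario: if the implant entered the build before the vendor's published archive was produced, that archive is itself tainted, and a matching hash only proves that the device runs what the vendor shipped, not that the library is clean.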

The backdoor uses a multi-stage architecture that gives its operators "almost unrestricted" remote control of the infected device and lets them deliver different malicious payloads for multiple tasks. Observed payload capabilities include tampering with the browser's search engine, monetising the device by promoting new app installs, and carrying out more covert advertising interactions. Researchers also found traces of it in apps distributed through Google Play, Xiaomi GetApps and third-party app stores.

As for the source, Kaspersky said it cannot yet determine the initial point of entry. The likelier scenario is that attackers compromised key stages of the supply chain of several Android tablets, so that the malicious library was written into the firmware before the products reached the market. The investigation also traced clues back to tablet manufacturer Alldocube: the manufacturer publishes its firmware archives, which made security review possible, and Kaspersky used them for further correlation analysis.

According to Kaspersky telemetry, a total of 13,715 users worldwide have been affected by Keenadu and one of its malicious modules, with infections concentrated in Russia, Japan, Germany, Brazil and the Netherlands. Kaspersky has warned the manufacturers concerned and recommends that users install Android security updates as soon as manufacturers push patches. Because the implant lives in a system library on the read-only system partition, uninstalling apps or performing a factory reset (which only wipes user data) does not remove it; only a clean firmware image from the vendor does. The incident again highlights that attackers are increasingly exploiting the complexity of Android's core architecture and security mechanisms to move malicious capabilities into system layers that are harder to detect and remove.