  • In April 2025, we reported on a then-new iteration of the Triada backdoor that had compromised the firmware of counterfeit Android devices sold across major marketplaces.
  • The malware was deployed to the system partitions and hooked into Zygote - the parent process for all Android apps - to infect any app on the device.
  • This allowed the Trojan to exfiltrate credentials from messaging apps and social media platforms, among other things.
  • This discovery prompted us to dive deeper, looking for other Android firmware-level threats.
  • Our investigation uncovered a new backdoor, dubbed Keenadu, which mirrored Triada's behavior by embedding itself into the firmware to compromise every app launched on the device.
  • Keenadu proved to have a significant footprint; following its initial detection, we saw a surge in support requests from our users seeking further information about the threat.

Article Summaries:

  • In April 2025, security researchers uncovered a new firmware-level Android backdoor, dubbed Keenadu, that mirrors the Triada malware's tactics. Keenadu is embedded during the firmware build by linking a malicious static library into libandroid_runtime.so, then injects itself into the Zygote process to compromise every launched app. The loader can remotely control devices, hijack browser search engines, monetize app installs, and manipulate ad elements. Investigations revealed Keenadu's presence in OTA updates, critical system utilities, and even in apps from official stores and third-party repositories. The team linked Keenadu to major botnets (Triada, BADBOX, Vo1d), highlighting a broader threat network.