CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Keenadu Android Backdoor Discovered in Firmware and Google Play Apps

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

A sophisticated Android malware called Keenadu has been discovered embedded in firmware from multiple device brands and distributed through various vectors, including Google Play apps. The malware provides attackers with unrestricted control over infected devices, enabling broad-range data theft and other malicious activities. As of February 2026, 13,715 devices have been confirmed infected, primarily in Russia, Japan, Germany, Brazil, and the Netherlands. The malware's capabilities include compromising all installed applications, installing any apps from APK files, and monitoring user activities, including incognito browsing. Kaspersky researchers compare Keenadu to the Triada malware family, which was found in counterfeit Android devices last year. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023, and is embedded within tablet firmware with valid digital signatures. The malware has also been found in smart home camera apps on Google Play with 300,000 downloads, which are no longer available.

Timeline

  1. 17.02.2026 16:05 2 articles · 9h ago

    Keenadu Backdoor Discovered in Android Firmware and Google Play Apps

    In February 2026, Kaspersky researchers discovered the Keenadu backdoor embedded in Android firmware and distributed through various vectors, including Google Play apps. The malware provides attackers with unrestricted control over infected devices, enabling broad-range data theft and other malicious activities. As of the discovery, 13,715 devices have been confirmed infected, primarily in Russia, Japan, Germany, Brazil, and the Netherlands. The malware's deep integration into firmware makes it difficult to remove, necessitating firmware replacement or device replacement. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023, and is embedded within tablet firmware with valid digital signatures. The malware has also been found in smart home camera apps on Google Play with 300,000 downloads, which are no longer available.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

ClayRat Spyware Campaign Targets Android Users in Russia

A rapidly evolving Android spyware campaign known as ClayRat continues to target Russian users through Telegram channels and phishing websites. The spyware disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick users into downloading malicious software. Over the past three months, researchers identified more than 700 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools. Once installed, the spyware can exfiltrate call logs, SMS messages, and notifications, take photos using the front camera, and send messages or place calls directly from the victim’s phone. The spyware’s operators employ a multifaceted strategy combining impersonation, deception, and automation. Distribution occurs mainly through phishing sites, Telegram channels, step-by-step installation guides, and session-based installers posing as Play Store updates. ClayRat’s most concerning feature is its abuse of Android's default SMS handler role, allowing it to read, store, and send text messages without alerting users. This access is exploited to spread itself further, sending messages to every saved contact. The latest version of ClayRat introduces far broader capabilities by combining Default SMS privileges with extensive abuse of Accessibility Services. Key functions include a keylogger that captures PINs, passwords, and patterns, full screen recording through the MediaProjection API, overlays that disguise malicious activity, and automated taps designed to block users from shutting down the device or deleting the app. These enhancements make the malware more persistent than earlier versions. A new Android remote access trojan (RAT) called Fantasy Hub has been disclosed, sold as a Malware-as-a-Service (MaaS) product on Russian-speaking Telegram channels. Fantasy Hub enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos. The malware abuses the default SMS privileges to obtain access to SMS messages, contacts, camera, and files, and uses fake overlays to obtain banking credentials associated with Russian financial institutions. Fantasy Hub is available for $200 per week, $500 per month, or $4,500 per year, and its C2 panel provides details about compromised devices and subscription status. Zimperium's systems detected ClayRat variants as soon as they appeared, before public disclosures. The company shared its findings with Google, helping ensure protection through Google Play Protect. Security experts recommend a layered mobile security posture to reduce installation paths, detect compromise, and limit the blast radius. Users should only install applications from authorized Play/App stores.

Open in new tab

Klopatra Android Trojan Conducts Nighttime Bank Transfers

A new Android Trojan named Klopatra has been identified, capable of performing unauthorized bank transfers while the device is inactive. The malware targets users in Italy and Spain, with over 3,000 devices infected. Klopatra disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. It employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. The Trojan operates during nighttime hours, draining victims' bank accounts without alerting them. Klopatra uses Accessibility Services to gain extensive control over the device, allowing attackers to simulate user interactions remotely. It captures screenshots, records screen activity, and overlays fake login screens to steal credentials. The malware checks for device inactivity and charging status before executing its operations, ensuring the victim remains unaware until the next day. The malware is operated by a Turkish-speaking criminal group as a private botnet, with 40 distinct builds discovered since March 2025. The malware integrates Virbox, a commercial-grade code protector, to obstruct reverse-engineering and analysis. It uses native libraries to reduce its Java/Kotlin footprint and employs NP Manager string encryption in recent builds. Klopatra features several anti-debugging mechanisms, runtime integrity checks, and emulator detection capabilities. The malware supports all required remote actions for performing manual bank transactions, including simulating taps, swiping, and long-pressing. Klopatra uses Cloudflare to hide its digital tracks, but a misconfiguration exposed origin IP addresses, linking the C2 servers to the same provider. The malware has been linked to two campaigns, each counting 3,000 unique infections.

Open in new tab

Datzbro Android Trojan Targeting Elderly via AI-Generated Facebook Events

A new Android banking trojan named Datzbro is targeting elderly users through AI-generated Facebook events. The malware, discovered in August 2025, conducts device takeover (DTO) attacks and performs fraudulent transactions. It exploits social engineering tactics to trick victims into downloading malicious APK files from fraudulent links. The threat actors behind Datzbro focus on users in Australia, Singapore, Malaysia, Canada, South Africa, and the U.K. The malware leverages Android's accessibility services to perform remote actions, record audio, capture photos, and steal credentials. It also includes features to hide malicious activities and steal device lock screen PINs and passwords associated with Alipay and WeChat. Datzbro is believed to be the work of a Chinese-speaking threat group, with its command-and-control (C2) backend being a Chinese-language desktop application. The malware has been distributed freely among cybercriminals after a compiled version of the C2 app was leaked.

Open in new tab

Malicious Android Apps with 19M Installs Removed from Google Play

Seventy-seven malicious Android apps, with over 19 million installs, were removed from Google Play. These apps delivered multiple malware families, including Anatsa (Tea Bot) banking trojan, Joker, Harly, and maskware. The apps were discovered by Zscaler's ThreatLabs team and included adware, credential theft, and other malicious functionalities. The malware targeted various banking and cryptocurrency apps, expanding its scope to include Germany and South Korea. The apps used various evasion techniques, including malformed APK archives, runtime DES-based string decryption, and emulation detection. Users are advised to enable Play Protect and take additional steps to secure compromised accounts.

Open in new tab

Android spyware targeting Russian executives masquerades as FSB antivirus

New Android malware, dubbed Android.Backdoor.916.origin, targets Russian business executives by posing as antivirus software from the Russian Federal Security Services (FSB). The spyware can snoop on conversations, stream from the phone's camera, log user input, and exfiltrate communication data from messenger apps. It has been under continuous development since January 2025. The malware requests high-risk permissions upon installation and connects to a command and control (C2) server to execute various commands, including data exfiltration, screen streaming, and keylogging. It uses multiple hosting providers to enhance resilience. The malware lacks genuine security features and simulates fake detections to prevent removal.

Open in new tab