Keenadu Android backdoor embedded in firmware and app delivery paths
Malware Activity
Summary
Hide ▲
Show ▼
The Keenadu Android backdoor was found embedded in firmware from multiple device brands, putting infected devices and their installed apps at risk of full compromise. The malware also spread through compromised OTA images, system apps, modified apps, and even some Google Play listings, widening its reach. By February 2026, researchers had confirmed 13,000 infected devices across Russia, Japan, Germany, Brazil, and the Netherlands. The activity matters because the firmware-based variant is deeply embedded and can be difficult to remove without replacing the firmware.
Related Happenings
Asin Android spyware distribution through fake utility, PDF, and war-map apps
Malware Activity
H score22
First: 05.06.2026 17:53
Last: 05.06.2026 17:53
Sources 1
About this happening:
The **Asin** Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting **Arabic-speaking users** at risk of covert surveillance on **Andro...
Asin Android spyware distribution through fake utility, PDF, and war-map apps
Malware ActivityAbout this happening: The **Asin** Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting **Arabic-speaking users** at risk of covert surveillance on **Andro...
BTMOB Android RAT no-code builder malware activity
Malware Activity
H score28
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
BTMOB Android RAT no-code builder malware activity
Malware ActivityAbout this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/Service
H score10
First: 14.05.2026 16:30
Last: 14.05.2026 16:30
Sources 1
About this happening:
Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/ServiceAbout this happening: Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/Service
H score11
First: 13.05.2026 09:55
Last: 13.05.2026 09:55
Sources 1
About this happening:
**Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/ServiceAbout this happening: **Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
Campaign
H score34
First: 08.05.2026 18:08
Last: 08.05.2026 18:08
Sources 1
About this happening:
The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
CampaignAbout this happening: The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
Timeline
-
17.02.2026 16:05 2 articles · 4mo ago
Keenadu firmware sample dated August 18, 2023
Technical Analysis UpdateOn August 18, 2023, the malicious firmware on an Alldocube iPlay 50 mini Pro (T811M) tablet was dated, indicating that the firmware-integrated Keenadu variant was already embedded in an Android tablet from multiple makers and could persist at the firmware layer.
Show sources
- New Keenadu backdoor found in Android firmware, Google Play apps — www.bleepingcomputer.com — 17.02.2026 16:05
- Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates — thehackernews.com — 17.02.2026 18:41
-
17.02.2026 16:05 3 articles · 4mo ago
Kaspersky publishes Keenadu analysis and infection count
Technical Analysis UpdateOn 2026-02-17, Kaspersky published a detailed analysis of Keenadu, describing a sophisticated Android backdoor embedded in firmware from multiple device brands and also present in system apps, modified apps, and Google Play apps. The analysis said the firmware-based variant can compromise every app on the device, operate in the context of libandroid_runtime.so, and was associated with 13,000 confirmed infected devices in Russia, Japan, Germany, Brazil, and the Netherlands as of February 2026.
Show sources
- New Keenadu backdoor found in Android firmware, Google Play apps — www.bleepingcomputer.com — 17.02.2026 16:05
- Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates — thehackernews.com — 17.02.2026 18:41
- Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates — thehackernews.com — 17.02.2026 18:41
-
17.02.2026 16:05 2 articles · 4mo ago
Keenadu firmware sample dated August 18, 2023
Technical Analysis UpdateOn August 18, 2023, the malicious firmware on an Alldocube iPlay 50 mini Pro (T811M) tablet was dated, indicating that the firmware-integrated Keenadu variant was already embedded in an Android tablet from multiple makers and could persist at the firmware layer.
Show sources
- New Keenadu backdoor found in Android firmware, Google Play apps — www.bleepingcomputer.com — 17.02.2026 16:05
- Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates — thehackernews.com — 17.02.2026 18:41
-
17.02.2026 16:05 3 articles · 4mo ago
Kaspersky publishes Keenadu analysis and infection count
Technical Analysis UpdateOn 2026-02-17, Kaspersky published a detailed analysis of Keenadu, describing a sophisticated Android backdoor embedded in firmware from multiple device brands and also present in system apps, modified apps, and Google Play apps. The analysis said the firmware-based variant can compromise every app on the device, operate in the context of libandroid_runtime.so, and was associated with 13,000 confirmed infected devices in Russia, Japan, Germany, Brazil, and the Netherlands as of February 2026.
Show sources
- New Keenadu backdoor found in Android firmware, Google Play apps — www.bleepingcomputer.com — 17.02.2026 16:05
- Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates — thehackernews.com — 17.02.2026 18:41
- Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates — thehackernews.com — 17.02.2026 18:41