Find notable cyber news and cases, enriched with sources, timelines, and signals.

Keenadu Android backdoor embedded in firmware and app delivery paths

Malware Activity
First reported
Last updated
Happening score
H score 27
2 unique sources, 2 articles

Summary

Hide ▲

The Keenadu Android backdoor was found embedded in firmware from multiple device brands, putting infected devices and their installed apps at risk of full compromise. The malware also spread through compromised OTA images, system apps, modified apps, and even some Google Play listings, widening its reach. By February 2026, researchers had confirmed 13,000 infected devices across Russia, Japan, Germany, Brazil, and the Netherlands. The activity matters because the firmware-based variant is deeply embedded and can be difficult to remove without replacing the firmware.

Related Happenings

Asin Android spyware distribution through fake utility, PDF, and war-map apps

Malware Activity
H score22 First: 05.06.2026 17:53 Last: 05.06.2026 17:53 Sources 1

About this happening: The **Asin** Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting **Arabic-speaking users** at risk of covert surveillance on **Andro...

BTMOB Android RAT no-code builder malware activity

Malware Activity
H score28 First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

About this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...

Latest development: 29.05.2026 00:10

BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.

Google rolls out Android Intrusion Logging in Android Advanced Protection Mode

Security Tool/Service
H score10 First: 14.05.2026 16:30 Last: 14.05.2026 16:30 Sources 1

About this happening: Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...

Android Intrusion Logging forensic logging rollout for spyware investigations

Security Tool/Service
H score11 First: 13.05.2026 09:55 Last: 13.05.2026 09:55 Sources 1

About this happening: **Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...

CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific

Campaign
H score34 First: 08.05.2026 18:08 Last: 08.05.2026 18:08 Sources 1

About this happening: The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...

Timeline

  1. 17.02.2026 16:05 2 articles · 4mo ago

    Keenadu firmware sample dated August 18, 2023

    Technical Analysis Update

    On August 18, 2023, the malicious firmware on an Alldocube iPlay 50 mini Pro (T811M) tablet was dated, indicating that the firmware-integrated Keenadu variant was already embedded in an Android tablet from multiple makers and could persist at the firmware layer.

    Show sources
  2. 17.02.2026 16:05 3 articles · 4mo ago

    Kaspersky publishes Keenadu analysis and infection count

    Technical Analysis Update

    On 2026-02-17, Kaspersky published a detailed analysis of Keenadu, describing a sophisticated Android backdoor embedded in firmware from multiple device brands and also present in system apps, modified apps, and Google Play apps. The analysis said the firmware-based variant can compromise every app on the device, operate in the context of libandroid_runtime.so, and was associated with 13,000 confirmed infected devices in Russia, Japan, Germany, Brazil, and the Netherlands as of February 2026.

    Show sources
  3. 17.02.2026 16:05 2 articles · 4mo ago

    Keenadu firmware sample dated August 18, 2023

    Technical Analysis Update

    On August 18, 2023, the malicious firmware on an Alldocube iPlay 50 mini Pro (T811M) tablet was dated, indicating that the firmware-integrated Keenadu variant was already embedded in an Android tablet from multiple makers and could persist at the firmware layer.

    Show sources
  4. 17.02.2026 16:05 3 articles · 4mo ago

    Kaspersky publishes Keenadu analysis and infection count

    Technical Analysis Update

    On 2026-02-17, Kaspersky published a detailed analysis of Keenadu, describing a sophisticated Android backdoor embedded in firmware from multiple device brands and also present in system apps, modified apps, and Google Play apps. The analysis said the firmware-based variant can compromise every app on the device, operate in the context of libandroid_runtime.so, and was associated with 13,000 confirmed infected devices in Russia, Japan, Germany, Brazil, and the Netherlands as of February 2026.

    Show sources