Keenadu Android backdoor embedded in firmware and app delivery paths
Malware Activity
Summary
The Keenadu Android backdoor was found embedded in firmware from multiple device brands, putting infected devices and their installed apps at risk of full compromise. The malware also spread through compromised OTA images, system apps, modified apps, and even some Google Play listings, widening its reach. By February 2026, researchers had confirmed 13,000 infected devices across Russia, Japan, Germany, Brazil, and the Netherlands. The activity matters because the firmware-based variant is deeply embedded and can be difficult to remove without replacing the firmware.
Related Happenings
Google rolls out Android Intrusion Logging in Android Advanced Protection Mode
Security Tool/Service
First: 14.05.2026 16:30
Last: 14.05.2026 16:30
Sources 1
About this happening:
Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...
Android Intrusion Logging forensic logging rollout for spyware investigations
Security Tool/Service
First: 13.05.2026 09:55
Last: 13.05.2026 09:55
Sources 1
About this happening:
**Android** is adding **Intrusion Logging**, an opt-in forensic feature in **Advanced Protection Mode** that preserves device and network activity for suspected spyware compromise...
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
Campaign
First: 08.05.2026 18:08
Last: 08.05.2026 18:08
Sources 1
About this happening:
The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
DAEMON Tools trojanized-installer stealer and backdoor activity
Malware Activity
First: 05.05.2026 22:21
Last: 05.05.2026 22:21
Sources 1
About this happening:
A **DAEMON Tools** supply-chain compromise is delivering **trojanized installers** that install a **backdoor** and steal system data from downloaded systems. The activity has run...
AVB Disc Soft hit by network compromise
Incident
First: 05.05.2026 19:07
Last: 05.05.2026 19:07
Sources 1
About this happening:
**DAEMON Tools** suffered a **supply-chain compromise** when **official installers** were **trojanized**, enabling malicious payload delivery and raising the risk of downstream in...
Latest development: 07.05.2026 12:30
Disc Soft released the malware-free Version 12.6 of Daemon Tools Lite on May 5 after being notified of the supply chain attack, removed the affected 12.5.1 package from support, and said the incident was contained after isolating affected systems, removing compromised files from distribution, auditing the build and release pipeline, rebuilding and validating installation packages, and strengthening internal security controls and monitoring.
Timeline
-
17.02.2026 16:05 2 articles · 3mo ago
Keenadu firmware sample dated August 18, 2023
Technical Analysis Update
The malicious firmware on an Alldocube iPlay 50 mini Pro (T811M) tablet was dated August 18, 2023, indicating that the firmware-integrated Keenadu variant was already embedded in Android tablets from multiple makers and could persist at the firmware layer.
Sources:
- New Keenadu backdoor found in Android firmware, Google Play apps — www.bleepingcomputer.com — 17.02.2026 16:05
- Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates — thehackernews.com — 17.02.2026 18:41
-
17.02.2026 16:05 3 articles · 3mo ago
Kaspersky publishes Keenadu analysis and infection count
Technical Analysis Update
On 2026-02-17, Kaspersky published a detailed analysis of Keenadu, describing a sophisticated Android backdoor embedded in firmware from multiple device brands and also present in system apps, modified apps, and Google Play apps. The analysis said the firmware-based variant can compromise every app on the device and operate in the context of libandroid_runtime.so, and that it was associated with 13,000 confirmed infected devices in Russia, Japan, Germany, Brazil, and the Netherlands as of February 2026.
Sources:
- New Keenadu backdoor found in Android firmware, Google Play apps — www.bleepingcomputer.com — 17.02.2026 16:05
- Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates — thehackernews.com — 17.02.2026 18:41