Firmware-level Android backdoor found on tablets from multiple manufacturers

A new Android backdoor embedded directly in device firmware can quietly take control of apps and harvest data, Kaspersky researchers found.

The malware, named Keenadu, was discovered during an investigation into earlier Android threats and appears to have been inserted during the firmware build process, not after devices reached users. 

How the backdoor works

The research team said they found the backdoor code in the firmware of Android-based tablets belonging to several brands.

“The infection occurred during the firmware build phase, where a malicious static library was linked with libandroid_runtime.so. Once active on the device, the malware injected itself into the Zygote process, similarly to [the Triada backdoor]. In several instances, the compromised firmware was delivered with an OTA update,” the researchers shared.

“A copy of the backdoor is loaded into the address space of every app upon launch. The malware is a multi-stage loader granting its operators the unrestricted ability to control the victim’s device remotely.”

Investigators intercepted modules downloaded by the backdoor and found they could redirect browser searches, track app installs for profit, and interact with advertising elements.

Some payloads were also discovered hidden inside apps distributed through third-party stores and even official app marketplaces (e.g., Google Play). 

How was the firmware compromised?

The researchers traced one infection path to publicly available firmware images for Alldocube iPlay 50 mini Pro tablets. Every version they checked, including releases issued after the vendor acknowledged malware reports, still contained the backdoor, they said.

All analyzed firmware files carried valid digital signatures, which suggests attackers did not simply tamper with updates. Instead, the researchers concluded it was highly probable that the Trojan was integrated into the firmware during the build phase. 

The evidence points to a supply-chain compromise. “One stage of the firmware supply chain was compromised, leading to the inclusion of a malicious dependency within the source code. Consequently, the vendors may have been unaware that their devices were infected prior to reaching the market,” they noted.

What to do?

The affected vendors have been notified and are likely working on pushing out clean firmware updates. Unfortunately, Kaspersky did not publicly identify the vendors (apart from Alldocube).

Users have been advised to check for software updates and implement them as soon as possible. Until then, the researchers recommend not using the infected devices.

The Keenadu malware has also been discovered in various system apps in the firmware of several devices, in trojanized versions of popular apps distributed largely via unofficial sources, and in various apps found in Xiaomi’s GetApps store.

The system apps cannot be uninstalled because they reside in the system partition, but they can be replaced or disabled (if not needed). Other types of apps can be uninstalled normally.
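As an added example (not from the article or Kaspersky), a POSIX shell helper that turns `adb shell pm list packages -f` output into the remediation commands the advice above describes: packages installed on a system partition get `pm disable-user`, user-installed packages get `pm uninstall`. The package names in the sample are constructed.

```shell
#!/bin/sh
# remediation_plan: read "pm list packages -f" lines on stdin and print one adb
# command per package. Apps on system partitions cannot be uninstalled without
# reflashing, so they are disabled for user 0; everything else is uninstalled.
remediation_plan() {
  while IFS= read -r line; do
    case "$line" in
      package:*=*) ;;          # expected shape: package:<apk path>=<package name>
      *) continue ;;           # skip anything that is not a package entry
    esac
    entry=${line#package:}
    apk_path=${entry%=*}
    pkg=${entry##*=}
    case "$apk_path" in
      /system/*|/system_ext/*|/product/*|/vendor/*|/odm/*)
        printf 'adb shell pm disable-user --user 0 %s\n' "$pkg" ;;
      *)
        printf 'adb shell pm uninstall --user 0 %s\n' "$pkg" ;;
    esac
  done
}

# Filter the plan to the packages you have identified as malicious before running it:
# adb shell pm list packages -f | remediation_plan | grep -F -e com.example.bad | sh
```

Review the generated commands before piping them to `sh`; disabling arbitrary system packages can break the device.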

“According to our telemetry, 13,715 users worldwide have encountered Keenadu or its modules. Our security solutions recorded the highest number of users attacked by the malware in Russia, Japan, Germany, Brazil and the Netherlands,” the researchers shared.

Kaspersky linked the Keenadu threat to other major Android botnet families: Triada, BadBox, and Vo1d.
