Keenadu: The Android Backdoor That Survives Factory Resets

TL;DR: Kaspersky just exposed a firmware-level Android backdoor called Keenadu that's been hiding in tablets since mid-2023. It's embedded so deep that even wiping your device won't remove it. Over 13,000 users hit so far, and it spreads through official OTA updates.


What Happened

Kaspersky researchers found a backdoor that isn't just installed on Android devices; it's baked into the firmware. The malware, named Keenadu, gets injected during the manufacturing process and ships with the device from day one.

Here's the scary part: because it carries valid digital signatures and lives inside core system libraries, security software can't easily detect it. Standard antivirus? Useless. Factory reset? Doesn't touch it.

The Technical Details

Keenadu hides inside a critical system library and injects itself into every app you launch. This gives attackers full access to:

  • All app permissions (it can grant or revoke them at will)
  • Your precise location
  • Device metadata
  • Web searches
  • Silent ad interactions
  • App installations

The backdoor uses a client-server architecture inside your device, letting operators push custom payloads that monetize your activity without you knowing. Think invisible ad clicks, hijacked searches, and forced app installs.

It's also selective. The malware checks if Google services are present and whether you're in specific time zones. If you pass the test, it decrypts a command server address and starts transmitting encrypted data.

Who's Been Hit

So far, over 13,000 confirmed victims across:

  • Russia
  • Japan
  • Germany
  • Brazil
  • Netherlands

The primary targets are Alldocube tablets, with compromised firmware dating back to mid-2023. Some infected versions were even pushed through official over-the-air updates, which means users trusted the source and installed malware thinking it was a security patch.

Supply Chain Attacks Are Getting Worse

This isn't just about one backdoored device. It's about the growing trend of attackers compromising hardware at the manufacturing level. When malware gets into the firmware build process, it bypasses every security boundary the operating system puts in place.

Your device is compromised from the moment you power it on. No exploit needed. No phishing required. Just turn it on, and you're owned.

How CybrPulse Caught This

CybrPulse flagged Kaspersky's disclosure 14 hours ago (2026-02-19, ~14:00 UTC). For context, mainstream security news sites are just starting to cover it now.

Our platform monitors hundreds of threat intelligence sources and scores alerts based on:

  • Active exploitation
  • Affected user base
  • Attack sophistication
  • Supply chain risk

Keenadu hit multiple high-priority markers, which is why it surfaced in our feed immediately.

What You Should Do

If you own an Alldocube tablet (or any budget Android tablet from an unfamiliar brand):

  1. Check your firmware version: look for any OTA updates from 2023 onward
  2. Monitor network traffic: watch for unexpected encrypted connections
  3. Consider replacing the device: if it shipped with compromised firmware, there's no clean fix
  4. Avoid third-party firmware: unless you trust the source, don't flash custom ROMs from random repos
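As an added example (not from the CybrPulse post or Kaspersky's report), the firmware check above can be turned into a repeatable inventory step: pull the build identity from `adb shell getprop` and flag builds compiled from mid-2023 onward for comparison against the vendor's published builds. The property names are standard Android build properties; the device values below are a constructed sample, and the mid-2023 cut-off is the window the post describes, so a build outside it is not proof of a clean device.

```shell
#!/bin/sh
# Constructed sample of `adb shell getprop` output, used when no device is attached.
# Model, product and build id are placeholders, not real Alldocube values.
SAMPLE_PROPS='[ro.product.manufacturer]: [Alldocube]
[ro.product.model]: [EXAMPLE_MODEL]
[ro.build.fingerprint]: [Alldocube/EXAMPLE_PRODUCT/EXAMPLE_DEVICE:13/EXAMPLE_BUILD_ID/20231001:user/release-keys]
[ro.build.date.utc]: [1696118400]
[ro.build.version.security_patch]: [2023-10-05]'

# Extract one property value from getprop-style text ($1 = property name, stdin = dump).
prop() {
  sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# Print the firmware identity and a verdict line. Builds compiled on or after
# 2023-06-01 UTC fall inside the reported window and need comparing with the
# vendor's known-good builds; earlier builds are simply outside that window.
firmware_check() {
  dump="$1"
  mfr=$(printf '%s\n' "$dump" | prop ro.product.manufacturer)
  fp=$(printf '%s\n' "$dump" | prop ro.build.fingerprint)
  utc=$(printf '%s\n' "$dump" | prop ro.build.date.utc)
  patch=$(printf '%s\n' "$dump" | prop ro.build.version.security_patch)
  cutoff=1685577600   # 2023-06-01 00:00:00 UTC (mid-2023, per the report)
  if [ "${utc:-0}" -ge "$cutoff" ]; then
    verdict="REVIEW: build compiled inside the reported window; compare the fingerprint with vendor-published builds"
  else
    verdict="OUTSIDE-WINDOW: build predates mid-2023 (not proof of a clean device)"
  fi
  printf 'manufacturer=%s\nfingerprint=%s\nbuild_utc=%s\nsecurity_patch=%s\n%s\n' \
    "$mfr" "$fp" "$utc" "$patch" "$verdict"
}

# Use the attached device when adb is present and a device is connected,
# otherwise fall back to the constructed sample so the script runs offline.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  firmware_check "$(adb shell getprop | tr -d '\r')"
else
  firmware_check "$SAMPLE_PROPS"
fi
```

Record the fingerprint per device so an OTA that silently changes it shows up in your inventory diff.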

For organizations: This is a wake-up call to vet hardware suppliers more carefully. If you're deploying cheap tablets for field work, kiosks, or IoT projects, you need to know where they're manufactured and who controls the firmware supply chain.

Why This Matters

Firmware backdoors are the worst kind of compromise because they're nearly impossible to remove. No antivirus can help you. No factory reset works. The only real defense is knowing which hardware to avoid in the first place.

And that's exactly why real-time threat intelligence matters. If you're relying on monthly security roundups or waiting for alerts to hit Reddit, you're already behind.


Detected by CybrPulse: 2026-02-19, 14:37 UTC

Source: Kaspersky Securelist

Affected Devices: Alldocube tablets (possibly others)

Impact: 13,000+ confirmed infections globally

Want threats like this flagged before they hit mainstream news? That's what CybrPulse does. $7.99/month, no vendor spam, just actionable intel.
