This Android virus was already on your device even before you bought it

Although most Android viruses are spread through dubious applications, email attachments or APK files from untrusted sites, the latest discovery shows a much more dangerous scenario. Kaspersky researchers identified an Android backdoor called Keenadu, which was built directly into the system firmware during the device’s manufacturing process. This means that some phones and tablets were infected before they even reached the hands of customers.

Keenadu Android backdoor and compromised supply chain

According to Kaspersky’s analysis, the infection occurred during the firmware development phase, when the malware library was linked to the libandroid_runtime.so system component. Once activated on the device, the malware injects itself into the Zygote process, a key part of the Android system responsible for running applications, giving it an extremely high level of privilege. In some cases, compromised firmware has even been delivered to users via OTA updates.

The researchers say the most likely cause of the attack is supply chain compromise. One of the stages in the development of the firmware was compromised, which led to the injection of a virus into the source code. The manufacturers of the devices were apparently unaware that their products contained the virus before they were released to the market.

So far, it has been confirmed that around 13,000 devices are infected with this backdoor. Although Kaspersky has not announced which brands or models are affected, manufacturers have been notified and are expected to prepare clean firmware versions through a new system update.

Google Play Protect and user protection

When asked what users can do if they have a potentially infected device, Google claims that most will not need to take any further action. According to the official statement, Android devices that have Play Protect certification are automatically protected against known variants of Keenadu malware.

Google states that Play Protect, which is active by default on devices with Google Play Services, can alert users and disable apps that exhibit behavior associated with this backdoor, even if they come from outside the Play Store. As a basic security measure, users are advised to check if their device is Play Protect certified and to install system updates regularly.

This case shows that threats to the Android ecosystem come not only from user errors, but also from deeply hidden stages of production, which makes the security of mobile devices more complex than ever before, reports Android Headline.