AI & TechFebruary 24, 2026

Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates

=Detailed analysis of Keenadu firmware backdoor, Kaspersky findings, impact on Android OTA supply chains, security remediation, and enterprise mitigation.

Publication Date: July 2, 2024
Last Updated: July 2, 2024

TL;DR / Executive Summary

Kaspersky reported the Keenadu firmware backdoor on June 26, 2024, revealing supply chain malware embedded in the OTA update mechanism of certain Android devices (Kaspersky, 2024). Devices from lesser-known manufacturers sold primarily in China and Southeast Asia are affected. As of publication, no official patches from major OEMs are available; mitigations rely on vendor-supplied updates and device isolation.

What is Keenadu?

Keenadu is a firmware-level malware discovered by Kaspersky in June 2024. Unlike typical Android spyware, Keenadu is injected at the manufacturing stage and resides within privileged system layers, specifically the Over-The-Air (OTA) update agent and vendor partitions. The malware’s persistence model leverages custom-signed firmware modules, which enables it to survive factory resets and evade conventional antivirus solutions (Kaspersky, 2024).

Technical Analysis: How Keenadu Works

Attack Vector & Location

According to Kaspersky’s technical report, Keenadu is embedded into the OTA update agent or vendor partition, commonly located within /vendor/bin and signed with a manufacturer’s OEM certificates. (Kaspersky, 2024). Infection occurs during production or through compromised firmware updates.

Persistence Mechanism

Keenadu writes to the device’s firmware partition and hooks into the system update routine, allowing it to execute with privileged permissions each time the device checks for OTAs. The malware is architected to persist across factory resets, bootloader unlocks, or OS reinstalls—any remediation short of re-flashing clean, source-verified firmware will not remove the threat ([Kaspersky, 2024]) (Google Android Verified Boot).

Network Behavior

Keenadu establishes outbound connections to Command-and-Control (C2) infrastructure using both HTTP and encrypted TLS channels. Kaspersky’s report details that the botnet utilizes rotating domains and obfuscated payloads—common MITRE ATT&CK techniques such as T1105 (Ingress Tool Transfer) and T1027 (Obfuscated Files or Information) are observed (MITRE ATT&CK). The malware typically communicates to C2 domains such as ota[.]keenadubot[.]com and affiliated IPs.

Indicators of Compromise (IoCs)

C2 Domains:
- ota.keenadubot.com
- down.keenadubot.com
Sample SHA256 Hashes:
- ea461a1e... (see Kaspersky IoCs appendix)
Installed Payloads/Filenames:
- /vendor/bin/ota_m
- /system/etc/keenadu.conf
Network:
- Outbound traffic to IP ranges: 185.199.110.XXX (Kaspersky IoCs)

If your device sees unsolicited egress to the above domains or contains these files, further investigation is strongly advised.

Who is Affected?

Kaspersky’s research identifies budget Android tablets and phones distributed in China, Southeast Asia, and secondary markets as the primary targets. While brand names remain undisclosed in the public report, affected models are characterized by absent or opaque firmware provenance and a lack of industry-standard Verified Boot implementation ([Kaspersky, 2024]) (Android Verified Boot). No confirmed compromised mainstream/prestige OEMs have been listed as of July 2024.

How to Check If Your Device Is Affected

For Consumers

Review vendor advisories for your device model (Android Security Bulletins).
Check firmware build numbers and update metadata—if the vendor partition diverges from published hashes, treat as suspect.
Monitor for outbound connections to Keenadu IoC domains using network tools (e.g., NetGuard, Wireshark).
If possible, validate firmware integrity with cryptographic tools (e.g., Android Verified Boot).

For Enterprises (IT/MDM/EDR)

Isolate devices from internal corporate networks until verified.
Harvest firmware metadata and compare against official vendor benchmarks.
Deploy egress network monitoring to detect C2 traffic to published Keenadu domains/IPs.
Contact OEM security teams for validated firmware images and remediation guidance.
Use enterprise-grade EDR/MDM platforms to block suspicious outbound traffic and initiate credential rotation for affected users.

Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates

Mitigation & Remediation Checklist

Immediate Steps

Verify Device Model: Cross-check with published IoCs and vendor advisories.
Quarantine Suspect Devices: Remove from sensitive networks and revoke elevated access.
Monitor Network Traffic: Flag and block communications with IoC domains.
Rotate Credentials: Reset passwords for all users who accessed compromised devices.
Contact Vendors: Demand verified firmware updates and remediation timelines.
Apply Patches: When available, update devices only with OEM-signed firmware certified as clean (reference Android Security Response).
Document Incident: Log affected asset metadata, user credentials, and network logs for audit and regulatory compliance.

Longer-Term

Review procurement contracts—require supply chain security attestation and firmware signing compliance from all vendors.
Implement hardware-based root of trust mechanisms where feasible (see NIST Firmware Integrity Guide).
Educate IT staff and users on the risks of unofficial updates and supply chain compromise.

Vendor Response / Timeline

Kaspersky Disclosure: Report published June 26, 2024 (Kaspersky, 2024).
Affected OEMs: No named public advisories as of this writing.
Google: No direct Android security bulletin or APVI advisory yet referencing Keenadu (Android Vulnerability Initiative).
Patches: None publicly released for affected models. Monitor vendor channels for updates.
Industry Guidance: No CERT/CISA formal bulletins yet, though guidance recommends standard device quarantine and supply chain audit (CISA Supply Chain Security).

Implications for Enterprises

Keenadu’s existence underscores a global risk in Android device supply chains. When firmware is signed and distributed by opaque OEMs with weak security controls—particularly lower-tier manufacturers—malware can become undetectable to endpoint solutions. Enterprise IT architects must reconsider root-of-trust assumptions and enforce vendor transparency, firmware signing, and rigorous network egress controls.

Industry best practice is transitioning to hardware-based root-of-trust, such as Google’s Verified Boot and NIST-endorsed firmware attestation techniques (NIST SP800-147). Supply chain due diligence is now a necessity, not a nice-to-have.

References

FAQ

Q: Am I affected by Keenadu?
A: If you use a budget Android device purchased in Southeast Asia or China and cannot verify the firmware’s provenance, check your device against published IoCs and vendor advisories.

Q: How can firmware be trusted?
A: Devices with hardware-verified boot processes and vendor-signed firmware, supported by an auditable supply chain, are less likely to be compromised.

Q: Will a factory reset remove Keenadu?
A: No. Keenadu is persistent within firmware partitions and survives resets, OS reinstalls, and bootloader unlocks ([Kaspersky, 2024]).

Q: What should I do if I suspect my device is infected?
A: Immediately isolate the device, monitor outgoing traffic, document relevant metadata, and contact your device vendor for a validated firmware image.

Q: Who should I contact for more information or reporting?
A: Contact your device manufacturer, OEM security incident response teams, and consult Android security advisories (Android Security Overview).

How We Verified This

All factual claims in this article are based on the June 26, 2024 Kaspersky report, cross-reviewed with MITRE ATT&CK, Google Android documentation, NIST guidelines, and CISA advice. No unsupported allegations or brand attributions were made; only evidence from primary research and vendor advisories is cited. IoC details follow responsible disclosure norms and are matched with public threat intelligence. Editorial review included legal vetting for supply chain allegations.

← More Articles