
"A new Android backdoor that's embedded deep into the device firmware can silently harvest data and remotely control its behavior, according to new findings from Kaspersky. The Russian cybersecurity vendor said it discovered the backdoor, dubbed Keenadu, in the firmware of devices associated with various brands, including Alldocube, with the compromise occurring during the firmware build phase. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023."
""In several instances, the compromised firmware was delivered with an OTA update," security researcher Dmitry Kalinin said in an exhaustive analysis published today. "A copy of the backdoor is loaded into the address space of every app upon launch. The malware is a multi-stage loader granting its operators the unrestricted ability to control the victim's device remotely." Some of the payloads retrieved by Keenadu allow it to hijack the search engine in the browser, monetize new app installs, and stealthily interact with ad elements."
Keenadu is a firmware-embedded Android backdoor that can silently harvest data and remotely control device behavior. The compromise occurs during the firmware build phase and has been found in firmware for multiple vendors, including that of the Alldocube iPlay 50 mini Pro, dating back to August 18, 2023. The backdoor is embedded in libandroid_runtime.so and injected into the Zygote process, so a copy is loaded into every app's address space at launch. The malware is a multi-stage loader that lets its operators hijack browser search engines, monetize app installs, interact with ad elements, and deploy further payloads through standalone apps distributed in both third-party and official stores. Telemetry shows 13,715 affected users, concentrated in Russia, Japan, Germany, Brazil, and the Netherlands. The compromised firmware files carry valid digital signatures and in several instances were delivered via OTA updates.
Read at The Hacker News