Researchers at Kaspersky have analyzed a recently discovered Android malware that enables its operators to remotely control compromised devices. Dubbed Keenadu, the backdoor has been found in the firmware of various Android device brands, particularly tablets. While in some cases the malware appears to have been injected into the firmware during development, it has also been delivered to devices via OTA firmware updates.
A new Android backdoor that's embedded deep into the device firmware can silently harvest data and remotely control its behavior, according to new findings from Kaspersky. The Russian cybersecurity vendor said it discovered the backdoor, dubbed Keenadu, in the firmware of devices associated with various brands, including Alldocube, with the compromise occurring during the firmware build phase. Keenadu has been detected in Alldocube iPlay 50 mini Pro firmware dating back to August 18, 2023.
The Black Lotus Labs team at Lumen Technologies said it null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since early October 2025. AISURU and its Android counterpart, Kimwolf, have emerged as some of the biggest botnets in recent times, capable of directing enslaved devices to participate in distributed denial-of-service (DDoS) attacks and relay malicious traffic for residential proxy services.
"Previously, users received 'pure' Trojan APKs that acted as malware immediately upon installation," Group-IB said in an analysis published last week. "Now, adversaries increasingly deploy droppers disguised as legitimate applications. The dropper looks harmless on the surface but contains a built-in malicious payload, which is deployed locally after installation - even without an active internet connection."
The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control. What's notable about the attacks targeting Android devices is also the destructive ability of the threat actors to exploit Google's asset tracking services Find Hub (formerly Find My Device) to remotely reset victim devices, thereby leading to the unauthorized deletion of personal data. The activity was detected in early September 2025.
According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis efforts by first checking its running within a virtualized or emulated environment, and then extracting device details such as the manufacturer and model name to ascertain if it's being executed on a real device. BankBot-YNRK also checks if the device is manufactured by Oppo, or is running on ColorOS, a version of the Android operating system that's used on devices made by the Chinese original equipment manufacturer (OEM).
Updated A new Android malware strain, Herodotus, steals credentials, logs keystrokes, streams victims' screens, and hijacks input - but with a twist: it mimics human typing by adding random delays between keystrokes to evade behavioral fraud detection systems. The trojan, named after the ancient Greek Father of History - or Father of Lies - includes pieces of banking malware Brokewell along with original parts, and has been used in device takeover attacks in Italy and Brazil, according to Dutch firm ThreatFabric's mobile threat intelligence team.
The Dutch mobile security firm said the change is driven by recent security protections that Google has piloted in select markets like Singapore, Thailand, Brazil, and India to block sideloading of potentially suspicious apps requesting dangerous permissions like SMS messages and accessibility services, a heavily abused setting to carry out malicious actions on Android devices. "Google Play Protect's defences, particularly the targeted Pilot Program, are increasingly effective at stopping risky apps before they run," the company said. "Second, actors want to future-proof their operations."
Bitdefender warns that a Meta malvertising campaign has expanded to Android phones. The research discovered malicious ads that offer a free TradingView Premium app for Android. Rather than leading users to a legitimate software, however, these ads take victims to a sophisticated crypto-stealing trojan, which the research as "an evolved version of the Brokewell malware." The research's most recent analysis revealed the campaign remains active and has leveraged at least 75 malicious ads since mid-July.
