Overview
- Kaspersky’s new technical analysis shows Keenadu is inserted into libandroid_runtime.so, injects via the Zygote process, and runs in every app using an AKServer/AKClient architecture.
- Evidence indicates a build‑stage supply‑chain compromise, with validly signed firmware and some OTA updates delivering the backdoor; Alldocube iPlay 50 mini Pro firmware dated August 18, 2023 is confirmed affected.
- Telemetry through early 2026 counts about 13,715 impacted devices, with most detections in Russia, Japan, Germany, Brazil and the Netherlands.
- Beyond firmware, loaders were embedded in system apps and in smart‑camera apps from Hangzhou Denghong Technology on Google Play that have since been removed, with related modules also seen on Xiaomi’s GetApps store.
- Current activity focuses on ad fraud, such as search hijacking, clickers and install monetization, but the platform enables unrestricted device control. Remediation requires installing verified clean firmware or replacing the device.