Executive Summary
On February 17, 2026, Kaspersky’s SecureList published a detailed threat report titled The Tablet Conqueror and the Links Between Major Android Botnets. The study exposes a new firmware‑level Android backdoor, Keenadu, and demonstrates its interconnections with established botnets such as Triada, BADBOX, and Vo1d. The malware infiltrates devices during the firmware build process, injecting itself into the libandroid_runtime.so library and gaining unrestricted control over every application launched on the infected tablet. The following article presents a threat‑report‑style overview, technical findings, and actionable recommendations for security analysts and device vendors.
Malware Discovery and Initial Indicators
Keenadu was first identified in the firmware of several tablet brands. Analysts noticed anomalous code in /system/lib/libandroid_runtime.so, where a malicious static library, libVndxUtils.a, was linked during compilation. The dropper function, __log_check_tag_count, was inserted into the native println_native implementation. When executed, it decrypts an RC4‑encrypted payload, writes it to /data/dalvik-cache/arm@framework@vndx_10x.jar@classes.jar, and loads it via DexClassLoader. The payload’s entry point is com.ak.test.Main, which initiates the backdoor’s client‑server architecture.
Backdoor Architecture
The backdoor operates through two main components: AKClient, injected into every app, and AKServer, running inside the system_server process. The client broadcasts a protected intent (com.action.SystemOptimizeService) to obtain a binder interface to the server. Once connected, the server can:
- Inject arbitrary DEX modules into infected apps.
- Grant or revoke app permissions.
- Collect device identifiers (IMEI, MAC, OS version) and exfiltrate them to a C2 server.
The backdoor’s primary mission is ad fraud. It hijacks search queries in Chrome, monitors click events in popular apps (e.g., YouTube, Facebook), and injects malicious modules that interact with advertising elements. The modules communicate with a C2 backend hosted on domains such as keepgo123.com and gsonx.com.
Linking to Other Botnets
Analysis of C2 traffic revealed that Keenadu shares code and infrastructure with other Android botnets:
- Triada – both use the same RC4‑encrypted dropper and similar binder interfaces.
- BADBOX – the backdoor’s loader is downloaded by BADBOX, and both use identical AES‑CFB payload decryption routines.
- Vo1d – shared command‑and‑control domains and similar exfiltration patterns.
These interconnections suggest a shared developer community or code reuse, underscoring the need for cross‑botnet threat intelligence sharing.
Infection Scope and Victim Statistics
Over 13,700 users worldwide have been affected, with the highest infection rates in Russia, Japan, Germany, Brazil, and the Netherlands. The malware operates silently; users of infected devices report intrusive ads, unexplained sounds, and occasional battery drain. Because the backdoor resides in the read‑only system partition, standard OS tools cannot remove it without bricking the device.
Mitigation Recommendations
- Firmware Updates: If a vendor releases a clean firmware version, perform a full OTA update. Verify integrity with a trusted security solution before and after the update.
- Custom Firmware: For devices lacking official updates, consider flashing an open‑source firmware (e.g., LineageOS) if compatible. Exercise caution to avoid bricking.
- Disable Infected System Apps: Use ADB to disable non‑essential system apps (e.g., com.aiworks.faceidservice) with adb shell pm disable --user 0 <package>. Where disabling is not possible, remove the app’s functionality by toggling system settings.
- App‑level Monitoring: Deploy an advanced mobile threat defense (MTD) solution that can detect runtime injection, binder abuse, and anomalous outbound traffic to known C2 domains.
- Supply Chain Security: Vendors should audit firmware build pipelines, enforce code signing with hardware‑backed key storage, and perform binary integrity checks on all third‑party libraries.
- Incident Response: If a device is suspected of infection, isolate it from corporate networks, capture a full disk image, and analyze for known indicators of compromise (IoCs) such as the malicious libandroid_runtime.so hashes listed in the report.
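The incident-response and ADB steps above, as an added bash triage script that is not part of the SecureList report: it pulls libandroid_runtime.so over ADB, hashes it against a list of known-bad values (the all-zero entry is a constructed placeholder to be replaced with the hashes from the report), checks for the dalvik-cache payload path named earlier, and reports whether the suspect system package is installed. It assumes adb is on PATH and a device is connected; the /data check only works with adb root or a rooted device.

```bash
#!/usr/bin/env bash
# Added triage example (not from the SecureList report): check a tablet over ADB
# for the Keenadu artifacts named in the write-up. Requires adb on PATH and a
# connected device; the dalvik-cache check needs 'adb root' or a rooted device.
set -u

# PLACEHOLDER: replace with the libandroid_runtime.so SHA-256 values published
# in the report. The all-zero entry is a constructed stand-in, not a real IoC.
KNOWN_BAD_HASHES="
0000000000000000000000000000000000000000000000000000000000000000
"
# Paths and packages named in the write-up.
RUNTIME_LIB="/system/lib/libandroid_runtime.so"
DEX_ARTIFACT="/data/dalvik-cache/arm@framework@vndx_10x.jar@classes.jar"
SUSPECT_PACKAGES="com.aiworks.faceidservice"

# Exit 0 if the hash is on the known-bad list, 1 otherwise (case-insensitive).
is_known_bad_hash() {
  [ -n "${1:-}" ] || return 1
  printf '%s\n' "$KNOWN_BAD_HASHES" | grep -qixF -- "$1"
}

# Take the first field of sha256sum output ("<hash>  <file>") as lowercase hex.
digest_of() {
  printf '%s' "$1" | awk '{print tolower($1)}'
}

# Pull the runtime library from the device and hash it locally.
hash_runtime_lib() {
  local tmp; tmp=$(mktemp) || return 2
  adb pull "$RUNTIME_LIB" "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 2; }
  digest_of "$(sha256sum "$tmp")"; rm -f "$tmp"
}

# Run all checks; the return value is the number of findings (0 = none observed).
check_device() {
  local h found=0
  h=$(hash_runtime_lib) || { echo "ERROR: could not pull $RUNTIME_LIB"; return 2; }
  echo "libandroid_runtime.so sha256: $h"
  if is_known_bad_hash "$h"; then echo "FINDING: known-bad runtime library"; found=$((found+1)); fi
  # 'ls' via adb shell works with old adb versions that do not propagate exit codes.
  if adb shell "ls '$DEX_ARTIFACT' 2>/dev/null" | grep -q 'vndx_10x'; then
    echo "FINDING: dropper payload present at $DEX_ARTIFACT"; found=$((found+1)); fi
  for p in $SUSPECT_PACKAGES; do
    if adb shell pm list packages 2>/dev/null | tr -d '\r' | grep -qx "package:$p"; then
      echo "FINDING: $p installed; consider: adb shell pm disable --user 0 $p"; found=$((found+1)); fi
  done
  return "$found"
}

if [ "${1:-}" = "--scan" ]; then check_device; fi
```

Run it as `bash triage.sh --scan`; a non-zero exit equal to the finding count means at least one artifact was observed and the device should be imaged before any cleanup.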
Conclusion
Keenadu demonstrates the sophistication of modern Android firmware backdoors. By compromising the core runtime library, the malware bypasses all sandboxing mechanisms and leverages the system’s own inter‑process communication to deliver a wide range of malicious modules. The links to Triada, BADBOX, and Vo1d highlight the increasingly interconnected nature of mobile botnets. Security teams must adopt a holistic approach that combines firmware integrity verification, real‑time app monitoring, and cross‑botnet threat intelligence to mitigate the evolving threat landscape.