Tom’s Guide
Scott Younker

Multiple Android devices found to have dangerous built-in backdoor: how to know if yours is safe


Most Android malware spreads through dodgy apps and sideloaded programs, which means you have at least some control over what ends up on your device. However, researchers at Kaspersky have discovered a new Android backdoor, dubbed Keenadu, that is embedded in the firmware of tablets from several manufacturers.

The new report indicates that Keenadu can be distributed in several ways: via compromised firmware images, via other backdoors, embedded in system apps, or hidden in modified apps from third-party sources or even the Google Play Store.

The firmware version is the most potent and has infected more than 13,000 devices mostly in Russia, Japan, Germany, Brazil and the Netherlands. Keenadu apparently does not activate if the language or time zone is associated with China, which indicates a potential clue as to its origin.

How it works


Kaspersky researchers noted that it's mostly being used for fraudulent ads, but its capabilities go far beyond that. It can inject itself into the Android "Zygote" process, the core system process from which every app on your device is launched.

This means it can give bad actors broad control and visibility over your system.

“Keenadu is a fully functional backdoor that provides the attackers with unlimited control over the victim’s device,” Kaspersky told BleepingComputer. "It can infect every app installed on the device, install any apps from APK files, and give them any available permissions.”

The researchers also found the malware in several apps that were available on the Google Play Store, including a smart home camera app that had over 300,000 downloads.

In a confirmed example, firmware images on the Alldocube iPlay 50 mini Pro tablet were compromised, including on tablets released after the vendor was informed of the malware. The firmware carries valid signatures, meaning this is a supply-chain issue in which malicious code was injected during software development or even the manufacturing process.

Here's the silver lining: if you have one of the best tablets from a flagship brand like OnePlus or Samsung, you likely won't be affected by this malware. However, devices from lesser-known Android manufacturers or knock-off brands appear to be at greater risk, and not all affected vendors have been named. This is quite similar to how malware was found on millions of budget Android TV boxes last year.

How to stay safe


If you have a budget Android tablet, especially from a smaller or knock-off brand, it's worth checking for software updates. You can also try installing fresh firmware from a reliable third party. Kaspersky did say that vendors have been notified and are hopefully working on clean firmware updates.

Beyond that, it may be safer to invest in a tablet from a trusted manufacturer. We can help you with choices of the best tablets under $500 and the best Android tablets overall.

A Google spokesperson told Android Authority that "Android users are automatically protected from known versions of this malware by Google Play Protect." The spokesperson added that Play Protect will warn you and disable apps known to exhibit Keenadu behavior.

Google Play Protect is on by default, but if you want an extra layer of protection, you can run one of the best Android antivirus apps alongside it for scanning and defending your tablet or phone.
