In late February 2026, SophosLabs analysts identified multiple detections on Android devices for malicious activity associated with the Keenadu backdoor. According to Kaspersky, Keenadu is a firmware infection embedded in libandroid_runtime.so (a shared object library) that injects itself into the Zygote process. As Zygote is the parent process for all Android apps, an attacker effectively gains total control over an infected device. Keenadu acts as a downloader for second-stage malware modules that can be used to target the data in multiple applications. All Android apps rely on libandroid_runtime.so to run, so a copy of Keenadu is loaded into the address space of every app installed on an infected device.
The code for Keenadu is located in a static library (libVndxUtils.a) on an infected device and relies on a malicious dependency that masquerades as legitimate MediaTek code. Based on artifacts associated with Keenadu’s deployment, Kaspersky concluded that it was “integrated into the firmware during the build phase” in a supply chain compromise rather than subsequently installed through a compromised OTA (over-the-air) server.
The apps the malware targets depend on the modules the attacker chooses to download. Examples include storefronts like Shein, Temu, and Amazon. YouTube, Facebook, and the Digital Wellbeing app are all targeted with “clicker” modules, which perform ad fraud by silently connecting to websites in the background to generate pay-per-click revenue. Another clicker module is embedded in the system launcher (com.android.launcher3) and appears designed to monetize each installation. One module targets the Google Chrome browser.
The infected devices detected by Sophos consistently involved two system-level APK files: PriLauncher.apk and PriLauncher3QuickStep.apk. These files were in system-level directories (e.g., /system/system_ext/priv-app/PriLauncher3QuickStep/PriLauncher3QuickStep.apk). QuickStep is the default Android system launcher and a core component of the Android Open Source Project (AOSP). The detections of these APK files as malicious suggest that these components were trojanized to run Keenadu on certain devices. The Sophos Intercept-X endpoint agent for Android does not block legitimate QuickStep versions.
As of March 4, Sophos Intercept X telemetry listed over 500 unique compromised Android devices across nearly 50 models. The devices were mostly low-cost models produced by the following manufacturers: Allview, BLU, Dcode, DOOGEE, Gigaset, Gionee, Lava, and Ulefone. The list did not include Alldocube devices, despite Kaspersky reportedly observing Keenadu affecting that manufacturer as well. The identified infections were spread globally, with devices located in 40 countries.
Organizations that allow users to access corporate resources from personal devices are at elevated risk. Although the data exfiltrated comes from the device itself, threat actors could access a corporate network via exposed credentials stored in apps on the infected device.
SophosLabs analysts recommend following the steps outlined in knowledge base article KBA-000047016. Android users should install updated firmware if released by the vendor. Until the firmware has been updated, organizations should consider restricting affected models from accessing the corporate network.
The following Sophos protection relates to this threat:
- Andr/Bckdr-SBS
The threat indicators in Table 1 can be used to detect activity related to this threat. Note that IP addresses can be reallocated. The domains and IP addresses may contain malicious content, so consider the risks before opening them in a browser.
| Indicator | Type | Context |
|---|---|---|
| 11eaf02f41b9c93e9b3189aa39059419 | MD5 hash | Keenadu-infected BLU Bold K50 firmware (PriLauncher3QuickStep.apk) |
| 7db58b72a3493a86e847c3685eca74c690d50b55 | SHA1 hash | Keenadu-infected BLU Bold K50 firmware (PriLauncher3QuickStep.apk) |
| 52db1f284a0dccbb750314cf765131a17a8284a2aeea04701a2b71f35fb9d9ee | SHA256 hash | Keenadu-infected BLU Bold K50 firmware (PriLauncher3QuickStep.apk) |
| 3c03168c98ad6111c3aa0a960f8b7eea | MD5 hash | Keenadu-infected BLU G84 firmware (PriLauncher3QuickStep.apk) |
| dcf2b51bfc43494bb27f5da26f3f706ca878d17e | SHA1 hash | Keenadu-infected BLU G84 firmware (PriLauncher3QuickStep.apk) |
| cdf1d41d732ba882184060933bec2c1f4b8eefc081c06471132a690f2205da31 | SHA256 hash | Keenadu-infected BLU G84 firmware (PriLauncher3QuickStep.apk) |
| cb0d514d86ddfaf4345d25cef064863b | MD5 hash | Keenadu-infected Ulefone Armor 22 firmware (PriLauncher.apk) |
| b73c94e56932f607108ec1efb74004c763a9e42b | SHA1 hash | Keenadu-infected Ulefone Armor 22 firmware (PriLauncher.apk) |
| ab6d744dccf4c6266474df4b8aa3be6ae5663dbee39c579a552a4cfa1c1d12fd | SHA256 hash | Keenadu-infected Ulefone Armor 22 firmware (PriLauncher.apk) |
| cd619b4e1e793f96eca877616a741bc1 | MD5 hash | Keenadu-infected Ulefone Armor X13 firmware (PriLauncher.apk) |
| c33b025bac789d3742278f784377fc36f83fd1ff | SHA1 hash | Keenadu-infected Ulefone Armor X13 firmware (PriLauncher.apk) |
| da1c7f53add0abaa8a49b773e5cea9c9171799f644ec24e366aaf7ce29962a11 | SHA256 hash | Keenadu-infected Ulefone Armor X13 firmware (PriLauncher.apk) |
| b80b39ed95d54c8c1bf12e35f92e23cc | MD5 hash | Keenadu-infected Ulefone Armor 24 firmware (PriLauncher3QuickStep.apk) |
| 7eb32a90d556bb9954707014843a67f7039ea7f1 | SHA1 hash | Keenadu-infected Ulefone Armor 24 firmware (PriLauncher3QuickStep.apk) |
| 34a0236b5c7b47577be4501e2c18908916ef9ec22032a6ea41b0ecceaf4e8d8a | SHA256 hash | Keenadu-infected Ulefone Armor 24 firmware (PriLauncher3QuickStep.apk) |
| playstations[.]click | Domain name | C2 server for Keenadu backdoor |
| uscelluliar[.]com | Domain name | C2 server for Keenadu backdoor |
| gstatic2[.]com | Domain name | C2 server for Keenadu backdoor |
| glogstatic[.]com | Domain name | C2 server for Keenadu backdoor |
| ytimg2[.]com | Domain name | C2 server for Keenadu backdoor |
| gmsstatic[.]com | Domain name | C2 server for Keenadu backdoor |
| gsonx[.]com | Domain name | C2 server for Keenadu backdoor |
| keepgo123[.]com | Domain name | C2 server for Keenadu backdoor |
| sliidee[.]com | Domain name | C2 server for Keenadu backdoor |
| newsroomlabss[.]com | Domain name | C2 server for Keenadu backdoor |
| fbgraph[.]com | Domain name | C2 server for Keenadu backdoor |
| dllpgd[.]click | Domain name | C2 server for Keenadu backdoor |
| gvvt1[.]com | Domain name | C2 server for Keenadu backdoor |
| proczone[.]com | Domain name | C2 server for Keenadu backdoor |
| goaimb[.]com | Domain name | C2 server for Keenadu backdoor |
| aifacecloud[.]com | Domain name | C2 server for Keenadu backdoor |
| gbugreport[.]com | Domain name | C2 server for Keenadu backdoor |
| tmgstatic[.]com | Domain name | C2 server for Keenadu backdoor |
| fbsimg[.]com | Domain name | C2 server for Keenadu backdoor |
| launcher[.]szprize[.]cn | Domain name | C2 server for Keenadu backdoor |
| iboot[.]site | Domain name | C2 server for Keenadu backdoor |
| 67[.]198[.]232[.]187 | IP address | C2 server for Keenadu backdoor |
| 67[.]198[.]232[.]4 | IP address | C2 server for Keenadu backdoor |
| 110[.]34[.]191[.]82 | IP address | C2 server for Keenadu backdoor |
| 110[.]34[.]191[.]81 | IP address | C2 server for Keenadu backdoor |
Table 1: Indicators for this threat
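As an added example (not part of the Sophos advisory or its tooling), the script below shows one way to put Table 1 to work on the defender's side: it refangs the published indicators, matches them against DNS resolver log lines, and looks up the SHA256 of a launcher APK pulled from a device against the hash list. The indicator values are copied from the table (a subset of the domains, to keep the block short); the log line format (`client=... query=... answer=...`) and the sample log lines are constructed for illustration.

```python
"""Match Keenadu indicators from Table 1 against DNS log lines and APK hashes."""
import hashlib
import re
from typing import Optional

# Indicators copied from Table 1, defanged as published (subset of the domains).
DEFANGED_INDICATORS = {
    "playstations[.]click": "domain",
    "gstatic2[.]com": "domain",
    "tmgstatic [.]com": "domain",  # as printed in the table, with a stray space
    "launcher[.]szprize[.]cn": "domain",
    "67[.]198[.]232[.]187": "ip",
    "110[.]34[.]191[.]82": "ip",
}

# SHA256 hashes of trojanized launcher APKs from Table 1.
KNOWN_BAD_SHA256 = {
    "52db1f284a0dccbb750314cf765131a17a8284a2aeea04701a2b71f35fb9d9ee":
        "Keenadu-infected BLU Bold K50 firmware (PriLauncher3QuickStep.apk)",
    "ab6d744dccf4c6266474df4b8aa3be6ae5663dbee39c579a552a4cfa1c1d12fd":
        "Keenadu-infected Ulefone Armor 22 firmware (PriLauncher.apk)",
}


def refang(indicator: str) -> str:
    """Restore a defanged indicator ('[.]' -> '.'), dropping stray whitespace."""
    return indicator.replace(" ", "").replace("[.]", ".").lower()


def build_sets(defanged=DEFANGED_INDICATORS):
    """Split the indicator table into a refanged domain set and IP set."""
    domains = {refang(i) for i, kind in defanged.items() if kind == "domain"}
    ips = {refang(i) for i, kind in defanged.items() if kind == "ip"}
    return domains, ips


def host_matches(host: str, domains) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in sorted(domains):
        if host == d or host.endswith("." + d):
            return d
    return None


# Constructed log format (assumption): "<ts> client=<ip> query=<host> answer=<ip>"
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+answer=(?P<answer>\S+)")


def scan_dns_log(lines, defanged=DEFANGED_INDICATORS):
    """Return (client, matched_indicator) for each line that hits a domain or IP IoC."""
    domains, ips = build_sets(defanged)
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        d = host_matches(m["query"], domains)
        if d:
            hits.append((m["client"], d))
        elif m["answer"] in ips:
            hits.append((m["client"], m["answer"]))
    return hits


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of raw bytes (e.g. an APK read from /system/system_ext/priv-app)."""
    return hashlib.sha256(data).hexdigest()


def lookup_apk_hash(data: bytes, known=KNOWN_BAD_SHA256) -> Optional[str]:
    """Return the Table 1 context string if the APK bytes hash to a known-bad value."""
    return known.get(sha256_hex(data))


# Constructed sample DNS log lines (not real telemetry).
SAMPLE_LOG = [
    "2026-03-01T10:00:01Z client=10.0.0.5 query=www.example.com answer=93.184.216.34",
    "2026-03-01T10:00:02Z client=10.0.0.7 query=gstatic2.com answer=67.198.232.187",
    "2026-03-01T10:00:03Z client=10.0.0.9 query=api.launcher.szprize.cn answer=203.0.113.10",
    "2026-03-01T10:00:04Z client=10.0.0.11 query=cdn.example.net answer=110.34.191.82",
    "2026-03-01T10:00:05Z client=10.0.0.12 query=notgstatic2.com answer=198.51.100.1",
]

if __name__ == "__main__":
    for client, indicator in scan_dns_log(SAMPLE_LOG):
        print(f"{client} contacted Keenadu indicator {indicator}")
```

The subdomain check deliberately requires a dot boundary, so `notgstatic2.com` does not match `gstatic2.com`, while `api.launcher.szprize.cn` does match `launcher.szprize.cn`. The fourth sample line is caught on the answer IP alone, which is the case the table's note about reallocated IP addresses warns about: treat an IP-only hit as lower confidence than a domain hit.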