The tablet conqueror and the links between major Android botnets

216.73.217.22

The tablet conqueror and the links between major Android botnets

· Published 17/02/2026 12:39 · Modified 17/02/2026 16:08

Essential information

Published: 17/02/2026 12:39
Modified: 17/02/2026 16:08
Tags: 2026-02-17 ad fraud android backdoor badbox botnets firmware keenadu nova supply chain attack triada vo1d
Related entities: 6 observables, 1 intrusion sets (apt), 2 techniques (mitre), 5 malware, 13 others

Description

A new Android backdoor called Keenadu has been discovered embedded in the firmware of several tablet brands. It infects the libandroid_runtime.so library during firmware building, injecting itself into every app launched on the device. Keenadu provides attackers unrestricted control over victims' devices, primarily for ad fraud purposes. The investigation revealed connections between Keenadu and other major Android botnets like Triada, BADBOX, and Vo1d. The malware was found in system apps, Google Play apps, and modified versions of popular apps. Over 13,000 users worldwide have been affected, with Russia, Japan, Germany, Brazil and the Netherlands seeing the highest number of infections.