Experts at the Russian company Kaspersky Lab have detected a massive supply chain compromise. Attackers embedded the Keenadu code into the operating systems of new Android devices, infecting the phones before they even reach consumers.
In early February, analysts identified over 13,000 infected gadgets. Nearly 9,000 of these cases hit the Russian market, while experts recorded the rest across Japan, Germany, Brazil, and the Netherlands.
Threat to Users
The creators originally designed this network of infected devices to inflate ad traffic for passive income.
However, the malware's functionality also allows it to seize full control of the operating system in order to steal cryptocurrency. Keenadu can modify installed applications and grant maximum access privileges to third-party APK files.
The program can also read banking details, private messages, and geolocation tags without the user noticing.
Infection Mechanics
Analysts discovered cases where the malware was integrated into the system utilities responsible for biometric face unlock.
Senior cybersecurity expert Dmitry Kalinin clarified that manufacturers might have been unaware of the compromise because the malware successfully disguised itself as legitimate system components.
Roman Safiullin, Head of Information Security at InfoWatch ARMA, described the primary infection scenarios. These vectors include compromising open-source databases used during firmware development.
Attackers are also actively targeting the update servers of local distributors.
Chinese Trace
The program contains built-in masking mechanisms that trigger based on the smartphone's regional settings.
The code refuses to run if it detects a Chinese dialect as the primary system language or if the time zone matches a Chinese region.
Nikolay Anisenya, Head of Development at PT MAZE, Positive Technologies, reminded users that when purchasing new equipment they cannot fully rely on the internal security checks of official marketplaces.
