Rapid Response: Zimperium's Zero Day Coverage of Keenadu — A Firmware-Level Android Backdoor That Escapes Traditional Defenses
ID: 70996f8d-8a05-5257-a09e-7cd76fdebf01
STIX ID: report--70996f8d-8a05-5257-a09e-7cd76fdebf01
Feed Name: Zimperium Blog
Keenadu is a firmware-level Android backdoor discovered by Securelist that embeds itself in a core shared library and injects into the Zygote process, giving it system-wide persistence and control across all apps. It is delivered through compromised firmware images or OTA updates and operates as a multi-stage loader, used for ad-fraud modules but capable of full remote control, credential harvesting, and lateral movement. The report links Keenadu to other Android botnets and emphasizes supply-chain risks and the need for firmware integrity and runtime protection.
