Mobile threats linked to Keenadu backdoor

February 20, 2026

Zimperium has issued an advisory warning of a newly disclosed firmware-level Android backdoor, Keenadu, describing it as a significant mobile threat that embeds itself deep within device software, bypasses traditional mobile security controls and exposes organisations to persistent, high-risk compromise.

Unlike conventional mobile malware delivered through malicious apps, Keenadu reportedly integrates directly into device firmware and injects itself into the Android Zygote process, the parent process that launches all applications.

This level of access is said to enable the backdoor to operate within the context of every app on the device, circumventing sandbox protections, permission boundaries and traditional detection methods.

Because the compromise occurs at the firmware or supply chain level, devices can be infected before reaching end users or enterprises.

“A fundamental escalation in mobile threat”

Nico Chiaraviglio, Chief Scientist at Zimperium, said: “Firmware-level backdoors like Keenadu represent a fundamental escalation in mobile threat sophistication because they operate below the app layer where traditional security tools have limited visibility.

“When attackers gain persistence at the firmware level, they can silently monitor activity, manipulate applications and maintain long-term access to enterprise systems without requiring user interaction.

“This underscores why organisations must adopt on-device mobile threat detection capable of identifying abnormal behaviour regardless of where the threat originates.”

Harvesting credentials

Once active, Keenadu is said to function as a multi-stage loader capable of executing malicious payloads, intercepting application activity and enabling remote control of the infected device.

Observed payloads are said to include ad fraud modules, but the underlying backdoor mechanism provides the ability to conduct surveillance, harvest credentials and pivot into enterprise environments that rely on mobile devices for secure access.

According to the company, Zimperium’s Mobile Threat Defence (MTD) and runtime protection capabilities provide high zero-day coverage against Keenadu-associated samples.

Zimperium telemetry has reportedly already confirmed detection of multiple Keenadu-related samples across affected devices, reinforcing the need for continuous, behaviour-based protection that operates directly on the device.

A critical shift in mobile risk

The emergence of Keenadu is said to highlight a critical shift in mobile risk, where threats increasingly target firmware and supply chain components rather than relying solely on malicious apps or user interaction.

The company states that devices compromised at this level can serve as persistent entry points into enterprise environments, enabling attackers to bypass traditional controls and maintain long-term access.

Zimperium recommends organisations strengthen mobile security strategies by deploying on-device mobile threat detection, validating device integrity and ensuring continuous monitoring of mobile endpoints.
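One concrete form of the device-integrity validation recommended above, tied to the Zygote-injection mechanism described earlier: an added example (not Zimperium's code, and not a description of how Keenadu is actually implemented) that audits the shared objects mapped into the Zygote process against a known-good baseline captured from a clean device of the same build. It assumes the caller has already pulled `/proc/<zygote pid>/maps` from the device (which needs root on the device) and has a baseline set of library paths; the maps lines and baseline below are constructed sample data.

```python
"""Audit the .so files mapped into Zygote against a known-good baseline."""
import re
from typing import Iterable

# Partitions where Android's own native code lives. A firmware-level implant
# can live here too, so partition alone is not a verdict; the baseline diff is.
TRUSTED_PREFIXES = ("/system/", "/system_ext/", "/apex/", "/vendor/",
                    "/product/", "/odm/")

# /proc/<pid>/maps: "start-end perms offset dev inode [pathname]"
_MAPS_RE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s*(.*)$")


def mapped_libraries(maps_lines: Iterable[str]) -> set[str]:
    """Return the distinct file-backed .so paths found in maps output."""
    libs: set[str] = set()
    for line in maps_lines:
        match = _MAPS_RE.match(line.strip())
        if match and match.group(1).endswith(".so"):
            libs.add(match.group(1))
    return libs


def audit_zygote(maps_lines: Iterable[str], baseline: Iterable[str]):
    """Return (libs outside trusted partitions, libs absent from baseline).

    The second list is the important one for a firmware-level implant: a
    library planted inside /system passes the partition check but not the
    comparison against a clean image of the same build fingerprint.
    """
    libs = mapped_libraries(maps_lines)
    outside = sorted(p for p in libs if not p.startswith(TRUSTED_PREFIXES))
    unexpected = sorted(libs - set(baseline))
    return outside, unexpected


# Constructed sample: a clean baseline plus two hypothetical extra libraries.
BASELINE = {"/system/lib64/libc.so", "/system/lib64/libandroid_runtime.so",
            "/apex/com.android.art/lib64/libart.so"}
SAMPLE_MAPS = """\
7f00000000-7f00020000 r--p 00000000 fd:00 1001 /system/lib64/libc.so
7f00020000-7f00080000 r-xp 00020000 fd:00 1001 /system/lib64/libc.so
7f00100000-7f00140000 r--p 00000000 fd:00 1002 /system/lib64/libandroid_runtime.so
7f00200000-7f00210000 r--p 00000000 fd:00 1003 /apex/com.android.art/lib64/libart.so
7f00300000-7f00310000 rw-p 00000000 00:00 0
7f00400000-7f00410000 rw-p 00000000 00:00 0 [anon:dalvik-main space]
7f00500000-7f00520000 r-xp 00000000 fd:00 2047 /system/lib64/libplanted.so
7f00600000-7f00610000 r-xp 00000000 fd:03 3099 /data/local/tmp/libhook.so
"""

if __name__ == "__main__":
    print(audit_zygote(SAMPLE_MAPS.splitlines(), BASELINE))
```

On a real device the baseline must come from a verified clean image of the identical build fingerprint, otherwise legitimate vendor differences show up as findings.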

As mobile devices continue to serve as primary access points to enterprise systems, runtime protection and real-time threat intelligence are said to be essential to defending against advanced threats that operate deep within the mobile stack.

Security Journal UK
