New Malware Keenadu Found in Android Firmware
In a recent investigation by Kaspersky, a new Android backdoor named Keenadu has been identified that compromises the firmware of numerous Android devices from various brands. Like the earlier Triada backdoor, Keenadu embeds itself into the firmware and can infect any app launched on the device through the Zygote process, since every app process is forked from Zygote and inherits the modified runtime. This gives attackers almost unrestricted control, enabling extensive malicious actions including exfiltration of sensitive information and ad fraud.
Keenadu was integrated into the firmware during the build phase by linking a malicious static library to libandroid_runtime.so, affecting the system services and applications on the devices. After activation, it can hijack app functions, steal user data, and leverage permissions without user consent. Specific payloads have been observed that interact with ad elements and can manipulate search queries in browsers like Google Chrome. The backdoor also connects to several botnets, including Triada and BADBOX, indicating a broader network of malware targeting Android devices.
The emergence of this malware is alarming because it represents a significant threat to Android security, effectively undermining the core safety mechanisms designed to protect user data and application integrity. With approximately 13,715 users worldwide affected, including a notable presence in Russia, Japan, and Germany, the potential for data theft and fraud is substantial.
For defenders, it is crucial to update devices and monitor for any signs of infection to mitigate risk. Keenadu's capacity for sophisticated attacks, including its role in various ad fraud incidents, underscores the necessity for robust security practices in mobile device management.
Indicators of Compromise (IOCs):
- C2 Servers: 67.198.232[.]4, 67.198.232[.]187
- Domains: keepgo123[.]com, gsonx[.]com
- Malicious Libraries:
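As an added example (not from Kaspersky's report), the following Python triage check refangs the C2 indicators listed above and matches them against a constructed sample of DNS and connection log lines; the log format and device identifiers are assumptions, and exact IP comparison is used deliberately so that a near-miss address such as 67.198.232.40 does not match the listed 67.198.232.4.

```python
import ipaddress

# IoCs as published on this page, kept defanged ("[.]") until matching time.
DEFANGED_C2_IPS = ["67.198.232[.]4", "67.198.232[.]187"]
DEFANGED_C2_DOMAINS = ["keepgo123[.]com", "gsonx[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form for comparison."""
    return indicator.replace("[.]", ".").strip().lower()


C2_IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_C2_IPS}
C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}

# Constructed sample export; hypothetical format: "<timestamp> <device-id> <dns|conn> <value>"
SAMPLE_LOG = """\
2024-06-01T10:00:01Z dev-01 dns cdn.example.com
2024-06-01T10:00:02Z dev-01 dns ads.gsonx.com
2024-06-01T10:00:03Z dev-02 conn 67.198.232.187:443
2024-06-01T10:00:04Z dev-02 conn 10.0.0.5:443
2024-06-01T10:00:05Z dev-03 dns keepgo123.com
2024-06-01T10:00:06Z dev-03 conn 67.198.232.40:80
"""


def domain_matches(name: str) -> bool:
    """Match the domain itself or any subdomain of a listed C2 domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def ip_matches(host: str) -> bool:
    """Exact address comparison; a substring check would wrongly hit 67.198.232.40."""
    try:
        return ipaddress.ip_address(host) in C2_IPS
    except ValueError:
        return False


def find_keenadu_hits(log_text: str) -> list:
    """Return (timestamp, device, matched value) for each line touching a listed C2 IoC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the whole scan
        ts, device, kind, value = parts
        if kind == "dns" and domain_matches(value):
            hits.append((ts, device, value))
        elif kind == "conn" and ip_matches(value.rsplit(":", 1)[0]):
            hits.append((ts, device, value.rsplit(":", 1)[0]))
    return hits
```

A hit from any device is a reason to pull that device's firmware build for inspection, since the backdoor lives in libandroid_runtime.so rather than in a removable app.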