
Android devices ship with firmware-level malware

Sophos researchers have identified the Keenadu backdoor embedded in the firmware of multiple low-cost Android devices. The implant is linked into a core shared object that the Zygote process loads at boot, so it is present in every application process forked from Zygote. From there it downloads second-stage modules for ad fraud and, on BYOD devices, can reach credentials held by corporate apps.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-03-19 · reports

Authors: Sophos Counter Threat Unit Research Team

Actors: Keenadu backdoor

Source: Sophos


Key Takeaways

  • The Keenadu backdoor is embedded in the firmware of low-cost Android devices during the build phase via a supply chain compromise.
  • The malware is linked into the core libandroid_runtime.so, which Zygote loads at boot; every app process is forked from Zygote, so the implant runs inside every installed application with that app's permissions and access to its data.
  • Keenadu acts as a downloader for second-stage modules, primarily 'clickers' that perform invisible ad fraud on popular apps like YouTube, Facebook, and Amazon.
  • Over 500 unique devices across 50 models from manufacturers like BLU, Ulefone, and DOOGEE have been identified globally.
  • Infected BYOD devices pose a significant risk to corporate networks, potentially exposing credentials stored in apps.

Affected Systems

  • Android OS
  • Low-cost Android devices (Allview, BLU, Dcode, DOOGEE, Gigaset, Gionee, Lava, Ulefone, Alldocube)

Attack Chain

The chain starts with a supply chain compromise: the Keenadu code is built into the firmware of low-cost Android devices during the build phase. It ships as a static library (libVndxUtils.a, masquerading as MediaTek vendor code) that is linked into the core libandroid_runtime.so. Zygote loads libandroid_runtime.so when the device boots, and every application process (as well as system_server) is forked from Zygote, so the implant is present in the address space of every app on the device without any runtime injection step; in each app it runs under that app's UID and permissions. From this position Keenadu contacts its C2 servers and downloads second-stage modules, primarily 'clickers' that perform invisible ad fraud against popular apps such as YouTube, Facebook and Amazon. Because the library is part of the system image, an APK or app-store scan does not see it and a factory reset does not remove it; the trojanized PriLauncher.apk and PriLauncher3QuickStep.apk files listed under IOCs are the on-disk artifacts the report identifies alongside it.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Sophos Intercept X

Sophos detects this threat as Andr/Bckdr-SBS with its endpoint agent. The article provides no raw detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: Medium. Mobile EDR/MDM solutions can detect the trojanized launcher APKs and the C2 traffic, but a firmware-level implant cannot be fully inspected or removed by an agent; remediation requires a clean vendor firmware image.
  • Network Visibility: High. The malware depends on DNS resolution and HTTP/HTTPS traffic to multiple hardcoded C2 domains to fetch second-stage modules and perform ad fraud, so resolver and flow logs see it.
  • Detection Difficulty: Hard. Embedded in the firmware and present in every Zygote-forked process, the implant runs with system-level privileges and its traffic appears to originate from legitimate app processes.

Required Log Sources

  • DNS Query Logs
  • Network Flow Logs
  • Mobile Device Management (MDM) Logs

Hunting Hypotheses

  • Hypothesis: Look for unexpected DNS queries or network connections to known Keenadu C2 domains originating from mobile device subnets or BYOD networks.
    • Telemetry: DNS Query Logs, Network Flow Logs
    • ATT&CK Stage: Command and Control
    • FP Risk: Low
  • Hypothesis: Monitor MDM telemetry for the presence of trojanized system APKs like PriLauncher.apk or PriLauncher3QuickStep.apk with mismatched hashes.
    • Telemetry: MDM Application Inventory Logs
    • ATT&CK Stage: Persistence
    • FP Risk: Medium
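Both hypotheses above can be run as code against exported logs. The following is an added example for this page, not Sophos code: it matches resolver log lines against the report's domain and IP indicators and checks an MDM application inventory against the published launcher hashes. The domain, IP and hash indicators are copied from the IOC list; the log line format, the inventory record layout and the idea of a vendor known-good hash baseline are assumptions, and the sample log lines and inventory records are constructed.

```python
"""Hunt for Keenadu indicators in DNS query logs and an MDM app inventory.

Added example for this page, not Sophos code. Domain, IP and hash indicators
are copied from the IOC list in the report; the log line format, the
inventory record layout and the known-good launcher hashes are assumptions.
"""
import re

# Refanged domain IOCs, plus the two typo-squatted domains named under
# Key Behavioral Indicators.
KEENADU_DOMAINS = {
    "glogstatic.com", "ytimg2.com", "gmsstatic.com", "gsonx.com",
    "keepgo123.com", "sliidee.com", "newsroomlabss.com", "fbgraph.com",
    "dllpgd.click", "gvvt1.com", "proczone.com", "goaimb.com",
    "aifacecloud.com", "gbugreport.com", "tmgstatic.com", "fbsimg.com",
    "launcher.szprize.cn", "iboot.site", "uscelluliar.com", "gstatic2.com",
}
KEENADU_IPS = {"67.198.232.4", "110.34.191.81"}

# Known-bad launcher APK hashes from the report. Bold K50 and Armor 24 were
# published with MD5 only, so those two are weaker evidence than a SHA-256 hit.
KEENADU_APK_HASHES = {
    "cdf1d41d732ba882184060933bec2c1f4b8eefc081c06471132a690f2205da31": "BLU G84 PriLauncher3QuickStep.apk",
    "ab6d744dccf4c6266474df4b8aa3be6ae5663dbee39c579a552a4cfa1c1d12fd": "Ulefone Armor 22 PriLauncher.apk",
    "da1c7f53add0abaa8a49b773e5cea9c9171799f644ec24e366aaf7ce29962a11": "Ulefone Armor X13 PriLauncher.apk",
    "11eaf02f41b9c93e9b3189aa39059419": "BLU Bold K50 PriLauncher3QuickStep.apk (MD5)",
    "b80b39ed95d54c8c1bf12e35f92e23cc": "Ulefone Armor 24 PriLauncher3QuickStep.apk (MD5)",
}
LAUNCHER_RE = re.compile(r"/PriLauncher(3QuickStep)?\.apk$")


def match_domain(qname, iocs=KEENADU_DOMAINS):
    """Return the IOC that qname equals or sits under, else None.

    Label-aware on purpose: i.ytimg.com must not match ytimg2.com and
    gstatic.com must not match gstatic2.com, which substring tests get wrong.
    """
    name = qname.rstrip(".").lower()
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def hunt_dns(lines):
    """Scan lines of the assumed form '<ts> <client> <qname> <qtype> <rcode> <answer>'.

    A query for a C2 name counts even when it returns NXDOMAIN: the lookup
    itself is the infection signal, and dead or sinkholed C2 is common.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        ts, client, qname, _qtype, rcode, answer = parts[:6]
        ioc = match_domain(qname)
        if ioc:
            hits.append({"ts": ts, "client": client, "ioc": ioc, "rcode": rcode,
                         "why": "query for Keenadu C2 domain"})
        elif answer in KEENADU_IPS:
            hits.append({"ts": ts, "client": client, "ioc": answer, "rcode": rcode,
                         "why": "resolved to Keenadu C2 IP"})
    return hits


def hunt_inventory(records, known_good=frozenset()):
    """Flag launcher APKs in an MDM inventory (records: device, model, path, sha256).

    known_good holds SHA-256 hashes of PriLauncher builds taken from clean vendor
    images (assumed; the report publishes no clean hashes). A launcher that is
    neither a known sample nor in the baseline is queued for review.
    """
    findings = []
    for rec in records:
        h = rec["sha256"].lower()
        if h in KEENADU_APK_HASHES:
            findings.append((rec["device"], "known Keenadu sample: " + KEENADU_APK_HASHES[h]))
        elif LAUNCHER_RE.search(rec["path"]) and h not in known_good:
            findings.append((rec["device"], "launcher not in vendor baseline: " + rec["path"]))
    return findings


# Constructed sample data: private client addresses, RFC 5737 test addresses
# for benign answers, and the two C2 IPs from the report.
SAMPLE_DNS = """\
2026-03-20T08:14:02Z 10.50.3.17 api.glogstatic.com A NOERROR 67.198.232.4
2026-03-20T08:14:09Z 10.50.3.22 i.ytimg.com A NOERROR 203.0.113.11
2026-03-20T08:14:11Z 10.50.3.22 ytimg2.com A NOERROR 110.34.191.81
2026-03-20T08:14:20Z 10.50.3.40 iboot.site A NXDOMAIN -
2026-03-20T08:14:31Z 10.50.3.41 gstatic.com A NOERROR 203.0.113.12
2026-03-20T08:14:40Z 10.50.3.41 notglogstatic.com A NOERROR 203.0.113.13
2026-03-20T08:14:45Z 10.50.3.52 update.example.net A NOERROR 110.34.191.81
""".splitlines()

SAMPLE_INVENTORY = [
    {"device": "dev-001", "model": "Ulefone Armor 22",
     "path": "/system/system_ext/priv-app/PriLauncher/PriLauncher.apk",
     "sha256": "ab6d744dccf4c6266474df4b8aa3be6ae5663dbee39c579a552a4cfa1c1d12fd"},
    {"device": "dev-002", "model": "Ulefone Armor 24",
     "path": "/system/system_ext/priv-app/PriLauncher3QuickStep/PriLauncher3QuickStep.apk",
     "sha256": "0" * 64},
    {"device": "dev-003", "model": "OtherVendor X1",
     "path": "/system_ext/priv-app/Launcher/Launcher.apk", "sha256": "1" * 64},
]

if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_DNS):
        print(hit)
    for finding in hunt_inventory(SAMPLE_INVENTORY):
        print(finding)
```

Two details matter in practice. The domain check must respect label boundaries, because the Keenadu names are lookalikes of legitimate Google and Facebook hostnames (ytimg2.com versus i.ytimg.com, gstatic2.com versus gstatic.com); a naive substring match would either miss subdomains of the C2 names or flood the queue with legitimate traffic. And a hash-mismatch hypothesis needs a baseline: without clean hashes from the vendor's own image, the best the inventory check can do is separate known-bad samples from launchers that still need manual review.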

Control Gaps

  • BYOD Network Segmentation
  • Mobile Firmware Integrity Monitoring

Key Behavioral Indicators

  • Connections to typo-squatted domains that imitate Google and Facebook infrastructure (e.g., uscelluliar[.]com, gstatic2[.]com)
  • Sustained background web traffic attributed to apps such as YouTube or Facebook while the device is idle, consistent with clicker module activity

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known Keenadu C2 domains and IP addresses at the corporate firewall and DNS resolvers.
  • Restrict identified affected low-cost Android models from accessing corporate networks or sensitive data.
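One concrete way to carry out the first mitigation at the resolver is a Response Policy Zone (RPZ). The block below is an added example for this page, not Sophos code: it turns the defanged domain and IP entries from the IOC list into an RPZ zone file that returns NXDOMAIN for the C2 names and their subdomains and blocks answers that point at the C2 IPs. The zone name, SOA values and serial are assumptions; the indicators are the report's.

```python
"""Build a Response Policy Zone (RPZ) that blocks the Keenadu C2 domains and IPs.

Added example for this page, not Sophos code. Indicators are the defanged
entries from the IOC list; the zone name, SOA values and serial are assumptions.
Load the output as a response-policy zone in BIND or any resolver that accepts
the RPZ format.
"""
import ipaddress

# Defanged exactly as published in the report's IOC list.
DEFANGED_DOMAINS = [
    "glogstatic[.]com", "ytimg2[.]com", "gmsstatic[.]com", "gsonx[.]com",
    "keepgo123[.]com", "sliidee[.]com", "newsroomlabss[.]com", "fbgraph[.]com",
    "dllpgd[.]click", "gvvt1[.]com", "proczone[.]com", "goaimb[.]com",
    "aifacecloud[.]com", "gbugreport[.]com", "tmgstatic[.]com", "fbsimg[.]com",
    "launcher[.]szprize[.]cn", "iboot[.]site",
]
DEFANGED_IPS = ["67[.]198[.]232[.]4", "110[.]34[.]191[.]81"]


def refang(indicator):
    """Turn a defanged indicator back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def rpz_ip_trigger(ip, prefix=32):
    """RPZ response-IP trigger: '<prefixlen>.<reversed octets>.rpz-ip' (IPv4)."""
    addr = ipaddress.ip_address(ip)
    return f"{prefix}." + ".".join(reversed(str(addr).split("."))) + ".rpz-ip"


def build_rpz(domains, ips, zone="keenadu.rpz", serial=2026032001, ttl=300):
    """Return RPZ zone text.

    Each domain gets an exact rule and a wildcard rule so subdomains such as
    api.glogstatic.com are blocked too; 'CNAME .' is the RPZ action for NXDOMAIN.
    """
    names = sorted({refang(d) for d in domains})
    # Drop names already covered by a listed parent so the zone stays minimal.
    names = [n for n in names if not any(n.endswith("." + p) for p in names if p != n)]
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA {zone}. hostmaster.{zone}. ({serial} 3600 900 604800 {ttl})",
        "@ IN NS localhost.",
    ]
    for n in names:
        lines.append(f"{n} CNAME .")
        lines.append(f"*.{n} CNAME .")
    for ip in sorted({refang(i) for i in ips}, key=ipaddress.ip_address):
        lines.append(f"{rpz_ip_trigger(ip)} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz(DEFANGED_DOMAINS, DEFANGED_IPS), end="")
```

The IP triggers catch the case where the operators rotate to a new hostname that still resolves to a known C2 address. Resolver blocking only covers devices that actually use the corporate resolver: a BYOD phone on cellular data, or one configured with Android's private DNS or another encrypted resolver, bypasses it entirely, so treat the RPZ as containment and a detection source, not as remediation of the device.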

Infrastructure Hardening

  • Implement strict network segmentation for BYOD devices, isolating them from critical corporate infrastructure.
  • Enforce Zero Trust Network Access (ZTNA) policies requiring device health checks before granting access.

User Protection

  • Deploy Mobile Threat Defense (MTD) or MDM solutions to scan for malicious APKs and enforce compliance.
  • Prompt users of affected devices to install updated firmware from the vendor as soon as it becomes available; a factory reset does not help, because the implant lives in the system image rather than in user data.

Security Awareness

  • Educate employees on the risks of using low-cost, unverified Android devices for accessing corporate resources.
  • Advise users on the signs of ad fraud malware, such as unexplained battery drain or high data usage.

MITRE ATT&CK Mapping

  • T1474 - Supply Chain Compromise (Mobile ATT&CK; the page listed T1629, which is Impair Defenses)
  • Modify OS Components (the page listed T1624, which in Mobile ATT&CK is Event Triggered Execution; confirm the intended technique ID before using it in detection content)
  • T1055 - Process Injection (Enterprise; T1631 in Mobile ATT&CK)
  • T1105 - Ingress Tool Transfer (Enterprise; T1544 in Mobile ATT&CK)

Additional IOCs

  • IPs:
    • 67[.]198[.]232[.]4 - C2 server for Keenadu backdoor
    • 110[.]34[.]191[.]81 - C2 server for Keenadu backdoor
  • Domains:
    • glogstatic[.]com - C2 server for Keenadu backdoor
    • ytimg2[.]com - C2 server for Keenadu backdoor
    • gmsstatic[.]com - C2 server for Keenadu backdoor
    • gsonx[.]com - C2 server for Keenadu backdoor
    • keepgo123[.]com - C2 server for Keenadu backdoor
    • sliidee[.]com - C2 server for Keenadu backdoor
    • newsroomlabss[.]com - C2 server for Keenadu backdoor
    • fbgraph[.]com - C2 server for Keenadu backdoor
    • dllpgd[.]click - C2 server for Keenadu backdoor
    • gvvt1[.]com - C2 server for Keenadu backdoor
    • proczone[.]com - C2 server for Keenadu backdoor
    • goaimb[.]com - C2 server for Keenadu backdoor
    • aifacecloud[.]com - C2 server for Keenadu backdoor
    • gbugreport[.]com - C2 server for Keenadu backdoor
    • tmgstatic[.]com - C2 server for Keenadu backdoor
    • fbsimg[.]com - C2 server for Keenadu backdoor
    • launcher[.]szprize[.]cn - C2 server for Keenadu backdoor
    • iboot[.]site - C2 server for Keenadu backdoor
  • File Hashes:
    • 11eaf02f41b9c93e9b3189aa39059419 (MD5) - Keenadu-infected BLU Bold K50 firmware (PriLauncher3QuickStep.apk)
    • 7db58b72a3493a86e847c3685eca74c690d50b55 (SHA1) - Keenadu-infected BLU Bold K50 firmware (PriLauncher3QuickStep.apk)
    • 3c03168c98ad6111c3aa0a960f8b7eea (MD5) - Keenadu-infected BLU G84 firmware (PriLauncher3QuickStep.apk)
    • dcf2b51bfc43494bb27f5da26f3f706ca878d17e (SHA1) - Keenadu-infected BLU G84 firmware (PriLauncher3QuickStep.apk)
    • cdf1d41d732ba882184060933bec2c1f4b8eefc081c06471132a690f2205da31 (SHA256) - Keenadu-infected BLU G84 firmware (PriLauncher3QuickStep.apk)
    • cb0d514d86ddfaf4345d25cef064863b (MD5) - Keenadu-infected Ulefone Armor 22 firmware (PriLauncher.apk)
    • b73c94e56932f607108ec1efb74004c763a9e42b (SHA1) - Keenadu-infected Ulefone Armor 22 firmware (PriLauncher.apk)
    • ab6d744dccf4c6266474df4b8aa3be6ae5663dbee39c579a552a4cfa1c1d12fd (SHA256) - Keenadu-infected Ulefone Armor 22 firmware (PriLauncher.apk)
    • cd619b4e1e793f96eca877616a741bc1 (MD5) - Keenadu-infected Ulefone Armor X13 firmware (PriLauncher.apk)
    • c33b025bac789d3742278f784377fc36f83fd1ff (SHA1) - Keenadu-infected Ulefone Armor X13 firmware (PriLauncher.apk)
    • da1c7f53add0abaa8a49b773e5cea9c9171799f644ec24e366aaf7ce29962a11 (SHA256) - Keenadu-infected Ulefone Armor X13 firmware (PriLauncher.apk)
    • b80b39ed95d54c8c1bf12e35f92e23cc (MD5) - Keenadu-infected Ulefone Armor 24 firmware (PriLauncher3QuickStep.apk)
    • 7eb32a90d556bb9954707014843a67f7039ea7f1 (SHA1) - Keenadu-infected Ulefone Armor 24 firmware (PriLauncher3QuickStep.apk)
  • File Paths:
    • /system/system_ext/priv-app/PriLauncher3QuickStep/PriLauncher3QuickStep.apk - System-level directory containing the trojanized QuickStep launcher
  • Other:
    • libandroid_runtime.so - Shared object library infected by Keenadu to inject into the Zygote process
    • libVndxUtils.a - Static library containing the Keenadu code, masquerading as legitimate MediaTek code
    • PriLauncher.apk - Trojanized system-level APK file
    • PriLauncher3QuickStep.apk - Trojanized system-level APK file