Keenadu Android Malware: A Stealthy Threat Embedded in Firmware and Apps
A sophisticated Android backdoor, dubbed Keenadu, has emerged, infiltrating device firmware during the build process and propagating through applications available on Google Play. This malware grants attackers remote control over compromised smartphones and tablets, posing significant security risks to users worldwide.
Infection Mechanism and Technical Details
Keenadu’s infiltration begins at the firmware compilation stage, where a malicious static library, identified as libVndxUtils.a (MD5: ca98ae7ab25ce144927a46b7fee6bd21), is embedded into the libandroid_runtime.so file. Upon deployment, often via over-the-air (OTA) updates, this library decrypts payloads using the RC4 algorithm and loads them into the device’s Dalvik cache directory (/data/dalvik-cache/) through DexClassLoader. This process establishes a client-server architecture within the device, with AKClient operating within applications and AKServer within the system_server process.
The dropper component within libandroid_runtime.so modifies the println_native method to invoke __log_check_tag_count, which decrypts and executes the com.ak.test.Main class. To evade detection, Keenadu is programmed to avoid interfering with applications from Google, Sprint, and T-Mobile, as well as specific kill switches. It utilizes binder inter-process communication (IPC) mechanisms to control various processes within the device.
AKServer broadcasts interfaces that manage permission grants and revocations, geolocation data, and the exfiltration of sensitive information. Meanwhile, the MainWorker component queries command-and-control (C2) servers, with addresses decrypted using AES-128 encryption. The decryption keys are derived from the MD5 hash of the string ota.host.ba60d29da7fd4794b5c5f732916f7d5c.
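Two of the mechanics above are simple enough to reproduce for triage: RC4 is a symmetric stream cipher, so a candidate key can be checked by decrypting only the first bytes of a blob and looking for the DEX header that a DexClassLoader-loaded payload must carry, and an AES-128 key that is "the MD5 of a string" is just the 16-byte MD5 digest. The following Python is an added example, not code from the Kaspersky report or from the malware; the RC4 key, candidate list and encrypted blob are constructed here for the demonstration (the real payload keys are not on the page), and because the AES mode and IV handling are not described, only the key derivation step is shown.

```python
import hashlib
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Encrypt and decrypt are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_dex(data: bytes) -> bool:
    """True when the bytes start with a DEX magic: b'dex\\n' + 3-digit version + NUL."""
    return (len(data) >= 8 and data[:4] == b"dex\n"
            and data[4:7].isdigit() and data[7] == 0)


def find_rc4_key(blob: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Try each candidate key against an encrypted blob and return the first one whose
    output carries a DEX header. Only the first 8 bytes need decrypting, because RC4's
    keystream prefix does not depend on the rest of the input."""
    head = blob[:8]
    for key in candidates:
        if looks_like_dex(rc4(key, head)):
            return key
    return None


def derive_aes128_key(seed: str) -> bytes:
    """Per the page, Keenadu's C2 address keys are the MD5 of a seed string; an MD5 digest
    is exactly the 16 bytes an AES-128 key needs."""
    return hashlib.md5(seed.encode()).digest()


# Constructed sample (not real malware data): a fake DEX with a valid magic and a dummy
# body, encrypted under a made-up key, plus a candidate list containing two wrong keys.
CONSTRUCTED_KEY = b"not-the-real-key"
CONSTRUCTED_DEX = b"dex\n035\0" + bytes(range(32))
ENCRYPTED_BLOB = rc4(CONSTRUCTED_KEY, CONSTRUCTED_DEX)
CANDIDATE_KEYS = [b"wrong-key-1", b"wrong-key-2", CONSTRUCTED_KEY]

if __name__ == "__main__":
    print("recovered RC4 key:", find_rc4_key(ENCRYPTED_BLOB, CANDIDATE_KEYS))
    print("AES-128 key from page seed:",
          derive_aes128_key("ota.host.ba60d29da7fd4794b5c5f732916f7d5c").hex())
```

Checking only the decrypted header keeps a key search cheap even over large blobs; once a key validates, the full decryption can be written out and handed to the usual DEX tooling.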
Payloads and Malicious Activities
Keenadu’s payloads are diverse and target various applications and services:
– Browser Hijacking: The malware monitors the URL bar in browsers like Chrome to hijack search queries, redirecting users to malicious sites or injecting unwanted advertisements.
– Launcher Manipulation: It tracks application sessions to install additional malicious software, often leading to further monetization schemes.
– Shopping App Exploitation: Keenadu targets popular shopping applications such as Amazon, SHEIN, and Temu, loading malicious APKs that can steal user credentials or financial information.
Some modules, like the Nova/Phantom clicker, employ machine learning and WebRTC technologies to commit ad fraud. Others embed themselves into facial recognition services (e.g., com.aiworks.faceidservice, MD5: d840a70f2610b78493c41b1a344b6893) or launcher applications. These payloads utilize DSA signatures, MD5 checks, and AES decryption to execute their malicious functions.
Supply Chain Compromise and Distribution
Evidence suggests that Keenadu’s infiltration is a result of supply chain compromises. Signed firmware from manufacturers like Alldocube, including models such as the iPlay 50 mini Pro T811M from August 2023, has been found to contain the backdoor. Developer artifacts, such as source paths like D:\work\git\zh\os\ak-client, indicate unauthorized modifications during the development process. Kaspersky’s telemetry data reveals that infections are not limited to Alldocube tablets but extend to other devices as well.
In addition to firmware infections, standalone applications on Google Play have been found to harbor Keenadu modules. For instance, a smart camera application with over 300,000 downloads and Xiaomi’s GetApps platform have been identified as carriers of the Nova clicker module, embedded via services like com.arcsoft.closeli.service.KucopdInitService. Upon notification, Google promptly removed these malicious applications from the Play Store.
Indicators of Compromise and Connections to Other Malware
Kaspersky has identified various indicators of compromise associated with Keenadu:
– MD5 Hashes:
– ca98ae7ab25ce144927a46b7fee6bd21: libVndxUtils.a malicious library
– 4c4ca7a2a25dbe15a4a39c11cfef2fb2: Keenadu loader module
– 912bc4f756f18049b241934f62bfb06c: Chrome hijacker
– f0184f6955479d631ea1b1ea0f38a35d: Nova/Phantom clicker
– Command-and-Control Servers:
– 67.198.232.4
– 67.198.232.187
– Domains:
– keepgo123.com
– gsonx.com
– C2 Endpoint:
– /ak/api/pts/v4
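The indicators above are most useful when they can be run against something: extracted firmware libraries (hash and string matches) and proxy or DNS logs (C2 hosts and the endpoint path). The Python below is an added example written for this page, not Kaspersky's tooling; it takes the MD5 hashes, hosts, domains, endpoint and implant strings from the text, and the proxy log lines it scans are constructed for the demonstration.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Tuple

# File-level indicators from the page (MD5).
KNOWN_MD5 = {
    "ca98ae7ab25ce144927a46b7fee6bd21": "libVndxUtils.a malicious library",
    "4c4ca7a2a25dbe15a4a39c11cfef2fb2": "Keenadu loader module",
    "912bc4f756f18049b241934f62bfb06c": "Chrome hijacker",
    "f0184f6955479d631ea1b1ea0f38a35d": "Nova/Phantom clicker",
    "d840a70f2610b78493c41b1a344b6893": "com.aiworks.faceidservice carrier",
}
# Strings the page ties to the implant. "ak-client" is only a developer path fragment,
# so treat a lone hit on it as a lead rather than a verdict.
STRING_INDICATORS = [b"libVndxUtils", b"__log_check_tag_count", b"com.ak.test.Main",
                     b"com/ak/test/Main", b"KucopdInitService", b"ak-client"]
# Network indicators from the page.
C2_IPS = {"67.198.232.4", "67.198.232.187"}
C2_DOMAINS = {"keepgo123.com", "gsonx.com", "zcnewy.com"}
C2_PATH = "/ak/api/pts/v4"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_bytes(data: bytes) -> Dict[str, object]:
    """Hash a file body against the known MD5 list and look for implant strings."""
    digest = hashlib.md5(data).hexdigest()
    return {
        "md5": digest,
        "md5_match": KNOWN_MD5.get(digest),
        "strings": [s.decode() for s in STRING_INDICATORS if s in data],
    }


def scan_file(path) -> Dict[str, object]:
    """Convenience wrapper for a file on disk (e.g. an extracted libandroid_runtime.so)."""
    result = scan_bytes(Path(path).read_bytes())
    result["path"] = str(path)
    return result


def match_network_line(line: str) -> List[str]:
    """Return the C2 indicators present in one log line: IPs, domains (subdomains count,
    look-alikes such as 'notkeepgo123.com' do not), then the endpoint path."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in C2_IPS:
            hits.append(f"ip:{ip}")
    lowered = line.lower()
    for domain in sorted(C2_DOMAINS):
        if re.search(r"(?<![a-z0-9-])" + re.escape(domain) + r"(?![a-z0-9-])", lowered):
            hits.append(f"domain:{domain}")
    if C2_PATH in line:
        hits.append(f"path:{C2_PATH}")
    return hits


def scan_log(lines) -> List[Tuple[int, List[str]]]:
    """Pair each matching line's index with its hits; clean lines are dropped."""
    out = []
    for i, line in enumerate(lines):
        hits = match_network_line(line)
        if hits:
            out.append((i, hits))
    return out


# Constructed proxy log (not real telemetry) for the demonstration.
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 -> 67.198.232.4 POST /ak/api/pts/v4 200",
    "2024-01-01T10:00:01Z 10.0.0.5 -> 142.250.0.1 GET / 200",
    "2024-01-01T10:00:02Z 10.0.0.7 -> api.keepgo123.com GET /cfg 200",
    "2024-01-01T10:00:03Z 10.0.0.7 -> notkeepgo123.com GET / 200",
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_PROXY_LOG):
        print(idx, hits)
```

A hash match is a definitive identification of a known sample; the string and network matches are triage signals that pick up repackaged or recompiled variants the hash list would miss, and deserve a manual look at the file or the connecting device.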
Keenadu shares code and infrastructure with other notorious malware families, including Triada, BADBOX, and the Vo1d botnets. These connections are evident through shared codebases, overlapping C2 domains (e.g., zcnewy[.]com), and similar payload delivery mechanisms. BADBOX has been observed deploying Keenadu loaders, while Triada shares credential-stealing functionalities.
Global Impact and Remediation
As of the latest reports, over 13,715 devices worldwide have been infected with Keenadu, with significant concentrations in Russia, Japan, Germany, and Brazil. To mitigate the risk posed by this malware, users are advised to:
– Update Firmware: If clean firmware versions are available from the device manufacturer, users should update their devices promptly.
– Disable Infected System Applications: Utilize Android Debug Bridge (ADB) commands to disable known infected system applications. For example:
```shell
# Run from a host over ADB. Plain `pm disable` needs root or system privileges; on an
# unrooted device `pm disable-user --user 0 <package>` disables the app for the primary user.
adb shell pm disable com.aiworks.faceidservice
```
– Uninstall Sideloaded Applications: Remove any applications installed from unofficial sources, as they may harbor malicious components.
– Exercise Caution: Avoid using the device for sensitive activities until it has been thoroughly cleaned and patched.
The emergence of Keenadu underscores the critical importance of supply chain security and the need for vigilance when installing applications, even from trusted sources like Google Play. Users are encouraged to stay informed about potential threats and to adopt best practices for device security to protect against such sophisticated malware.