Firmware-Level Malware: Uncovering the Keenadu Backdoor and Android Botnet Connections
Android botnets on the rise

Executive Summary
Attackers are moving below the application layer and compromising the operating system itself. Kaspersky's GReAT discovered a firmware-level backdoor, Keenadu, that resembles the Triada botnet but adds new evasion techniques. Keenadu ships embedded in counterfeit Android devices: a malicious library is linked into the core Android runtime, so the implant ends up inside every app on the device. From that position it can hijack search queries, monetize app installs, and potentially steal credentials without the user noticing. SecLookup's platform has identified and blocks the malicious domains linked to this campaign that are listed below.
Threat Analysis
The Keenadu backdoor represents a significant escalation in Android malware capabilities: the infection lives in the firmware rather than in an app. Code that runs inside the Android runtime itself is not confined by the per-app sandbox, and a factory reset does not touch the system partition, so the implant persists across reboots and resets.
Infection Vector and Persistence
The compromise happens during the firmware build. The actors add a malicious static library to the build, where it is linked into libandroid_runtime.so, the native library that backs the Android framework's JNI layer and starts the ART virtual machine in each process. Because the payload is part of a legitimately named system library rather than a separate file, there is no extra .so to spot on disk; detecting it requires comparing the library against a known-good build.
Once a device boots the compromised firmware, the payload loads into the Zygote process. Zygote is the parent of every Android application process (and of system_server): each new app is created by forking Zygote, so it inherits Zygote's address space. By running inside Zygote, Keenadu guarantees that a copy of the malicious code is present in every application on the device, regardless of where that application came from.
TTPs and MITRE ATT&CK Mapping
The TTPs employed by Keenadu map to the following techniques in the MITRE ATT&CK for Mobile matrix:
T1474.003 Supply Chain Compromise: Compromise Software Supply Chain. The malicious library is inserted during the firmware build, so it ships inside the system image. Because it sits on the read-only system partition rather than in user data, it survives reboots and factory resets, and any updates the device receives come from the same compromised supplier; only reflashing a clean image removes it.
T1625.001 Hijack Execution Flow: System Runtime API Hijacking. The payload is statically linked into libandroid_runtime.so rather than loaded through a search-order hijack, but the effect is the same: malicious code executes inside the trusted runtime with the runtime's privileges, and every process forked from Zygote inherits it.
T1623 Command and Scripting Interpreter (T1623.001 Unix Shell where the delivered payload is a shell script). Keenadu is a multi-stage loader: it fetches additional modules and commands from its Command and Control (C2) infrastructure and executes them, giving the operators remote control of the device.
T1660 Phishing. Firmware is the primary delivery vector, but the report notes that one payload was also found in standalone apps distributed via third-party stores, a path that typically relies on social engineering or compromised app repositories.
Payload Capabilities
Once active, Keenadu gives its operators control over every process on the device. The payloads are context-aware: the injected code checks which application it is running in and adapts its behaviour accordingly:
Browser Hijacking: Inside web browsers, Keenadu intercepts the user's search queries and redirects them to operator-controlled search engines, typically with affiliate parameters attached, so that every search generates revenue for the operators.
Monetization of App Installs: The malware observes when the user installs a new application and hijacks the install event so that the operators, rather than the legitimate referrer, are credited for it (install attribution fraud).
Ad Element Manipulation: The malware stealthily interacts with ad elements inside applications, which can be used to bypass ad-viewing requirements or to inject the operators' own ads, including ads that lead to further malware.
Indicators of Compromise (IOCs)
Security professionals must be vigilant regarding the infrastructure used by Keenadu. The following domains have been identified and confirmed as malicious by SecLookup’s telemetry.
dllpgd[.]click
playstations[.]click
Note: Additional IOCs, including C2 IP addresses and file hashes, may be published as the investigation into the firmware supply chain deepens. Until then, treat any DNS resolution of, or HTTP traffic to, these domains or their subdomains as a confirmed indicator.
SecLookup Detection
SecLookup is actively monitoring the threat landscape to ensure our users are protected against evolving firmware-level threats like Keenadu. Our threat intelligence platform has identified and is currently blocking the malicious domains listed above.
Recommendations
Given the sophistication of the Keenadu backdoor, traditional endpoint security measures may be insufficient: an on-device security app is itself forked from the compromised Zygote, so it shares an address space with the malware it is looking for. The following steps are recommended for security administrators and device owners:
Firmware Verification: For organizations managing fleets of Android devices, verify the authenticity of the firmware images in use. Source devices from reputable manufacturers, prefer Play Protect certified models, and confirm that Android Verified Boot is intact (adb shell getprop ro.boot.verifiedbootstate should report green with a locked bootloader). Caveat: Verified Boot only proves that the image matches what the signing vendor shipped; on a counterfeit device the vendor is the attacker, so additionally compare the hashes of system libraries such as libandroid_runtime.so against a reference build from the genuine OEM.
Zygote Process Monitoring: On devices where root or an engineering build is available, enumerate the executable mappings of the zygote64/zygote processes and of a sample of app processes (/proc/<pid>/maps) and hash every system library they map against the vendor's published build. Keenadu's code is linked into libandroid_runtime.so itself, so it does not show up as an additional library; only a hash or signature comparison catches it, while the mapping list catches cruder loaders that drop a separate .so.
App Whitelisting: Restrict the installation of applications to official app stores or enterprise-approved repositories. The report notes that one specific payload was found in standalone apps distributed via third-party sources.
Traffic Analysis: Monitor DNS and proxy logs for the malicious domains (playstations[.]click, dllpgd[.]click) and their subdomains, and for search traffic that does not match user intent, such as search queries being sent to a host other than the search engine the user configured.
Device Inventory and Patching: Maintain an accurate inventory of all Android endpoints. If a device is confirmed to be running compromised firmware, a factory reset is not sufficient, because the implant sits on the system partition. Reflash a signed image from the genuine OEM or, if no such image exists (the usual case for counterfeit hardware), retire the device.
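The following Python script is an added example for this page (not tooling from SecLookup or from the Securelist report) that implements the Zygote check above and follows from the Zygote-forking behaviour described under Infection Vector and Persistence. It parses a /proc/<pid>/maps listing collected over adb (root or an engineering build required), flags executable mappings a stock Zygote should not have, lists the file-backed libraries worth hashing, and compares observed hashes with a reference manifest. The trusted-partition list, the JIT allowlist, the sample maps excerpt and the hash values are assumptions constructed for the example; in a real check the reference hashes must come from the genuine OEM's build.

```python
"""Triage Zygote / app process memory maps and verify system-library hashes.

Added example for this page, not code from SecLookup or the Securelist report.
Input is the text of /proc/<pid>/maps for zygote64 (or any app process),
collected for instance with
    adb shell su -c 'cat /proc/$(pidof -s zygote64)/maps'
which needs root or an engineering build. SAMPLE_MAPS and the hash tables
below are constructed for the example; the hashes are placeholders.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Partitions Android mounts read-only under dm-verity / Verified Boot (assumption:
# extend if your OEM uses additional verified partitions).
TRUSTED_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/",
                    "/odm/", "/apex/")
# Executable regions ART creates legitimately (the JIT code cache).
ANON_EXEC_ALLOWLIST = ("/memfd:jit-cache", "[anon:dalvik-jit-code-cache]")

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*"
    r"(?P<path>.*)$")

# Constructed /proc/<pid>/maps excerpt for a zygote64 process (not a real capture).
SAMPLE_MAPS = """\
7a1c000000-7a1c2e0000 r-xp 00000000 fd:00 1817   /system/lib64/libandroid_runtime.so
7a1c2e0000-7a1c300000 r--p 002e0000 fd:00 1817   /system/lib64/libandroid_runtime.so
7a1d000000-7a1d600000 r-xp 00000000 fd:00 2044   /apex/com.android.art/lib64/libart.so
7a1e000000-7a1e040000 r-xp 00000000 00:05 3011   /memfd:jit-cache (deleted)
7a1f000000-7a1f010000 r-xp 00000000 fd:01 9120   /data/local/tmp/libhelper.so
7a20000000-7a20001000 rwxp 00000000 00:00 0
"""

# Placeholder hashes: REFERENCE comes from the OEM build manifest, OBSERVED from
# sha256_of() on files pulled from the device. libandroid_runtime.so differs.
REFERENCE_HASHES = {"/system/lib64/libandroid_runtime.so": "0" * 64,
                    "/apex/com.android.art/lib64/libart.so": "1" * 64}
OBSERVED_HASHES = {"/system/lib64/libandroid_runtime.so": "f" * 64,
                   "/apex/com.android.art/lib64/libart.so": "1" * 64,
                   "/data/local/tmp/libhelper.so": "e" * 64}


def parse_maps(text: str):
    """Yield one dict per well-formed maps line; path is '' for anonymous memory."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["path"] = d["path"].strip()
            yield d


def classify(perms: str, path: str) -> Optional[str]:
    """Label one executable mapping, or None if it looks like stock Zygote."""
    if "x" not in perms:
        return None
    if path.startswith(ANON_EXEC_ALLOWLIST):          # ART JIT cache
        return "writable-executable" if "w" in perms else None
    if "w" in perms:                                   # W+X: never needed in Zygote
        return "writable-executable"
    if not path or path.startswith("["):               # anonymous executable memory
        return "anonymous-executable"
    if not path.startswith(TRUSTED_PREFIXES):          # code loaded from /data etc.
        return "exec-outside-trusted-partition"
    return None


def triage_maps(text: str) -> List[Tuple[str, str, str]]:
    """(finding, path, perms) for every suspicious executable mapping."""
    out = []
    for m in parse_maps(text):
        label = classify(m["perms"], m["path"])
        if label:
            out.append((label, m["path"] or "<anon>", m["perms"]))
    return out


def mapped_libraries(text: str) -> List[str]:
    """File-backed executable mappings: the on-disk objects that must be hashed."""
    libs = set()
    for m in parse_maps(text):
        p = m["path"].replace(" (deleted)", "")
        if "x" in m["perms"] and p.startswith("/") and not p.startswith("/memfd:"):
            libs.add(p)
    return sorted(libs)


def sha256_of(path: str) -> str:
    """Hash a library pulled from the device (adb pull) for comparison."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_hashes(actual: Dict[str, str], reference: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare observed hashes with the OEM manifest. A statically linked payload
    never appears as an extra mapping, so this comparison, not the mapping list,
    is what catches a trojanised libandroid_runtime.so."""
    problems = []
    for path in sorted(actual):
        if path not in reference:
            problems.append((path, "no reference hash"))
        elif actual[path] != reference[path]:
            problems.append((path, "hash mismatch"))
    return problems


if __name__ == "__main__":
    for finding in triage_maps(SAMPLE_MAPS):
        print("FINDING", *finding)
    print("libraries to hash:", mapped_libraries(SAMPLE_MAPS))
    for path, why in verify_hashes(OBSERVED_HASHES, REFERENCE_HASHES):
        print("HASH", why, path)
```

On the constructed sample the script reports the library loaded from /data and the anonymous W+X region, and the hash comparison is what exposes the modified libandroid_runtime.so, which the mapping list alone would pass as a normal system library.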
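The following Python script is an added example for this page (not SecLookup's detection logic) covering the Traffic Analysis step above and the note under Indicators of Compromise. It refangs the two published domains, matches DNS queries against them with correct subdomain semantics, pivots hits to client devices, and applies a heuristic for hijacked searches: search-style requests (a q or query parameter) sent to a host that is not one of the users' known search engines. The log formats, the sample lines and the known-search-host list are constructed assumptions; only the two domains come from the page.

```python
"""Match DNS and proxy logs against the Keenadu IOCs and flag hijacked searches.

Added example for this page, not SecLookup or Securelist code. The log layouts
and sample lines are constructed for the example; adapt the two parsers to your
resolver/proxy export. Only the two IOC domains are taken from the page.
"""
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# IOCs as published on the page, in defanged form.
KEENADU_IOCS = ["dllpgd[.]click", "playstations[.]click"]

# Hosts where a user's search query is expected to go (assumption: tune per fleet).
KNOWN_SEARCH_HOSTS = ("google.com", "bing.com", "duckduckgo.com", "yahoo.com")

# Constructed resolver log: '<timestamp> <client-ip> <qname> <qtype>'.
SAMPLE_DNS_LOG = """\
2026-01-15T10:12:01Z 10.0.5.21 api.playstations.click A
2026-01-15T10:12:03Z 10.0.5.21 www.google.com A
2026-01-15T10:12:09Z 10.0.5.44 dllpgd.click A
2026-01-15T10:13:15Z 10.0.5.44 notdllpgd.click A
2026-01-15T10:14:20Z 10.0.5.67 playstation.com A
"""

# Constructed proxy log: '<timestamp> <client-ip> <url>'.
SAMPLE_PROXY_LOG = """\
2026-01-15T10:20:01Z 10.0.5.21 https://www.google.com/search?q=bank+login
2026-01-15T10:20:05Z 10.0.5.44 https://search.playstations.click/?q=bank+login&src=kd
2026-01-15T10:21:30Z 10.0.5.67 https://duckduckgo.com/?q=android+update
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('dllpgd[.]click') into a matchable hostname."""
    return ioc.replace("[.]", ".").replace("(.)", ".").strip().rstrip(".").lower()


def matching_ioc(qname: str, iocs: List[str]) -> Optional[str]:
    """Exact or subdomain match; 'notdllpgd.click' must NOT match 'dllpgd.click'."""
    name = qname.rstrip(".").lower()
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(text: str, iocs: Optional[List[str]] = None) -> List[Dict[str, str]]:
    """Return one hit per query that resolves an IOC domain or a subdomain of it."""
    wanted = [refang(i) for i in (iocs or KEENADU_IOCS)]
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2]
        ioc = matching_ioc(qname, wanted)
        if ioc:
            hits.append({"ts": ts, "client": client, "qname": qname, "ioc": ioc})
    return hits


def clients_by_ioc(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Pivot: which devices talked to which IOC, for fleet triage."""
    out = defaultdict(set)
    for h in hits:
        out[h["ioc"]].add(h["client"])
    return {ioc: sorted(clients) for ioc, clients in out.items()}


def unexpected_search_hosts(text: str, known=KNOWN_SEARCH_HOSTS) -> List[Dict[str, str]]:
    """Heuristic for the browser hijack: a search-looking request (q/query
    parameter) whose host is not a known search engine. A hijacked browser sends
    the user's query straight to an operator-controlled search domain."""
    flagged = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        ts, client, url = parts
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        params = parse_qs(u.query)
        query = params.get("q") or params.get("query")
        if not query:
            continue
        if not any(host == k or host.endswith("." + k) for k in known):
            flagged.append({"ts": ts, "client": client, "host": host, "query": query[0]})
    return flagged


if __name__ == "__main__":
    dns_hits = scan_dns_log(SAMPLE_DNS_LOG)
    for h in dns_hits:
        print("IOC", h["ts"], h["client"], h["qname"], "->", h["ioc"])
    print("devices per IOC:", clients_by_ioc(dns_hits))
    for f in unexpected_search_hosts(SAMPLE_PROXY_LOG):
        print("SEARCH-HIJACK?", f["ts"], f["client"], f["host"], repr(f["query"]))
```

The subdomain check is deliberate: substring matching would both miss api.playstations.click and falsely alert on notdllpgd.click. The search heuristic will need an allowlist of internal sites that use a q parameter before it is suitable for alerting rather than hunting.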
References
- Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets by Dmitry Kalinin, Securelist (Kaspersky GReAT)