
A dangerous Android backdoor has just been discovered on thousands of devices worldwide.


Overview

In recent years, the Android ecosystem has repeatedly been the target of large-scale attack campaigns. Most malware, however, still relies on the human factor: it needs users to download a malicious app or inadvertently grant dangerous permissions. The emergence of Keenadu breaks this model. Keenadu is a newly discovered Android malware that lives inside the device's firmware. Unlike traditional Android malware, Keenadu does not need the user to install anything, because it is already present when the device ships. So far, Kaspersky has confirmed more than 13,000 infected devices worldwide, mainly in Russia, Japan, Germany, Brazil, and the Netherlands, a figure that says a great deal about the impact of this malware.

Initial findings

The discovery of Keenadu originated from the investigation of new variants of the Triada backdoor, a well-known Android malware that previously infected counterfeit devices.

A new version of Triada spreads embedded in the firmware of Android devices | Securelist

While tracking large-scale Android botnets, the research team noticed:

  • A completely new backdoor.

  • Operates more deeply than Triada.

  • Connected to many large Android botnets.

This indicates that the Android malware ecosystem is shifting to a supply-chain attack model instead of tricking users into installing APKs.

Attack trends

The history of Keenadu reflects a new trend in mobile malware:

Phase              Type of attack
Before 2020        Malicious app
2020–2024          System app / privilege abuse
2025 to present    Firmware & supply chain

Architecture of Keenadu

The architecture of Keenadu can be divided into four main layers:

Each layer plays a specific role in ensuring stealth, persistence, and remote control. Notably, Keenadu is integrated into libandroid_runtime.so, one of Android's core system libraries, which is:

  • Loaded during the boot process

  • Used by all applications

  • Part of the runtime framework

Because this library is modified, the malware immediately:

  • Inject into the Zygote process

  • Automatically appear in every app

Attack chain

The first stage is the initial compromise of the supply chain. As mentioned earlier, the malware is not installed after the sale; the malicious code is embedded directly during the firmware build process. The attacker takes the following steps:

  • Infiltrate the OEM vendor or firmware integrator

  • Modify the Android system image

  • Add a malicious library to the system

Specifically, the malware is linked into libandroid_runtime.so, a core library of the Android framework. At this point the device is already infected at the place where it was manufactured.

In the second stage, the attacker distributes the infected devices. The distribution channels are varied so that the devices reach victims. The infected firmware is distributed through:

  • Cheap tablet/phone OEMs

  • Clone devices

  • Legitimately signed firmware

  • Official OTA updates

Some firmware even carries valid digital signatures, making detection nearly impossible. Once the device reaches the victim, stage 3 is executed: activation when the system boots.

Android follows its normal load chain: boot → system framework → libandroid_runtime.so. Because the library has been modified:

  • Keenadu runs before any application

  • Runs with system/native privileges

The attacker's advantage at this stage is that no exploit or privilege escalation is needed. Right after this comes the most critical phase of the entire campaign: Zygote process injection. In Android, Zygote is the parent process of all applications.

Once Zygote starts, the malware injects its code there and loads the backdoor into Zygote's memory. At this stage the backdoor is:

  • Mapped into process memory

  • Runs with system privileges

  • Becomes part of Zygote

Of course, the consequences at this stage are also very serious:

  • Malware exists in the memory of every application

  • The Android sandbox is bypassed

  • Other apps' data can be accessed

Once the malware is on the device, the attacker's next goal is to infect all applications. As soon as the user opens any app, the execution chain is triggered immediately.

For the infected app there are:

  • No APK changes

  • No warnings

  • No new permissions needed

After infection, the attacker maintains control and receives commands through the backdoor, which is configured to contact the C2 server at 67.198.232[.]4 or 67.198.232[.]187.

At this point, Keenadu begins collecting information about the victim's device, such as model, firmware, installed app list, and Google services status. The data is sent to the C2 server, which returns the operational configuration. From here, the device becomes a remotely controlled Android node.
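The two C2 addresses quoted above are the kind of indicator a defender can hunt for in egress telemetry. The following Python is an added example, not code from the original article or from Kaspersky's report: it refangs the indicators, normalises them to exact IPv4 addresses (so 67.198.232.40 does not match 67.198.232.4 by substring), and scans constructed egress-log lines; the log format and the sample records are assumptions.

```python
import ipaddress
import re
from typing import Iterable

# Keenadu C2 addresses as quoted in the article, in its defanged notation.
# Assumption: defanging consists only of "[.]" standing in for ".".
DEFANGED_C2 = ["67.198.232[.]4", "67.198.232[.]187"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 67.198.232[.]4 back into 67.198.232.4."""
    return indicator.replace("[.]", ".")


def build_c2_set(defanged: Iterable[str]) -> set[ipaddress.IPv4Address]:
    """Normalise every indicator to an IPv4Address so membership tests are exact."""
    return {ipaddress.IPv4Address(refang(i)) for i in defanged}


# Constructed sample of egress records: "<timestamp> <src> -> <dst>:<port>".
SAMPLE_EGRESS = """\
2025-11-02T08:14:01Z 10.0.0.23 -> 142.250.74.110:443
2025-11-02T08:14:07Z 10.0.0.23 -> 67.198.232.4:443
2025-11-02T08:14:09Z 10.0.0.51 -> 67.198.232.40:443
2025-11-02T08:15:30Z 10.0.0.23 -> 67.198.232.187:8080
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def find_c2_contacts(log_text: str, c2: set[ipaddress.IPv4Address]) -> list[dict]:
    """Return one record per log line whose destination is a known C2 address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed record format
        ts, src, dst, port = m.groups()
        try:
            dst_ip = ipaddress.IPv4Address(dst)
        except ValueError:
            continue  # e.g. an octet above 255; not a routable destination
        if dst_ip in c2:
            hits.append({"ts": ts, "src": src, "dst": str(dst_ip), "port": int(port)})
    return hits


if __name__ == "__main__":
    for hit in find_c2_contacts(SAMPLE_EGRESS, build_c2_set(DEFANGED_C2)):
        print(f"{hit['src']} contacted Keenadu C2 {hit['dst']}:{hit['port']} at {hit['ts']}")
```

In a real deployment the source of the hit is the interesting field: a device on the internal network reaching these addresses is a candidate for firmware-level compromise rather than a single bad app.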

Here, the backdoor allows:

  • Install any APK

  • Grant permissions automatically

  • Download new modules

  • Full remote control

Keenadu functions here as a loader platform: after the device connects to the C2 server, the server sends modules tailored to specific targets:

  • Ad fraud module

  • Data harvesting

  • App hijacking

  • Proxy / botnet node

Another feature of Keenadu is its ability to evade analysis. Keenadu only activates if the device:

  • Has Google Play Services

  • Does not use a Chinese locale/timezone

Consequences

Complete loss of device control

  • Device controlled remotely

  • Attacker can execute arbitrary code

  • Install applications without user knowledge

Large-scale personal data leak

  • Stealing social media accounts

  • Hijacking email

  • Exposing identifying information

  • Monitoring user behavior

Financial risk

  • Loss of money

  • Payment fraud

  • Misuse of digital wallets

Decreased performance and device lifespan

  • Battery drains quickly

  • Device overheats

  • Consumes network data

  • Reduces hardware lifespan

Conclusion

The emergence of Keenadu marks a dangerous shift in the landscape of modern mobile security. Previously, most Android malware relied on tricking users into installing malicious apps, but now attackers have advanced further—directly infiltrating the device supply chain, leaving users nearly powerless to protect themselves with conventional methods. The most concerning aspect is not the number of infected devices, but the attack model Keenadu represents: firmware-level malware with the ability to persist, deeply embed itself in the system, and bypass most traditional defenses. This is no longer just a problem for individual users but a challenge for the entire Android ecosystem—from hardware manufacturers and firmware developers to the global distribution chain.

Recommendations

  1. Only purchase devices from reputable brands.
  • Priority:

    • Samsung

    • Google Pixel

    • Xiaomi (official store)

    • OPPO / Vivo official distribution

  • Keenadu primarily appears on low-cost OEM devices.

  2. Verify the source of purchase.
  • Consider purchasing from:

    • Official stores

    • Authorized dealers

    • Major retailers

  • Avoid:

    • Devices that have already been unboxed

    • Devices with pre-installed unfamiliar apps

    • Devices that have been rooted or have an unlocked bootloader

  3. Check system applications
  • Go to Settings → Apps → Show system apps

  • Warning signs:

    • Unknown developer name

    • App cannot be uninstalled

    • App with excessive permissions

  4. Check Play Protect certification
  • Access: Google Play → Settings → About

  • You should see: Play Protect certification: Certified

  • If it shows Not Certified, there is a risk of modified firmware.

IOCs


C2 IP addresses:
  • 110.34.191[.]81

  • 110.34.191[.]82

  • 67.198.232[.]4

  • 67.198.232[.]187


References

  1. New Keenadu Android Malware Found on Thousands of Devices - SecurityWeek

  2. Keenadu the tablet conqueror and the links between major Android botnets | Securelist
