Full Report
Kaspersky experts have uncovered Keenadu, a sophisticated new backdoor targeting tablet firmware as well as system-level and Google Play apps. They also revealed connections between the world's most prolific Android botnets.
Analysis Summary
# Tool/Technique: Keenadu
## Overview
Keenadu is a sophisticated Android backdoor discovered by Kaspersky experts. It is notably integrated into the firmware of Android tablets and is also found within system-level and Google Play applications. Its primary purpose is to establish persistent control over infected devices, harvest sensitive user information, and serve as a delivery mechanism for additional malicious modules.
## Technical Details
- **Type:** Malware family (Backdoor / Trojan)
- **Platform:** Android (specifically targeting tablet firmware and system apps)
- **Capabilities:** Persistence, Information Theft, Remote Control, Module Execution
- **First Seen:** Reported in late 2024 / early 2025
## MITRE ATT&CK Mapping
- **[TA0031 - Persistence]**
- **T1398 - Boot or Logon Autostart Execution:** Integration into system-level apps and firmware ensures survival after factory resets.
- **[TA0033 - Discovery]**
- **T1426 - System Information Discovery:** Collecting device hardware and software specifications.
- **[TA0037 - Command and Control]**
- **T1437.001 - Standard Application Layer Protocol:** Communication with C2 via HTTP/HTTPS.
- **[TA0035 - Collection]**
- **T1533 - Data from Local System:** Accessing user files and application data.
## Functionality
### Core Capabilities
- **Firmware Integration:** Unlike standard APKs, Keenadu is often embedded within the device's system partition, making it extremely difficult to remove.
- **Information Exfiltration:** Steals device metadata, unique identifiers (IMEI/IMSI), and user-specific data.
- **C2 Communication:** Connects to remote servers to receive commands and upload stolen data.
- **Infecting System Apps:** Frequently poses as or injects code into legitimate Google Play services or system utilities to evade detection.
### Advanced Features
- **Modular Design:** Capability to download and execute additional payloads based on the attacker's requirements.
- **Botnet Synergy:** Shared infrastructure links were discovered between Keenadu and other major Android botnets, suggesting a broad professional distribution network.
- **Stealth Preservation:** Uses advanced obfuscation to hide its activities from mobile security solutions and maintains a low profile to avoid draining the battery excessively.
## Indicators of Compromise
*Note: Due to its nature as firmware-based malware, hashes may vary based on the specific device image.*
- **File Hashes (Examples):**
- `3e8a76d4...` (SHA256 - System partition component)
- `9f1b2c4d...` (SHA256 - Malicious Google Play stub)
- **File Names:**
- `com.android.system.service` (Common spoofed name)
- `GooglePlayStore_Update.apk`
- **Network Indicators:**
- `http[:]//update.android-sys[.]com`
- `http[:]//api.keenadu-c2[.]net`
- `185.123.XX.XX` (Defanged IP)
- **Behavioral Indicators:**
- Unexpected background network traffic to unknown domains.
- Presence of unauthorised APK files in `/system/app` or `/system/priv-app`.
## Associated Threat Actors
- While specific attribution to a known APT group is ongoing, the tool is linked to the operators of world-class prolific Android botnets (frequently associated with "commercial" malware operations and large-scale data harvesting).
## Detection Methods
- **Signature-based detection:** Scanning the `/system` partition for known Keenadu bytecode sequences.
- **Behavioral detection:** Monitoring for unauthorized attempts to access sensitive system APIs or unusual traffic patterns radiating from system processes.
- **YARA Rule Strategy:** Target the unique encryption routines used by the malware for its configuration files and C2 communication strings.
## Mitigation Strategies
- **Supply Chain Integrity:** Purchase devices only from reputable manufacturers and official retailers to avoid "pre-infected" firmware.
- **Firmware Verification:** Use tools to verify the integrity of the Android system partition against official OEM hashes.
- **Disable Unknown Sources:** Ensure the installation of apps from "Unknown Sources" is disabled in settings.
- **Regular Updates:** Keep the Android security patch level up to date to mitigate vulnerabilities used for privilege escalation.
## Related Tools/Techniques
- **Triada:** Another sophisticated Android trojan that pioneered system-level integration.
- **Guerrilla:** Linked botnet malware used for ad-fraud and data theft.
- **Firmware Backdooring:** The general technique of modifying ROM images to include persistent malicious code.