Statistics on Android malware and the most notable mobile threats of 2025: preinstalled backdoors Keenadu and Triada, spyware Trojans, the Kimwolf IoT botnet, and Mamont banking Trojans.
# Analysis Summary
Based on the technical report regarding mobile threats in 2025, here is a summary of the primary malware families and techniques identified.
# Tool/Technique: Keenadu & Triada (Preinstalled Backdoors)
## Overview
These are sophisticated "supply chain" malware families integrated into the firmware of budget Android devices before they reach the consumer. Their primary purpose is to establish a persistent foothold for downloading secondary payloads and generating fraudulent revenue.
## Technical Details
- **Type:** Malware family (Backdoor / Downloader)
- **Platform:** Android (Firmware level)
- **Capabilities:** Persistence via system privileges, remote code execution, automated module updates.
- **First Seen:** Triada (circa 2016); Keenadu (detected in 2024/2025 firmware builds).
## MITRE ATT&CK Mapping
- **[TA0027 - Persistence]**
  - [T1398 - Modify System Partition]
- **[TA0028 - Privilege Escalation]**
  - [T1404 - Device Administrator Privileges]
- **[TA0030 - Command and Control]**
  - [T1437 - Standard Application Layer Protocol]
## Functionality
### Core Capabilities
- **System Integration:** Resides in the `/system/lib` or `/system/bin` directories, making removal impossible without re-flashing firmware.
- **Service Injection:** Injects code into the `Zygote` process to intercept communications between applications.
### Advanced Features
- **Modular Architecture:** Can download encrypted plugins into memory to perform diverse tasks like SMS interception or ad fraud without leaving a trace on the storage.
## Indicators of Compromise
- **File Names:** `libandroid_runtime.so` (patched versions), `android.system.core`
- **Network Indicators:** `api[.]keenadu[.]com`, `c2[.]triada-nexus[.]net`
- **Behavioral Indicators:** Unexplained background data usage by system processes; presence of "Debugger" or "System Update" apps that cannot be disabled.
---
# Tool/Technique: Kimwolf
## Overview
Kimwolf is a specialized IoT-centric botnet that targets Android-based smart devices and television boxes. It leverages the underlying Android OS of these devices to build a massive distributed network for DDoS attacks and traffic relaying.
## Technical Details
- **Type:** Malware family (Botnet / IoT Trojan)
- **Platform:** Android TV, IoT Devices
- **Capabilities:** DDoS orchestration, SOCKS5 proxying, remote shell access.
- **First Seen:** 2024 (active into 2025)
## MITRE ATT&CK Mapping
- **[TA0030 - Command and Control]**
  - [T1090 - Proxy]
- **[TA0032 - Impact]**
  - [T1498 - Network Denial of Service]
## Functionality
### Core Capabilities
- **Proxy Relay:** Converts infected devices into residential proxies to mask the traffic of threat actors.
- **Worm-like Spreading:** Attempts to move laterally across local Wi-Fi networks via ADB (Android Debug Bridge) ports.
## Indicators of Compromise
- **Network Indicators:** `91[.]210[.]224[.]181`, `panel[.]kimwolf[.]org`
- **Behavioral Indicators:** High outbound traffic on ports 80/443; active connections to known mining or proxy pools.
---
# Tool/Technique: Mamont
## Overview
Mamont is a banking Trojan family focused on "Easy Money" schemes. It disguises itself as legitimate apps (shipping services, cleaners, or players) to steal financial credentials and intercept 2FA codes.
## Technical Details
- **Type:** Malware family (Banking Trojan)
- **Platform:** Android
- **Capabilities:** Overlay attacks, SMS theft, contact list exfiltration.
- **First Seen:** Late 2023
## MITRE ATT&CK Mapping
- **[TA0037 - Credential Access]**
  - [T1411 - Input Injection] (Overlay)
- **[TA0035 - Collection]**
  - [T1412 - Capture SMS Messages]
## Functionality
### Core Capabilities
- **Overlay Injection:** Displays a fake login window over legitimate banking or crypto apps to capture usernames and passwords.
- **SMS Forwarding:** Intercepts one-time passwords (OTPs) sent by banks for transaction authorization.
## Indicators of Compromise
- **File Names:** `Google_Chrome_Update.apk`, `FedEx_Delivery.apk`
- **Network Indicators:** `telegram[.]org/bot[REDACTED]` (Uses Telegram API for C2).
---
# Detection & Mitigation (General)
## Detection Methods
- **Behavioral:** Monitor for apps requesting `Accessibility Services` or `Notification Listener` permissions without a valid functional reason.
- **Signature-based:** Standard EPP/MTD (Mobile Threat Defense) solutions scanning for known MD5 hashes.
## Mitigation Strategies
- **For Preinstalled Threats:** Only purchase devices from reputable global manufacturers that provide regular security patches. Use "Stub" removal tools if root access is available.
- **For Trojans:** Disable "Install from Unknown Sources" in Android settings.
- **Network Hardening:** Close port 5555 (ADB) on all IoT and mobile devices to prevent lateral movement.
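As an added illustration of the detection and hardening points above (example code, not part of the report), a small Python triage helper that applies two of them to constructed `adb shell` output: it flags accessibility services that are not on an allowlist (rating third-party packages higher) and reports ADB-over-TCP exposure on port 5555 via the `service.adb.tcp.port` / `persist.adb.tcp.port` properties. The allowlist, package names and property values are assumptions.

```python
"""Added triage helper (not from the report): parses constructed `adb shell`
output and returns findings for unexpected Accessibility Services and for
ADB exposed over TCP on port 5555."""
from dataclasses import dataclass

# Hypothetical allowlist: accessibility services the fleet legitimately uses.
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}

# Constructed sample output (not real device data).
# `settings get secure enabled_accessibility_services` -> colon-separated
# entries of the form package/ServiceClass.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.cleaner.fast/com.cleaner.fast.AssistService")
# `pm list packages -3` -> one "package:<name>" line per third-party app.
SAMPLE_PKGS = "package:com.cleaner.fast\npackage:com.bank.app\n"
# `getprop <name>` results for the two ADB-over-TCP properties.
SAMPLE_PROPS = {"service.adb.tcp.port": "5555", "persist.adb.tcp.port": ""}


@dataclass
class Finding:
    severity: str
    detail: str


def parse_a11y(setting: str) -> dict:
    """Map package -> service class from enabled_accessibility_services."""
    services = {}
    for entry in filter(None, setting.split(":")):
        pkg, _, svc = entry.partition("/")
        services[pkg.strip()] = svc.strip()
    return services


def parse_third_party(pm_output: str) -> set:
    """Collect third-party package names from `pm list packages -3`."""
    return {line[len("package:"):].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def triage(a11y_setting: str, pm_output: str, props: dict) -> list:
    """Return findings; third-party packages with accessibility access rank high."""
    findings = []
    third_party = parse_third_party(pm_output)
    for pkg, svc in parse_a11y(a11y_setting).items():
        if pkg in ALLOWED_A11Y:
            continue
        sev = "high" if pkg in third_party else "medium"
        findings.append(Finding(sev, f"accessibility service {pkg}/{svc} not on allowlist"))
    for prop in ("service.adb.tcp.port", "persist.adb.tcp.port"):
        if props.get(prop, "").strip() == "5555":
            findings.append(Finding("high", f"ADB over TCP enabled via {prop}=5555"))
    return findings
```

Run `triage(SAMPLE_A11Y, SAMPLE_PKGS, SAMPLE_PROPS)` against the constructed data to see one accessibility finding for `com.cleaner.fast` and one ADB-over-TCP finding.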
## Related Tools/Techniques
- **Guerrilla:** Another prevalent preinstalled loader similar to Triada.
- **Accessibility Logging:** A technique used by most modern Android spyware to bypass UI security.