Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets

Khushal

Apr 4, 2024
It's here! The full Keenadu research is now live!
Keenadu is a firmware-level Android backdoor that injects into Zygote via a malicious libandroid_runtime.so, enabling plug-and-play modules to exfiltrate data, hijack ads, and control devices across multiple botnets including Triada, BADBOX, and Vo1d.

This Android malware spreads through three vectors: preinstalled on new devices, hidden in system apps, and inside ordinary apps, either from official stores or from APK files.
Full research live now on Securelist: Keenadu the tablet conqueror and the links between major Android botnets
This looks like a supply-chain / preinstallation-style Android threat (i.e., living in or alongside system components), which is a very different cleanup problem than a typical “bad app” you can just uninstall.

Why this matters (based on the Securelist write-up you linked)
  • If a backdoor is injected into core Android runtime paths (e.g., around Zygote / framework libraries), it can gain persistence and broad control over apps and data flows.
  • “Preinstalled on new devices” / “embedded in system apps” scenarios often mean a normal factory reset is not a reliable remediation, because you may be restoring the same compromised system image.
  • These campaigns commonly monetize via ad fraud and data collection, but the access level described also enables much more serious actions (command execution via modules, device control, staged payloads).

Practical guidance for users/admins
  • Treat factory reset as insufficient if you suspect system-image compromise. The safer options are:
    • Apply official OTA updates from the OEM (if the vendor is reputable and still supports the device).
    • Reflash with official factory images/firmware from the OEM (where available and verifiable).
    • If the device is low-end/grey-market/unbranded or lacks trustworthy update channels, replacement is often the only high-confidence fix.
  • Avoid “unknown brand” Android boxes/tablets/phones for sensitive use. Supply-chain malware disproportionately affects cheap devices with weak QA and no long-term patching.
  • Reduce exposure paths:
    • Disable “Install unknown apps” / sideloading unless you absolutely need it.
    • Use Google Play + Play Protect (not perfect, but it helps against many commodity droppers).
    • Keep Android and Google Play system updates current.
  • Enterprise checks (if this is in an org):
    • Use MDM/Android Enterprise and require device integrity signals (Play Integrity / hardware-backed attestation where possible).
    • Restrict enrollment to approved models/serials and vendors.
    • Monitor DNS/HTTP(S) egress for suspicious beaconing; block known bad infra when IOCs are available.

If someone thinks they are affected
  • Stop using the device for banking/2FA/secrets until it’s remediated.
  • Back up only what you must (photos/docs), but avoid backing up and restoring APKs/apps wholesale.
  • Change passwords from a known-clean device, and rotate tokens where possible (email, primary accounts, authenticator backups).
  • Plan for reflash or device replacement as the “clean” endpoint.

If you want this thread to be actionable, the most useful add-on is posting any IOCs (domains, package names, hashes, affected models/firmware builds) from the Securelist article so members can cross-check against traffic/logs and discuss detection/containment safely.
 
The most unsettling part, apart from the malware, is the feeling that the ground is already prepared before the user even turns on the device. A “new” phone arriving with invisible guests makes trust the first casualty. In the end, what’s exposed is not just a technical vulnerability, but the fragility of the entire chain that was supposed to protect us. 🔒⚠️📱
 
Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1195.003
Supply Chain Compromise: Hardware Dependencies

T1543
Create or Modify System Process (Zygote and system_server hooks)

T1562.001
Impair Defenses: Disable or Modify Tools (bypassing Android permissions)

T1111
Two-Factor Authentication Interception (via Google Chrome search hijacking and credential theft modules)

CVE Profile
None Assigned [CISA KEV Status: Inactive].

Telemetry

Hashes

ca98ae7ab25ce144927a46b7fee6bd21
(MD5 of libVndxUtils.a)

f0184f6955479d631ea4b1ea0f38a35d
(Nova Clicker module)

Network
keepgo123[.]com
gsonx[.]com
zcnewy[.]com
trends.search-hub[.]cn
67.198.232[.]4
67.198.232[.]187

Registry/Strings
Decryption is heavily reliant on MD5 hashes of specific strings, such as "ota.host.ba60d29da7fd4794b5c5f732916f7d5c" or "37d9a33df833c0d6f11f1b8079aaa2dc", using an initialization vector of "0102030405060708". The magic bytes "encrypttag" are used for payload verification.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Enforce strict supply-chain risk management (SCRM) policies prohibiting the procurement or BYOD integration of low-cost, unvetted Android devices (specifically noted: Alldocube models like iPlay 50 mini Pro and TCT content center variants).

DETECT (DE) – Monitoring & Analysis

Command
Implement network-layer blocking and alert generation for DNS queries to keepgo123[.]com, gsonx[.]com, and zcnewy[.]com.

Command
Monitor for anomalous HTTP POST requests to URI paths ending in /ak/api/pts/v4 and /ota/api/tasks/v3.

RESPOND (RS) – Mitigation & Containment

Command
Isolate any Android device exhibiting unauthorized ad traffic, search engine hijacking in Google Chrome, or unexpected app installations.

RECOVER (RC) – Restoration & Trust

Command
Standard factory resets are ineffective due to system-partition infection. Quarantine hardware until vendor-verified clean firmware is flashed via physical USB connection.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Audit corporate Google Play accounts to ensure no applications related to "smart cameras" containing the com.arcsoft.closeli.service.KucopdInitService package are installed.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately if you experience mysterious audio playback, sudden unauthorized e-commerce cart additions, or hijacked browser searches on a budget tablet.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset all passwords (especially Google, Facebook, Amazon, and Telegram) using a known clean device, as Keenadu payloads have targeted credential exfiltration on these apps.

Priority 3: Persistence

Command
Since the malware resides in the read-only system partition (libandroid_runtime.so), a standard factory reset will not work. Discontinue using the device until the manufacturer issues a known clean firmware update, or manually flash clean firmware if technically capable. Remove any suspicious apps recently downloaded from the Google Play Store (e.g., com.taismart.global).

Hardening & References

Baseline

CIS Benchmarks for Mobile Devices.

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Kaspersky Securelist

Federal Bureau of Investigation (FBI) / IC3 PSA
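An added example for the two detection points raised in this thread (the earlier reply's "monitor DNS/HTTP(S) egress ... block known bad infra when IOCs are available" and the DETECT / RESPOND items in the post above). It is not code from Securelist, Kaspersky or the FBI PSA. It takes the domains, IPs and URI paths exactly as the post lists them, refangs the [.] notation, and runs them over constructed DNS and proxy log lines. The BIND-style query-log format and the minimal "timestamp source method url status" proxy format are assumptions; subdomain matching and flagging any POST to the two C2 paths regardless of host are my generalizations of the post's rules, added so that infrastructure rotated after publication still trips the path rule.

```python
"""Match the Keenadu network IOCs quoted in this thread against DNS and
proxy logs. Added example for the thread, not code from Securelist or any
project; every log line below is constructed, not real telemetry."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as the post lists them (defanged with [.]).
DEFANGED_DOMAINS = ["keepgo123[.]com", "gsonx[.]com", "zcnewy[.]com",
                    "trends.search-hub[.]cn"]
DEFANGED_IPS = ["67.198.232[.]4", "67.198.232[.]187"]
# URI paths the post says the beacons POST to.
C2_PATH_SUFFIXES = ("/ak/api/pts/v4", "/ota/api/tasks/v3")


def refang(indicator: str) -> str:
    """'keepgo123[.]com' -> 'keepgo123.com'; tolerates a stray trailing dot."""
    return indicator.replace("[.]", ".").rstrip(".")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}


def domain_matches(name: str) -> bool:
    """Exact or subdomain match: api.keepgo123.com hits, notkeepgo123.com does not."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in DOMAINS)


def ip_matches(host: str) -> bool:
    """True only for an IP literal that is one of the listed addresses."""
    try:
        return ipaddress.ip_address(host) in IPS
    except ValueError:  # hostname, empty string, or malformed literal
        return False


# Assumed formats: a BIND-style query log and a minimal "ts src method url status"
# proxy log. Adjust the regexes to whatever your resolver/proxy actually writes.
DNS_RE = re.compile(r"client (?:@\S+ )?(?P<src>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN ")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_dns(lines):
    """Return one hit per query for an IOC domain (or a subdomain of one)."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if m and domain_matches(m["qname"]):
            hits.append({"src": m["src"], "rule": "ioc-domain",
                         "indicator": m["qname"].rstrip(".")})
    return hits


def scan_proxy(lines):
    """Flag IOC hosts, and POSTs to the C2 paths even on hosts not yet listed."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        rules = []
        if domain_matches(host):
            rules.append("ioc-domain")
        if ip_matches(host):
            rules.append("ioc-ip")
        if m["method"] == "POST" and parts.path.rstrip("/").endswith(C2_PATH_SUFFIXES):
            rules.append("c2-path")
        hits.extend({"src": m["src"], "rule": r, "indicator": host, "url": m["url"]}
                    for r in rules)
    return hits


def hosts_to_isolate(dns_hits, proxy_hits):
    """Source addresses with any hit: the candidates for the RESPOND step."""
    return sorted({h["src"] for h in dns_hits + proxy_hits})


# Constructed sample logs (RFC 1918 and TEST-NET addresses, not real traffic).
SAMPLE_DNS_LOG = """\
17-Feb-2026 09:12:33.101 client @0x7f3c 10.0.0.21#51234 (trends.search-hub.cn): query: trends.search-hub.cn IN A + (10.0.0.2)
17-Feb-2026 09:12:34.002 client @0x7f3c 10.0.0.21#51235 (www.google.com): query: www.google.com IN A + (10.0.0.2)
17-Feb-2026 09:13:01.550 client @0x7f3c 10.0.0.37#40111 (api.keepgo123.com): query: api.keepgo123.com IN A + (10.0.0.2)
17-Feb-2026 09:13:02.000 client @0x7f3c 10.0.0.37#40112 (notkeepgo123.com): query: notkeepgo123.com IN A + (10.0.0.2)
""".splitlines()
SAMPLE_PROXY_LOG = """\
2026-02-17T09:12:35Z 10.0.0.21 POST http://gsonx.com/ota/api/tasks/v3 200
2026-02-17T09:12:40Z 10.0.0.21 GET https://www.google.com/search?q=android 200
2026-02-17T09:13:05Z 10.0.0.37 POST http://67.198.232.187/ak/api/pts/v4 200
2026-02-17T09:13:09Z 10.0.0.37 POST http://203.0.113.9/ak/api/pts/v4/ 503
2026-02-17T09:13:12Z 10.0.0.44 GET http://zcnewy.com/ads/click 302
""".splitlines()

if __name__ == "__main__":
    dns_hits, proxy_hits = scan_dns(SAMPLE_DNS_LOG), scan_proxy(SAMPLE_PROXY_LOG)
    for h in dns_hits + proxy_hits:
        print(h)
    print("isolate:", hosts_to_isolate(dns_hits, proxy_hits))
```

On the constructed sample the DNS scan reports two sources (the exact IOC and the api. subdomain, but not the look-alike notkeepgo123.com), and the proxy scan reports six hits across three sources, including the POST to 203.0.113.9 that only the path rule catches. The "c2-path" rule is deliberately restricted to POST because the post describes POST beacons; widen it only if you are willing to triage the extra noise. This complements, rather than replaces, blocking the domains at the resolver (RPZ or equivalent) and the IPs at the firewall, which is what the DETECT item above calls for.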