Keenadu Android firmware-level backdoor embedded in libandro... #1915
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://securelist.com/keenadu-android-backdoor/118913/
Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting (new page: "Firmware-level backdoors / Zygote-wide injection via libandroid_runtime.so"; also cross-link from Reversing or Android OS internals if present)".
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title/Scope
Kaspersky analyzes Keenadu, an Android firmware-level backdoor inserted during the firmware build phase (supply-chain compromise). The key technical property is that the implant is embedded into a core OS library, /system/lib/libandroid_runtime.so and /system/lib64/libandroid_runtime.so, causing malicious code to be loaded into the address space of every app process at runtime (via Zygote), effectively nullifying Androi...
🔧 Technical Details
Backdooring a core Android runtime library function that is universally reachable (e.g., patching android.util.Log.println_native inside libandroid_runtime.so) provides reliable code execution in every app process forked from Zygote. A native stub can decrypt an embedded second stage (e.g., RC4), persist it at a plausible dalvik-cache path, and execute it with DexClassLoader (Java entrypoint like com.ak.test.Main), bypassing app sandbox boundaries by running inside each target app context.
Implementing a malicious system-service model by running a server component in system_server (AKServer) and exposing binder interfaces to per-app clients (AKClient) via protected broadcasts (e.g., com.action.SystemOptimizeService, com.action.SystemProtectService) enables centralized command and control. Clients can attach via binder and pass an IPC wrapper so the server can load arbitrary DEX into selected target apps, while a second interface allows privileged operations suc...
🤖 Agent Actions
Updated HackTricks with a new Android firmware backdoor page detailing Zygote-wide execution via patched libandroid_runtime.so, RC4-to-DexClassLoader dropper flow, binder-based AKClient/AKServer architecture, C2 crypto/activation gating, supply-chain persistence, and forensic indicators. Linked the new page from the Android app pentesting case studies section.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
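A defender-side triage script, added here as an example (not code from the PR, the HackTricks page or the Securelist post): it checks the two libandroid_runtime.so paths named in the summary against a known-good SHA-256 taken from a clean build of the same firmware, and scans them, plus any files under a dalvik-cache directory, for the indicator strings the summary names. The extracted-firmware layout (system/ and data/ under one root) and the dalvik-cache location are assumptions; the sample bytes in the test are constructed.

```python
import hashlib
from pathlib import Path
from typing import Dict, List, Optional

# Strings the PR summary names (second-stage entry point, broadcast actions,
# server/client components). AKServer/AKClient are short: weakest signals.
KEENADU_STRINGS = [b"com.ak.test.Main", b"com.action.SystemOptimizeService",
                   b"com.action.SystemProtectService", b"AKServer", b"AKClient"]
# Carrier libraries named in the summary, relative to an extracted firmware root (assumed layout).
RUNTIME_LIBS = ["system/lib/libandroid_runtime.so",
                "system/lib64/libandroid_runtime.so"]

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def find_indicators(data: bytes) -> List[str]:
    """Return which Keenadu indicator strings occur in a binary blob."""
    return [s.decode() for s in KEENADU_STRINGS if s in data]

def check_runtime_lib(data: bytes, known_good_sha256: Optional[str]) -> Dict:
    """Compare one libandroid_runtime.so image against a clean build's SHA-256
    and scan it for indicator strings; either finding marks it suspicious."""
    digest = sha256_bytes(data)
    mismatch = known_good_sha256 is not None and digest != known_good_sha256.lower()
    hits = find_indicators(data)
    return {"sha256": digest, "hash_mismatch": mismatch,
            "indicators": hits, "suspicious": mismatch or bool(hits)}

def scan_firmware_tree(root: Path, known_good: Dict[str, str]) -> Dict[str, Dict]:
    """Check both runtime libraries, then every file under data/dalvik-cache
    (where the summary says the dropper persists the decrypted second stage),
    assuming the data partition was extracted beside system/ under root."""
    results: Dict[str, Dict] = {}
    for rel in RUNTIME_LIBS:
        p = root / rel
        if p.is_file():
            results[rel] = check_runtime_lib(p.read_bytes(), known_good.get(rel))
    cache = root / "data" / "dalvik-cache"
    for p in (cache.rglob("*") if cache.is_dir() else []):
        if p.is_file():
            hits = find_indicators(p.read_bytes())
            if hits:
                results[str(p.relative_to(root))] = {"indicators": hits, "suspicious": True}
    return results
```

A hash mismatch alone only proves the library differs from the reference build, so pair it with a diff of the exported symbols or a disassembly of the patched function before calling it an implant.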