The tablet conqueror and the links between major Android botnets
A new Android backdoor called Keenadu has been discovered embedded in the firmware of several tablet brands. It infects the libandroid_runtime.so library at firmware build time, so its code is injected into every app launched on the device. Keenadu gives attackers unrestricted control over victims' devices, used primarily for ad fraud. The investigation revealed connections between Keenadu and other major Android botnets, including Triada, BADBOX, and Vo1d. The malware was found in system apps, Google Play apps, and modified versions of popular apps. Over 13,000 users worldwide have been affected, with Russia, Japan, Germany, Brazil and the Netherlands seeing the highest number of infections.
AI Analysis
Technical Summary
Keenadu is a newly discovered Android backdoor that compromises tablets by infecting the libandroid_runtime.so library during the firmware build process. This infection method ensures that the malicious code is injected into every application launched on the device, granting attackers persistent and unrestricted control. The primary motive appears to be ad fraud, leveraging infected devices to generate fraudulent ad revenue. Keenadu is linked to other prominent Android botnets such as Triada, BADBOX, and Vo1d, suggesting shared codebases or coordinated operations. The malware has been embedded in system-level applications, legitimate Google Play apps, and modified versions of popular apps, indicating a multi-vector infection strategy. Over 13,000 devices worldwide have been compromised, with notable infection clusters in Russia, Japan, Germany, Brazil, and the Netherlands. The infection at the firmware level represents a sophisticated supply chain attack, complicating detection and remediation efforts. Although no active exploits are currently reported, the threat leverages advanced persistence techniques and can evade traditional security controls. The malware's capabilities include code injection (T1059.004), credential dumping or input capture (T1056.001), and system firmware manipulation (T1542.003), highlighting its advanced operational tactics. This threat underscores the risks inherent in firmware supply chains and the challenges in securing Android devices against deeply embedded malware.
Potential Impact
For European organizations, particularly those in Germany and the Netherlands where infections are significant, Keenadu poses several risks. Infected tablets can be used as part of botnets to conduct large-scale ad fraud, potentially implicating organizations in fraudulent activities and causing reputational damage. The unrestricted control granted by the backdoor could allow attackers to exfiltrate sensitive data, monitor user activity, or pivot to other networked systems, increasing the risk of broader compromise. The firmware-level infection complicates detection and removal, potentially leading to prolonged presence on devices and increased operational disruption. Organizations relying on tablets for business-critical functions may face availability issues if devices are repurposed or disabled by attackers. Additionally, the presence of Keenadu in system and popular apps raises concerns about the integrity of software supply chains and the trustworthiness of device vendors. This threat could also impact compliance with European data protection regulations if personal data is compromised or misused.
Mitigation Recommendations
European organizations should implement rigorous firmware integrity verification processes, including cryptographic validation of firmware images before deployment. Establishing trusted supply chain relationships with device manufacturers and demanding transparency about firmware build processes can reduce infection risks. Deploy mobile device management (MDM) solutions capable of detecting unusual app behavior or unauthorized code injection. Regularly audit installed applications, especially system and pre-installed apps, for unauthorized modifications. Use network monitoring to detect anomalous traffic patterns indicative of ad fraud or command and control communications. Educate users on the risks of installing modified or unofficial apps, even from trusted sources like Google Play. Collaborate with device vendors to obtain firmware updates or patches that remove the Keenadu backdoor. In environments with high security requirements, consider isolating tablet devices from sensitive networks or limiting their use to reduce the attack surface. Finally, maintain up-to-date threat intelligence feeds to monitor developments related to Keenadu and associated botnets.
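The two checks above that lend themselves to automation are the firmware integrity audit (comparing files in an extracted firmware tree, especially libandroid_runtime.so, against a known-good manifest and against the hash indicators on this page) and DNS monitoring for the listed domains. The script below is an added example written for this page, not code from the original report or from any vendor tool. It assumes a vendor-supplied manifest of expected SHA-256 values for firmware files (the manifest format is an assumption) and a simple constructed DNS log format of the form `<timestamp> <client> query <name>`; the IoC subsets embedded in it are copied from the Indicators of Compromise list on this page.

```python
"""Firmware-tree integrity audit and IoC matching (added example for the Keenadu advisory)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Representative subset of the hash and domain indicators listed on this page;
# the matching logic is unchanged when the full list is loaded.
IOC_HASHES = {
    "02c4c7209b82bbed19b962fb61ad2de3",                                   # MD5
    "2c96165dddc7e17ade9989ad3d0fcd0413ce7927",                           # SHA-1
    "26971fdd34cda3ea13f5473b4ed49c6b9600b7e8e9222e9f6f778ec3f0725c09",   # SHA-256
}
IOC_DOMAINS = {
    "aifacecloud.com", "fbgraph.com", "gstatic2.com", "ytimg2.com",
    "pkg-czu.istaticfiles.com", "pkgu.istaticfiles.com", "trends.search-hub.cn",
}
# The library Keenadu modifies at firmware-build time; every app process loads it.
CRITICAL_LIBS = ("system/lib/libandroid_runtime.so", "system/lib64/libandroid_runtime.so")


def file_digests(path):
    """Return MD5, SHA-1 and SHA-256 hex digests of a file, read in 64 KiB chunks."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def ioc_hash_hits(digests, iocs=IOC_HASHES):
    """Names of the digest algorithms whose value appears in the IoC set."""
    return sorted(name for name, value in digests.items() if value.lower() in iocs)


def audit_firmware_tree(root, manifest, iocs=IOC_HASHES):
    """Compare an extracted firmware tree against a known-good manifest.

    manifest maps relative paths to the expected SHA-256 (assumed to come from a
    trusted vendor build record). Reports modified, missing and IoC-matching files,
    plus critical libraries present on disk but absent from the manifest.
    """
    root = Path(root)
    report = {"modified": [], "missing": [], "ioc_hits": {}, "unverified_critical": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        d = file_digests(p)
        if d["sha256"] != expected.lower():
            report["modified"].append(rel)
        hits = ioc_hash_hits(d, iocs)
        if hits:
            report["ioc_hits"][rel] = hits
    for rel in CRITICAL_LIBS:  # an unlisted runtime library cannot be vouched for
        if (root / rel).is_file() and rel not in manifest:
            report["unverified_critical"].append(rel)
    return report


# Constructed DNS log format (assumption): "<timestamp> <client> query <name>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def domain_matches(qname, iocs=IOC_DOMAINS):
    """Return the IoC domain that qname equals or is a subdomain of, else None."""
    q = qname.rstrip(".").lower()
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines, iocs=IOC_DOMAINS):
    """Return (client, qname, matched_ioc) for every query to an IoC domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and (ioc := domain_matches(m["qname"], iocs)):
            hits.append((m["client"], m["qname"], ioc))
    return hits


SAMPLE_DNS_LOG = [  # constructed sample lines; gstatic.com must NOT match gstatic2.com
    "2026-02-17T16:00:01Z 10.0.5.21 query www.example.com",
    "2026-02-17T16:00:02Z 10.0.5.21 query pkgu.istaticfiles.com",
    "2026-02-17T16:00:03Z 10.0.5.40 query cdn.gstatic2.com.",
    "2026-02-17T16:00:04Z 10.0.5.40 query gstatic.com",
]


def demo_audit():
    """Build a constructed firmware tree in a temp dir and audit it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good_lib, tampered_apk = b"constructed clean runtime library", b"constructed tampered apk"
        (root / "system/lib64").mkdir(parents=True)
        (root / "system/lib64/libandroid_runtime.so").write_bytes(good_lib)
        (root / "system/lib").mkdir(parents=True)
        (root / "system/lib/libandroid_runtime.so").write_bytes(good_lib)  # not in manifest
        (root / "system/app/Demo").mkdir(parents=True)
        (root / "system/app/Demo/Demo.apk").write_bytes(tampered_apk)
        manifest = {
            "system/lib64/libandroid_runtime.so": hashlib.sha256(good_lib).hexdigest(),
            "system/app/Demo/Demo.apk": hashlib.sha256(b"original apk").hexdigest(),
            "system/priv-app/Missing.apk": hashlib.sha256(b"gone").hexdigest(),
        }
        # Treat the tampered APK's SHA-1 as a known indicator to exercise the IoC path.
        return audit_firmware_tree(root, manifest, {hashlib.sha1(tampered_apk).hexdigest()})


if __name__ == "__main__":
    print(demo_audit())
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"IoC DNS hit: {client} -> {qname} (matches {ioc})")
```

Subdomain matching is deliberate: the page lists hosts under istaticfiles.com, and a beacon to any label beneath a listed name should still fire, while look-alike legitimate names (gstatic.com versus the listed gstatic2.com) must not. The manifest comparison only trusts SHA-256; the MD5 and SHA-1 digests are computed solely so that the page's indicators of those lengths can be matched.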
Affected Countries
Germany, Netherlands, Russia, Japan, Brazil
Indicators of Compromise
- hash: 02c4c7209b82bbed19b962fb61ad2de3
- hash: 07546413bdcb0e28eadead4e2b0db59d
- hash: 0bc94bc4bc4d69705e4f08aaf0e976b3
- hash: 0c1f61eeebc4176d533b4fc0a36b9d61
- hash: 10d8e8765adb1cbe485cb7d7f4df21e4
- hash: 11eaf02f41b9c93e9b3189aa39059419
- hash: 1276480838340dcbc699d1f32f30a5e9
- hash: 15fb99660dbd52d66f074eaa4cf1366d
- hash: 185220652fbbc266d4fdf3e668c26e59
- hash: 19df24591b3d76ad3d0a6f548e608a43
- hash: 1bfb3edb394d7c018e06ed31c7eea937
- hash: 1c52e14095f23132719145cf24a2f9dc
- hash: 21846f602bcabccb00de35d994f153c9
- hash: 2419583128d7c75e9f0627614c2aa73f
- hash: 28e6936302f2d290c2fec63ca647f8a6
- hash: 2922df6713f865c9cba3de1fe56849d7
- hash: 2dca15e9e83bca37817f46b24b00d197
- hash: 350313656502388947c7cbcd08dc5a95
- hash: 36db58957342024f9bc1cdecf2f163d6
- hash: 37d9a33df833c0d6f11f1b8079aaa2dc
- hash: 382764921919868d810a5cf0391ea193
- hash: 3d185f30b00270e7e30fc4e29a68237f
- hash: 3dae1f297098fa9d9d4ee0335f0aeed3
- hash: 3e36ffda0a946009cb9059b69c6a6f0d
- hash: 45bf58973111e00e378ee9b7b43b7d2d
- hash: 462a23bc22d06e5662d379b9011d89ff
- hash: 4964743c742bb899527017b8d06d4eaa
- hash: 4c4ca7a2a25dbe15a4a39c11cfef2fb2
- hash: 5048406d8d0affa80c18f8b1d6d76e21
- hash: 529632abf8246dfe555153de6ae2a9df
- hash: 56036c2490e63a3e55df4558f7ecf893
- hash: 58f282540ab1bd5ccfb632ef0d273654
- hash: 59aee75ece46962c4eb09de78edaa3fa
- hash: 5b0726d66422f76d8ba4fbb9765c68f6
- hash: 64947d3a929e1bb860bf748a15dba57c
- hash: 65f290dd99f9113592fba90ea10cb9b3
- hash: 68990fbc668b3d2cfbefed874bb24711
- hash: 68b64bf1dea3eb314ce273923b8df510
- hash: 69225f41dcae6ddb78a6aa6a3caa82e1
- hash: 6d93fb8897bf94b62a56aca31961756a
- hash: 6df8284a4acee337078a6a62a8b65210
- hash: 6f6e14b4449c0518258beb5a40ad7203
- hash: 7882796fdae0043153aa75576e5d0b35
- hash: 7c3e70937da7721dd1243638b467cff1
- hash: 7ceccea499cfd3f9f9981104fc05bcbd
- hash: 8900f5737e92a69712481d7a809fcfaa
- hash: 8d493346cb84fbbfdb5187ae046ab8d3
- hash: 912bc4f756f18049b241934f62bfb06c
- hash: 9195454da9e2cb22a3d58dbbf7982be8
- hash: 98ff5a3b5f2cdf2e8f58f96d70db2875
- hash: 9d16a10031cddd222d26fcb5aa88a009
- hash: 9ddd621daab4c4bc811b7c1990d7e9ea
- hash: a0f775dd99108cb3b76953e25f5cdae4
- hash: a191b683a9307276f0fc68a2a9253da1
- hash: a4a6ff86413b3b2a893627c4cff34399
- hash: aa5bf06f0cc5a8a3400e90570fb081b0
- hash: ad60f46e724d88af6bcacb8c269ac3c1
- hash: b163fa76bde53cd80d727d88b7b1d94f
- hash: b841debc5307afc8a4592ea60d64de14
- hash: ba0a349f177ffb3e398f8c780d911580
- hash: ba60d29da7fd4794b5c5f732916f7d5c
- hash: bba23f4b66a0e07f837f2832a8cd3bd4
- hash: bbf6e0a947a5f41d7f5226affcfd858c
- hash: bccd56a6b6c9496ff1acd40628edd25e
- hash: c4c0e65a5c56038034555ec4a09d3a37
- hash: c57de69b401eb58c0aad786531c02c28
- hash: ca59e49878bcf2c72b99d15c98323bcd
- hash: ca98ae7ab25ce144927a46b7fee6bd21
- hash: caa640824b0e216fab86402b14447953
- hash: cb9f86c02f756fb9afdb2fe1ad0184ee
- hash: d07eb2db2621c425bda0f046b736e372
- hash: d4be9b2b73e565b1181118cb7f44a102
- hash: d6ebc5526e957866c02c938fc01349ee
- hash: d840a70f2610b78493c41b1a344b6893
- hash: d9aecc9d4bf1d4b39aa551f3a1bcc6b7
- hash: dc3d454a7edb683bec75a6a1e28a4877
- hash: e9bed47953986f90e814ed5ed25b010c
- hash: ec7ab99beb846eec4ecee232ac0b3246
- hash: ef119626a3b07f46386e65de312cf151
- hash: f0184f6955479d631ea4b1ea0f38a35d
- hash: f53c6ee141df2083e0200a514ba19e32
- hash: f59ad0c8e47228b603efc0ff790d4a0c
- hash: f9b740dd08df6c66009b27c618f1e086
- hash: fcaeadbee39fddc907a3ae0315d86178
- hash: 2c96165dddc7e17ade9989ad3d0fcd0413ce7927
- hash: 6afa9e4bf8a92f11d73fbe19d334ca078e6f0ed5
- hash: 74e4aa22a80f721a56922e8e3fb10fbe8b354d81
- hash: 74e4c015ad78830358534c40ce519513f0a1ed7a
- hash: fee14bdd817e898642af6b6178d122b007187fb9
- hash: 26971fdd34cda3ea13f5473b4ed49c6b9600b7e8e9222e9f6f778ec3f0725c09
- hash: 3c2091a18d0ecbcc69517138173262420ab01bb25de74c99672fa1349b8e7c87
- hash: 6d806746e42c268bcbf616115b5a44be46584c9bae38e1d97e1ed6419c010767
- hash: 862775e9d9b522f4534717127a53bfb4e81ee3c974dd23807438ee77fcfccc52
- hash: f325201bc8a9ed91b7eb577ae5964876fa3884ca38ed5a3516ee3cb64f29c4a5
- url: https://trends.search-hub.cn/vuGs8
- domain: aifacecloud.com
- domain: fbgraph.com
- domain: fbsimg.com
- domain: glogstatic.com
- domain: gstatic2.com
- domain: gvvt1.com
- domain: sliidee.com
- domain: tmgstatic.com
- domain: uscelluliar.com
- domain: ytimg2.com
- domain: pkg-czu.istaticfiles.com
- domain: pkgu.istaticfiles.com
- domain: trends.search-hub.cn
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/keenadu-android-backdoor/118913/
- Adversary: Keenadu
- Pulse Id: 6994616c344268c9e9708b53
- Threat Score: null
Threat ID: 6994909f80d747be20bf9d8c
Added to database: 2/17/2026, 4:00:32 PM
Last enriched: 2/17/2026, 4:14:49 PM
Last updated: 2/21/2026, 12:18:06 AM