Merge pull request #1915 from HackTricks-wiki/update_Keenadu__Android_firmware-level_backdoor_embedded__20260218_185703

carlospolop · web-flow · commit ffeb6d528004 · 2026-03-04T09:51:39.000+01:00
Keenadu Android firmware-level backdoor embedded in libandro...
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -376,6 +376,7 @@
   - [Drozer Tutorial](mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md)
     - [Exploiting Content Providers](mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md)
   - [Exploiting a debuggeable application](mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md)
+  - [Firmware Level Zygote Backdoor Libandroid Runtime](mobile-pentesting/android-app-pentesting/firmware-level-zygote-backdoor-libandroid_runtime.md)
   - [Flutter](mobile-pentesting/android-app-pentesting/flutter.md)
   - [Frida Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/README.md)
     - [Frida Tutorial 1](mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md)
diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md
@@ -80,7 +80,7 @@ abusing-android-media-pipelines-image-parsers.md
 {{#endref}}
 
 {{#ref}}
-../../binary-exploitation/linux-kernel-exploitation/arm64-static-linear-map-kaslr-bypass.md
+firmware-level-zygote-backdoor-libandroid_runtime.md
 {{#endref}}
 
 ## Static Analysis
diff --git a/src/mobile-pentesting/android-app-pentesting/firmware-level-zygote-backdoor-libandroid_runtime.md b/src/mobile-pentesting/android-app-pentesting/firmware-level-zygote-backdoor-libandroid_runtime.md
@@ -0,0 +1,52 @@
+# Firmware-level Android Backdoor via libandroid_runtime Zygote Injection
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+
+Supply-chain tampering of `/system/lib[64]/libandroid_runtime.so` can hijack `android.util.Log.println_native` so that **every app forked from Zygote executes attacker code**. The Keenadu backdoor adds a single call inside `println_native` that drives a native dropper. Because all app processes run this code, Android sandbox boundaries and per-app permissions are effectively bypassed.
+
+## Dropper path: native patch → RC4 → DexClassLoader
+- Hooked entry: extra call inside `println_native` to `__log_check_tag_count` (injected static lib `libVndxUtils.a`).
+- Payload storage: RC4-decrypt blob embedded in the `.so`, drop to `/data/dalvik-cache/arm[64]/system@framework@vndx_10x.jar@classes.jar`.
+- Load & execute: `DexClassLoader` loads the jar and invokes `com.ak.test.Main.main`. Runtime logs use tag `AK_CPP` (triage artifact).
+- Anti-analysis: aborts in Google/Sprint/T-Mobile system apps or if kill-switch files exist.
+- Zygote role split:
+  - In `system_server` → instantiate `AKServer`.
+  - In any other app → instantiate `AKClient`.
+
+## Binder-based client/server backdoor
+- `AKServer` (running in `system_server`) sends protected broadcasts:
+  - `com.action.SystemOptimizeService` → binder interface for clients.
+  - `com.action.SystemProtectService` → binder interface for downloaded modules.
+- `AKClient` (inside every app) receives the interface via broadcast and performs an `attach` transaction, handing an IPC wrapper so the server can load arbitrary DEX **inside the current app process**.
+- Exposed privileged operations (via `SystemProtectService`): grant/revoke any permission for any package, retrieve geolocation, and exfiltrate device info. This centralizes privilege bypass while still executing code in chosen target apps (Chrome, YouTube, launcher, shopping apps, etc.).
+
+## C2 staging, crypto, and gating
+- Host discovery: Base64 → gzip → AES-128-CFB decrypt with key `MD5("ota.host.ba60d29da7fd4794b5c5f732916f7d5c")`, IV `"0102030405060708"`.
+- Victim registration: collect IMEI/MAC/model/OS, encrypt with key `MD5("ota.api.bbf6e0a947a5f41d7f5226affcfd858c")`, POST to `/ak/api/pts/v4` with params `m=MD5(IMEI)` and `n=w|m` (network type). Response `data` is encrypted identically.
+- Activation delay: C2 serves modules only after ~2.5 months from an "activation time" in the request, frustrating sandbox detonations.
+- Module container (proprietary):
+```
+struct KeenaduPayload {
+    int32_t  version;
+    uint8_t  padding[0x100];
+    uint8_t  salt[0x20];
+    KeenaduChunk config;   // size + data
+    KeenaduChunk payload;  // size + data
+    KeenaduChunk signature;// size + data
+} __packed;
+```
+  - Integrity: MD5 file check + DSA signature (only operator with private key can issue modules).
+  - Decryption: AES-128-CFB, key `MD5("37d9a33df833c0d6f11f1b8079aaa2dc" + salt)`, IV `"0102030405060708"`.
+
+## Persistence & forensic tips
+- Supply chain placement: malicious static lib `libVndxUtils.a` linked into `libandroid_runtime.so` during build (e.g., `vendor/mediatek/proprietary/external/libutils/arm[64]/libVndxUtils.a`).
+- Firmware auditing: firmware images ship as Android Sparse `super.img`; use `lpunpack` (or similar) to extract partitions and inspect `libandroid_runtime.so` for extra calls in `println_native`.
+- On-device artifacts: presence of `/data/dalvik-cache/arm*/system@framework@vndx_10x.jar@classes.jar`, logcat tag `AK_CPP`, or protected broadcasts named `com.action.SystemOptimizeService`/`com.action.SystemProtectService` indicate compromise.
+
+## References
+- [Keenadu firmware backdoor analysis](https://securelist.com/keenadu-android-backdoor/118913/)
+- [lpunpack utility for Android sparse images](https://github.com/unix3dgforce/lpunpack)
+
+{{#include ../../banners/hacktricks-training.md}}
