Researchers at Kaspersky have analyzed a recently discovered Android malware that enables its operators to remotely control compromised devices.
Dubbed Keenadu, the backdoor has been found in the firmware of various Android device brands, particularly tablets.
While in some cases the malware appears to have been injected into the firmware during development, it has also been delivered to devices via OTA firmware updates.
The malware gives its operators full control of the infected device, but it seems to be mainly used for ad fraud. Kaspersky researchers have seen Keenadu payloads designed to hijack browser search engines, monetize new app installs, and click on ads.
In many cases the malware was preinstalled on devices, but the security firm has also seen it distributed through application stores, including Google Play and Xiaomi GetApps, disguised as smart camera apps. The fake applications identified by Kaspersky on Google Play had been downloaded more than 300,000 times before they were removed.
The security firm’s products have detected Keenadu malware infections on roughly 13,000 devices, mainly in Russia, Japan, Germany, Brazil, and the Netherlands.
“A copy of the backdoor is loaded into the address space of every app upon launch,” Kaspersky explained, adding, “In certain firmware builds, Keenadu was integrated directly into critical system utilities, including the facial recognition service, the launcher app, and others.”
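A backdoor that is mapped into every app process at launch leaves a simple trace: the same shared object shows up in the memory map of every app, whether or not the app itself ships it. The triage script below is an added example, not Kaspersky's tooling and not code from the article. It parses `/proc/<pid>/maps` excerpts (constructed sample data; the library name `libexample_hook.so`, the package names and the baseline set are all hypothetical) and reports the shared objects that are mapped in every app process but absent from a baseline collected on a known-clean device running the same firmware build.

```python
"""Triage heuristic for a backdoor that is mapped into every app process.

Added example, not from the article or from Kaspersky: given /proc/<pid>/maps
excerpts for several app processes, report shared objects that every process
maps and that a known-clean baseline of the same firmware build does not.
All paths, package names and the baseline below are constructed sample data.
"""
import re

# Hypothetical baseline: libraries every app maps on a known-clean build.
CLEAN_BASELINE = {
    "/system/lib64/libc.so",
    "/system/lib64/libandroid_runtime.so",
    "/apex/com.android.art/lib64/libart.so",
}

# Constructed /proc/<pid>/maps excerpts for three app processes.
# "/system/lib64/libexample_hook.so" is a made-up stand-in for an injected
# library that lives in a system path, as a firmware-level implant would.
SAMPLE_MAPS = {
    "com.example.mail": """\
7f0000000000-7f0000100000 r-xp 00000000 fd:00 1234    /system/lib64/libc.so
7f0000200000-7f0000300000 r-xp 00000000 fd:00 1235    /system/lib64/libandroid_runtime.so
7f0000400000-7f0000500000 r-xp 00000000 fd:00 1236    /apex/com.android.art/lib64/libart.so
7f0000600000-7f0000700000 r-xp 00000000 fd:00 9999    /system/lib64/libexample_hook.so
7f0000800000-7f0000900000 r-xp 00000000 fd:00 4321    /data/app/com.example.mail/lib/arm64/libmail.so
7ffc00000000-7ffc00020000 rw-p 00000000 00:00 0       [stack]
""",
    "com.example.camera": """\
7f1000000000-7f1000100000 r-xp 00000000 fd:00 1234    /system/lib64/libc.so
7f1000200000-7f1000300000 r-xp 00000000 fd:00 1235    /system/lib64/libandroid_runtime.so
7f1000400000-7f1000500000 r-xp 00000000 fd:00 1236    /apex/com.android.art/lib64/libart.so
7f1000600000-7f1000700000 r-xp 00000000 fd:00 9999    /system/lib64/libexample_hook.so
7f1000800000-7f1000900000 r-xp 00000000 fd:00 5555    /data/app/com.example.camera/lib/arm64/libcam.so
7f1000a00000-7f1000a10000 rw-p 00000000 00:00 0
""",
    "com.example.notes": """\
7f2000000000-7f2000100000 r-xp 00000000 fd:00 1234    /system/lib64/libc.so
7f2000200000-7f2000300000 r-xp 00000000 fd:00 1235    /system/lib64/libandroid_runtime.so
7f2000400000-7f2000500000 r-xp 00000000 fd:00 1236    /apex/com.android.art/lib64/libart.so
7f2000600000-7f2000700000 r-xp 00000000 fd:00 9999    /system/lib64/libexample_hook.so
7f2000800000-7f2000810000 r--p 00000000 00:00 0       [vdso]
""",
}

# maps format: address perms offset dev inode [pathname]; pathname is optional
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s*(.*)$")
SHARED_OBJECT = re.compile(r"\.so(\.\d+)*$")


def mapped_libraries(maps_text):
    """Return the set of file-backed shared-object paths mapped in one process."""
    libs = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group(1).strip()
        # Skip anonymous mappings and pseudo-paths such as [stack] or [vdso].
        if path.startswith("/") and SHARED_OBJECT.search(path):
            libs.add(path)
    return libs


def common_to_all(process_maps):
    """Shared objects present in every process's map (empty if no processes)."""
    sets = [mapped_libraries(text) for text in process_maps.values()]
    return set.intersection(*sets) if sets else set()


def suspicious_common_libraries(process_maps, baseline):
    """Libraries every app maps that the clean baseline does not explain."""
    return sorted(common_to_all(process_maps) - baseline)


if __name__ == "__main__":
    for lib in suspicious_common_libraries(SAMPLE_MAPS, CLEAN_BASELINE):
        print("mapped in every app, not in clean baseline:", lib)
```

Two caveats matter when running this against a real device. First, a firmware-level implant sits in `/system` or a similar trusted path, so filtering by path prefix is useless; the baseline has to come from a build you actually trust, and on a device whose firmware shipped with the backdoor there may be no such build to compare against. Second, the heuristic only sees file-backed mappings; code injected from memory with no backing file will not appear as a path, so an empty result is not a clean bill of health. Reading the maps of other apps' processes also normally requires a rooted device.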
The researchers have found links between Keenadu and several massive botnets largely powered by low-cost Android devices, including Triada, Vo1d, and BadBox.
As with the other botnets, evidence indicates that Keenadu has Chinese origins.
“Several of the largest Android botnets are interacting with one another,” Kaspersky said. “Currently, we have confirmed links between Triada, Vo1d, and BadBox, as well as the connection between Keenadu and BadBox.”
“It is important to emphasize that these connections are not necessarily transitive,” the company added. “For example, the fact that both Triada and Keenadu are linked to BadBox does not automatically imply that Triada and Keenadu are directly connected; such a claim would require separate evidence. However, given the current landscape, we would not be surprised if future reports provide the evidence needed to prove the transitivity of these relationships.”