Firmware-level Android Backdoor via libandroid_runtime Zygote Injection

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

Supply-chain tampering of /system/lib[64]/libandroid_runtime.so can hijack android.util.Log.println_native so that every app forked from Zygote executes attacker code. The Keenadu backdoor adds a single extra call inside println_native that drives a native dropper. Because the patched library is mapped into Zygote and inherited by every process it forks, that code runs inside every app (and inside system_server), so the Android app sandbox and per-app permissions no longer constrain it.

Dropper path: native patch → RC4 → DexClassLoader

  • Hooked entry: an extra call inside println_native to __log_check_tag_count, a function contributed by the injected static library libVndxUtils.a. Every Log.* call goes through println_native, so the hook fires early in practically every process.
  • Payload storage: an RC4-encrypted blob embedded in the .so is decrypted and written to /data/dalvik-cache/arm[64]/system@framework@vndx_10x.jar@classes.jar, a name that mimics the legitimate system@framework@*.jar@classes.* entries in that directory.
  • Load & execute: DexClassLoader loads the jar and invokes com.ak.test.Main.main. Runtime logging uses the tag AK_CPP (a triage artifact).
  • Anti-analysis: the dropper aborts when it finds itself inside Google, Sprint or T-Mobile system apps, or when kill-switch files are present on the device.
  • Role split by process:
    • In system_server → instantiate AKServer.
    • In any other app → instantiate AKClient.

Binder-based client/server backdoor

  • AKServer (running in system_server) sends protected broadcasts:
    • com.action.SystemOptimizeService → carries the Binder interface for clients.
    • com.action.SystemProtectService → carries the Binder interface for downloaded modules.
  • AKClient (inside every app) receives the interface via the broadcast and performs an attach transaction, handing the server an IPC wrapper through which it can load arbitrary DEX into that app's process.
  • Privileged operations exposed via SystemProtectService: grant or revoke any permission for any package, retrieve geolocation, and exfiltrate device info. Privilege bypass is thus centralized in system_server, while code still executes inside chosen target apps (Chrome, YouTube, the launcher, shopping apps, etc.) and runs with those apps' UID and permissions.

C2 staging, crypto, and gating

  • Host discovery: the C2 host is recovered by Base64-decoding, gunzipping, then AES-128-CFB-decrypting an embedded blob with key MD5("ota.host.ba60d29da7fd4794b5c5f732916f7d5c") and IV "0102030405060708".
  • Victim registration: collect IMEI/MAC/model/OS, encrypt with key MD5("ota.api.bbf6e0a947a5f41d7f5226affcfd858c") (same mode and IV), and POST to /ak/api/pts/v4 with query parameters m=MD5(IMEI) and n=w|m (network type). The response data is encrypted identically. Both keys derive from hard-coded strings, so traffic from any infected device can be decrypted offline once the seeds are known.
  • Activation delay: the C2 serves modules only about 2.5 months after the "activation time" sent in the request, which outlasts typical sandbox detonations.
  • Module container (proprietary format):

```c
struct KeenaduPayload {
    int32_t  version;
    uint8_t  padding[0x100];
    uint8_t  salt[0x20];        // per-module salt mixed into the AES key
    KeenaduChunk config;        // size + data
    KeenaduChunk payload;       // size + data (AES-128-CFB encrypted)
    KeenaduChunk signature;     // size + data (DSA)
} __packed;
```
  • Integrity: MD5 check of the whole file plus a DSA signature, so only the operator holding the private key can issue modules; hijacking the C2 host alone is not enough to push code.
  • Decryption: AES-128-CFB, key MD5("37d9a33df833c0d6f11f1b8079aaa2dc" + salt) with the salt taken from the container header, IV "0102030405060708".
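
As an added example (not code from the write-up or from the Keenadu sample), the following Go program implements the C2 staging crypto as the bullets above describe it: the host-discovery decode chain, the registration query parameters and the body/response cipher. The seeds, IV, endpoint and parameter names come from the write-up. Assumptions of mine: the raw 16-byte MD5 digest is the AES key (not its hex string), n is "w" for Wi-Fi and "m" for mobile data, and the sample host and IMEI are made up; EncodeHostBlob exists only to build an offline sample.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"io"
)

// Seeds, IV, endpoint and parameter names are quoted from the write-up.
const (
	hostKeySeed = "ota.host.ba60d29da7fd4794b5c5f732916f7d5c"
	apiKeySeed  = "ota.api.bbf6e0a947a5f41d7f5226affcfd858c"
	staticIV    = "0102030405060708" // 16 ASCII bytes == one AES block
	endpoint    = "/ak/api/pts/v4"
)

// md5Key turns a seed into the AES-128 key. Assumed: the raw 16-byte digest is
// the key, not its hex string.
func md5Key(seed string) []byte {
	sum := md5.Sum([]byte(seed))
	return sum[:]
}

// aesCFB applies AES-128-CFB with the fixed IV in either direction. A static
// IV means equal plaintexts give equal ciphertexts across all victims.
func aesCFB(key, data []byte, decrypt bool) []byte {
	block, _ := aes.NewCipher(key) // md5Key always yields a valid 16-byte key
	s := cipher.NewCFBEncrypter(block, []byte(staticIV))
	if decrypt {
		s = cipher.NewCFBDecrypter(block, []byte(staticIV))
	}
	out := make([]byte, len(data))
	s.XORKeyStream(out, data)
	return out
}

// DecodeHostBlob reverses the host-discovery chain in the order the write-up
// lists it: Base64 decode -> gunzip -> AES-128-CFB decrypt with the host key.
func DecodeHostBlob(blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	zr, err := gzip.NewReader(bytes.NewReader(raw))
	if err != nil {
		return "", err
	}
	ct, err := io.ReadAll(zr)
	if err != nil {
		return "", err
	}
	return string(aesCFB(md5Key(hostKeySeed), ct, true)), nil
}

// EncodeHostBlob is the operator-side forward direction (AES -> gzip ->
// Base64); it exists here only so a sample blob can be built offline.
func EncodeHostBlob(host string) string {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(aesCFB(md5Key(hostKeySeed), []byte(host), false))
	zw.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// RegistrationQuery builds the query string of the registration POST:
// m = hex MD5(IMEI); n = "w" or "m" (assumed: Wi-Fi vs. mobile data).
func RegistrationQuery(imei string, wifi bool) string {
	n := "m"
	if wifi {
		n = "w"
	}
	sum := md5.Sum([]byte(imei))
	return "m=" + hex.EncodeToString(sum[:]) + "&n=" + n
}

// APICrypt encrypts the registration body or decrypts the C2 response; the
// write-up says both directions use the api key with the same mode and IV.
func APICrypt(body []byte, decrypt bool) []byte {
	return aesCFB(md5Key(apiKeySeed), body, decrypt)
}

func main() {
	// Constructed sample values, not captured traffic.
	blob := EncodeHostBlob("https://ota.example.invalid")
	host, err := DecodeHostBlob(blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("C2 host:", host)
	fmt.Println("POST", endpoint+"?"+RegistrationQuery("356938035643809", true))
	body := APICrypt([]byte(`{"model":"constructed","os":"13"}`), false)
	fmt.Printf("encrypted body: %x\n", body)
}
```

Because the key and IV are fixed, a decrypted registration body or response from any device can be recovered with APICrypt alone, and identical plaintext prefixes produce identical ciphertext prefixes, which is usable as a network signature.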

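Added example (not the write-up's or the malware's code): a Go parser for the KeenaduPayload container above, with the whole-file MD5 check and the salt-dependent key derivation from the Decryption bullet. The layout and key seed come from the write-up. Assumptions of mine: chunk sizes are little-endian int32, the raw salt bytes are appended to the ASCII seed, and the raw MD5 digest is the AES key; the DSA signature chunk is parsed but not verified because the write-up does not specify which bytes are signed or how r and s are encoded. BuildContainer and the salt in main exist only to construct an offline sample.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Key seed and layout are quoted from the write-up; encodings marked "assumed" are not.
const moduleKeySeed = "37d9a33df833c0d6f11f1b8079aaa2dc"

// Container mirrors KeenaduPayload: version, 0x100 padding, 0x20 salt, then the
// config, payload and signature chunks (each size + data).
type Container struct {
	Version                    int32
	Salt                       [0x20]byte
	Config, Payload, Signature []byte
}

// readChunk reads one KeenaduChunk: an int32 size (assumed little-endian) followed
// by that many bytes. Sizes that overrun the file are refused rather than trusted.
func readChunk(r *bytes.Reader) ([]byte, error) {
	var n int32
	if err := binary.Read(r, binary.LittleEndian, &n); err != nil {
		return nil, err
	}
	if n < 0 || int(n) > r.Len() {
		return nil, errors.New("chunk size exceeds container")
	}
	buf := make([]byte, n)
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// ParseContainer walks the fixed header, then the three length-prefixed chunks.
func ParseContainer(b []byte) (*Container, error) {
	r, c := bytes.NewReader(b), &Container{}
	if err := binary.Read(r, binary.LittleEndian, &c.Version); err != nil {
		return nil, err
	}
	if _, err := r.Seek(0x100, io.SeekCurrent); err != nil { // skip padding
		return nil, err
	}
	if _, err := io.ReadFull(r, c.Salt[:]); err != nil {
		return nil, err
	}
	var err error
	for _, dst := range []*[]byte{&c.Config, &c.Payload, &c.Signature} {
		if *dst, err = readChunk(r); err != nil {
			return nil, err
		}
	}
	return c, nil
}

// BuildContainer is the inverse of ParseContainer, used only to construct a sample.
func BuildContainer(version int32, salt [0x20]byte, chunks ...[]byte) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, version)
	buf.Write(make([]byte, 0x100))
	buf.Write(salt[:])
	for _, ch := range chunks {
		binary.Write(&buf, binary.LittleEndian, int32(len(ch)))
		buf.Write(ch)
	}
	return buf.Bytes()
}

// FileMD5Matches is the whole-file integrity check against the hex digest the
// operator supplies. The DSA signature chunk is parsed but not verified here
// because the write-up does not say which bytes are signed or how r and s are encoded.
func FileMD5Matches(file []byte, expectedHex string) bool {
	sum := md5.Sum(file)
	return hex.EncodeToString(sum[:]) == expectedHex
}

// ModuleKey derives the per-module AES-128 key MD5(seed || salt). Assumed: the
// raw 32 salt bytes are appended to the ASCII seed and the raw digest is the key;
// feed it, with the static IV, to the same AES-128-CFB routine the C2 traffic uses.
func ModuleKey(c *Container) []byte {
	h := md5.New()
	h.Write([]byte(moduleKeySeed))
	h.Write(c.Salt[:])
	return h.Sum(nil)
}

func main() {
	// Constructed sample, not a real module file.
	var salt [0x20]byte
	copy(salt[:], "constructed-salt-for-the-example")
	file := BuildContainer(1, salt, []byte(`{"cfg":1}`), []byte("ciphertext"), []byte("sig"))
	c, err := ParseContainer(file)
	if err != nil {
		panic(err)
	}
	fmt.Printf("version=%d config=%s key=%x\n", c.Version, c.Config, ModuleKey(c))
}
```

The bounds check in readChunk matters when parsing modules pulled from a live C2 or a carved dump: a truncated or hostile file must fail cleanly instead of allocating a multi-gigabyte buffer from an attacker-controlled size field.
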
Persistence & forensic tips

  • Supply-chain placement: the malicious static library libVndxUtils.a is linked into libandroid_runtime.so at build time (e.g. from vendor/mediatek/proprietary/external/libutils/arm[64]/libVndxUtils.a), so the backdoor ships inside the vendor build rather than being added post-install.
  • Firmware auditing: firmware ships as an Android sparse super.img; convert it with simg2img, split the logical partitions with lpunpack (or similar), then inspect system/lib[64]/libandroid_runtime.so and compare println_native against a clean build of the same Android version to spot the extra call.
  • On-device artifacts: /data/dalvik-cache/arm*/system@framework@vndx_10x.jar@classes.jar, the logcat tag AK_CPP, or protected broadcasts named com.action.SystemOptimizeService / com.action.SystemProtectService all indicate compromise.
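
To turn the artifacts above into a repeatable check, here is an added Go triage tool (not from the write-up) that runs the indicators over a logcat capture, a file listing, a broadcast dump and the raw bytes of an extracted libandroid_runtime.so. The indicator values are the write-up's; the sample inputs in main are constructed, and treating the presence of the AK_CPP, vndx_10x and __log_check_tag_count strings inside the library as suspicious is a heuristic of mine (a stripped build would drop the symbol name but still has to carry the log tag and the jar name).

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
)

// Indicators are taken from the write-up. Matching strings inside the library is
// a heuristic: a patched libandroid_runtime.so has to carry the log tag and the
// dalvik-cache file name somewhere in .rodata, while a clean build has no reason
// to contain them. The symbol name only survives if the build was not stripped.
var (
	dexCachePath = regexp.MustCompile(`^/data/dalvik-cache/arm(64)?/system@framework@vndx_10x\.jar@classes\.jar$`)
	logcatTag    = regexp.MustCompile(`\bAK_CPP\b`)
	broadcasts   = []string{"com.action.SystemOptimizeService", "com.action.SystemProtectService"}
	libStrings   = []string{"AK_CPP", "vndx_10x", "__log_check_tag_count"}
)

// Finding ties an indicator to the line or string that matched it.
type Finding struct{ Source, Indicator, Evidence string }

// ScanLogcat flags every line carrying the AK_CPP tag.
func ScanLogcat(logcat string) (f []Finding) {
	for _, line := range strings.Split(logcat, "\n") {
		if logcatTag.MatchString(line) {
			f = append(f, Finding{"logcat", "AK_CPP", line})
		}
	}
	return
}

// ScanPaths flags dalvik-cache entries that match the dropped jar exactly.
func ScanPaths(paths []string) (f []Finding) {
	for _, p := range paths {
		if dexCachePath.MatchString(p) {
			f = append(f, Finding{"filesystem", "vndx_10x jar", p})
		}
	}
	return
}

// ScanBroadcasts flags the two action names in any text dump, e.g. the output
// of `dumpsys activity broadcasts` or a decoded framework manifest.
func ScanBroadcasts(dump string) (f []Finding) {
	for _, b := range broadcasts {
		if strings.Contains(dump, b) {
			f = append(f, Finding{"broadcast", b, b})
		}
	}
	return
}

// ScanRuntimeLib greps the raw bytes of libandroid_runtime.so for the backdoor's own strings.
func ScanRuntimeLib(so []byte) (f []Finding) {
	for _, s := range libStrings {
		if bytes.Contains(so, []byte(s)) {
			f = append(f, Finding{"libandroid_runtime.so", s, s})
		}
	}
	return
}

// Triage runs all four checks over the artifacts collected from one device or image.
func Triage(logcat string, paths []string, dump string, so []byte) []Finding {
	f := ScanLogcat(logcat)
	f = append(f, ScanPaths(paths)...)
	f = append(f, ScanBroadcasts(dump)...)
	return append(f, ScanRuntimeLib(so)...)
}

func main() {
	// Constructed sample input; none of these lines come from a real device.
	logcat := "10-02 12:00:01.101  1234  1234 I AK_CPP  : dex loaded\n" +
		"10-02 12:00:01.102  1234  1234 I ActivityManager: Start proc\n"
	paths := []string{
		"/data/dalvik-cache/arm64/system@framework@vndx_10x.jar@classes.jar",
		"/data/dalvik-cache/arm64/system@framework@framework.jar@classes.dex",
	}
	dump := "Intent { act=com.action.SystemOptimizeService flg=0x10 }"
	so := append([]byte("\x7fELF\x00clean-bytes\x00"), []byte("AK_CPP\x00")...)
	for _, f := range Triage(logcat, paths, dump, so) {
		fmt.Printf("[%s] %s: %s\n", f.Source, f.Indicator, f.Evidence)
	}
}
```

On a live device the inputs come from `adb logcat -d`, `adb shell ls /data/dalvik-cache/*` and `adb shell dumpsys activity broadcasts`; for a firmware image, feed the library bytes from the unpacked system partition instead.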
