PULSE NAME
Android devices ship with firmware-level malware
WHITE PetrP.73 2026-03-24 Modified: 2026-04-23
35 IOCs
MEDIUM VOLUME
Keenadu malware is a significant cyber threat targeting Android devices, identified by SophosLabs analysts in late February 2026. This malware operates as a firmware-level backdoor embedded within the libandroid_runtime.so library, enabling attackers to take full control of infected devices. By injecting itself into the Zygote process, which serves as the parent for all Android applications, Keenadu ensures its presence across all apps on the compromised device. The payload can function as a downloader for various malicious modules aimed at extracting data from applications or facilitating ad fraud.
Indicators of Compromise (5 / 35 total)