PULSE NAME
Android devices ship with firmware-level malware
WHITE PetrP.73 2026-03-24 Modified: 2026-04-23
35 IOCs, MEDIUM VOLUME
Keenadu malware is a significant cyber threat targeting Android devices, identified by SophosLabs analysts in late February 2026. This malware operates as a firmware-level backdoor embedded within the libandroid_runtime.so library, enabling attackers to take full control of infected devices. By injecting itself into the Zygote process, which serves as the parent for all Android applications, Keenadu ensures its presence across all apps on the compromised device. The payload can function as a downloader for various malicious modules aimed at extracting data from applications or facilitating ad fraud.
Indicators of Compromise (5 / 35 total)