Backdoor Android a livello firmware via libandroid_runtime Zygote Injection

Tip

Impara e pratica il hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Impara e pratica il hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Impara e pratica il hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Supporta HackTricks

Panoramica

Manomissione della supply-chain di /system/lib[64]/libandroid_runtime.so può dirottare android.util.Log.println_native in modo che ogni app forkata da Zygote esegua il codice dell’attaccante. Il backdoor Keenadu aggiunge una singola chiamata all’interno di println_native che avvia un dropper nativo. Poiché tutti i processi delle app eseguono questo codice, i confini del sandbox Android e i permessi per singola app sono effettivamente aggirati.

Dropper path: native patch → RC4 → DexClassLoader

  • Hooked entry: chiamata extra dentro println_native a __log_check_tag_count (injected static lib libVndxUtils.a).
  • Payload storage: blob cifrato RC4 incorporato nella .so, drop to /data/dalvik-cache/arm[64]/system@framework@vndx_10x.jar@classes.jar.
  • Load & execute: DexClassLoader loads the jar and invokes com.ak.test.Main.main. Runtime logs use tag AK_CPP (triage artifact).
  • Anti-analysis: aborts in Google/Sprint/T-Mobile system apps or if kill-switch files exist.
  • Zygote role split:
  • In system_server → instantiate AKServer.
  • In any other app → instantiate AKClient.

Binder-based client/server backdoor

  • AKServer (running in system_server) sends protected broadcasts:
  • com.action.SystemOptimizeService → binder interface for clients.
  • com.action.SystemProtectService → binder interface for downloaded modules.
  • AKClient (inside every app) receives the interface via broadcast and performs an attach transaction, handing an IPC wrapper so the server can load arbitrary DEX inside the current app process.
  • Exposed privileged operations (via SystemProtectService): grant/revoke any permission for any package, retrieve geolocation, and exfiltrate device info. This centralizes privilege bypass while still executing code in chosen target apps (Chrome, YouTube, launcher, shopping apps, etc.).

C2 staging, crypto, and gating

  • Host discovery: Base64 → gzip → AES-128-CFB decrypt with key MD5("ota.host.ba60d29da7fd4794b5c5f732916f7d5c"), IV "0102030405060708".
  • Victim registration: collect IMEI/MAC/model/OS, encrypt with key MD5("ota.api.bbf6e0a947a5f41d7f5226affcfd858c"), POST to /ak/api/pts/v4 with params m=MD5(IMEI) and n=w|m (network type). Response data is encrypted identically.
  • Activation delay: C2 serves modules only after ~2.5 months from an “activation time” in the request, frustrating sandbox detonations.
  • Module container (proprietary):
struct KeenaduPayload {
int32_t  version;
uint8_t  padding[0x100];
uint8_t  salt[0x20];
KeenaduChunk config;   // size + data
KeenaduChunk payload;  // size + data
KeenaduChunk signature;// size + data
} __packed;
  • Integrità: MD5 file check + DSA signature (solo l’operatore con la chiave privata può emettere moduli).
  • Decrittazione: AES-128-CFB, key MD5("37d9a33df833c0d6f11f1b8079aaa2dc" + salt), IV "0102030405060708".

Persistenza & consigli forensi

  • Posizionamento nella supply chain: libreria statica malevola libVndxUtils.a collegata a libandroid_runtime.so durante la build (es., vendor/mediatek/proprietary/external/libutils/arm[64]/libVndxUtils.a).
  • Analisi del firmware: le immagini del firmware sono distribuite come Android Sparse super.img; usare lpunpack (o simile) per estrarre le partizioni e ispezionare libandroid_runtime.so per chiamate aggiuntive in println_native.
  • Artefatti sul dispositivo: la presenza di /data/dalvik-cache/arm*/system@framework@vndx_10x.jar@classes.jar, il tag logcat AK_CPP, o broadcast protetti chiamati com.action.SystemOptimizeService/com.action.SystemProtectService indicano compromissione.

References

Tip

Impara e pratica il hacking AWS:HackTricks Training AWS Red Team Expert (ARTE)
Impara e pratica il hacking GCP: HackTricks Training GCP Red Team Expert (GRTE) Impara e pratica il hacking Azure: HackTricks Training Azure Red Team Expert (AzRTE)

Supporta HackTricks