Firmware-level Android Backdoor via libandroid_runtime Zygote Injection

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

Kuingilia kati mnyororo wa ugavi wa /system/lib[64]/libandroid_runtime.so inaweza kudukua android.util.Log.println_native hivyo kwamba kila app inayotokana na Zygote inatekeleza msimbo wa mshambuliaji. Backdoor ya Keenadu inaongeza simu moja ndani ya println_native ambayo inaendesha native dropper. Kwa kuwa mchakato wote wa app zinaendesha msimbo huu, mipaka ya Android sandbox na ruhusa za kila-app zinavunjwa kwa ufanisi.

Dropper path: native patch β†’ RC4 β†’ DexClassLoader

  • Hooked entry: extra call inside println_native to __log_check_tag_count (injected static lib libVndxUtils.a).
  • Payload storage: RC4-decrypt blob embedded in the .so, drop to /data/dalvik-cache/arm[64]/system@framework@vndx_10x.jar@classes.jar.
  • Load & execute: DexClassLoader loads the jar and invokes com.ak.test.Main.main. Runtime logs use tag AK_CPP (triage artifact).
  • Anti-analysis: aborts in Google/Sprint/T-Mobile system apps or if kill-switch files exist.
  • Zygote role split:
  • In system_server β†’ instantiate AKServer.
  • In any other app β†’ instantiate AKClient.

Binder-based client/server backdoor

  • AKServer (running in system_server) sends protected broadcasts:
  • com.action.SystemOptimizeService β†’ binder interface for clients.
  • com.action.SystemProtectService β†’ binder interface for downloaded modules.
  • AKClient (inside every app) receives the interface via broadcast and performs an attach transaction, handing an IPC wrapper so the server can load arbitrary DEX inside the current app process.
  • Exposed privileged operations (via SystemProtectService): grant/revoke any permission for any package, retrieve geolocation, and exfiltrate device info. Hii inajaza kivyo vya kupitisha ruhusa huku msimbo ukitekelezwa ndani ya apps walengwa (Chrome, YouTube, launcher, shopping apps, n.k.).

C2 staging, crypto, and gating

  • Host discovery: Base64 β†’ gzip β†’ AES-128-CFB decrypt with key MD5("ota.host.ba60d29da7fd4794b5c5f732916f7d5c"), IV "0102030405060708".
  • Victim registration: collect IMEI/MAC/model/OS, encrypt with key MD5("ota.api.bbf6e0a947a5f41d7f5226affcfd858c"), POST to /ak/api/pts/v4 with params m=MD5(IMEI) and n=w|m (network type). Response data is encrypted identically.
  • Activation delay: C2 serves modules only after ~2.5 months from an β€œactivation time” in the request, frustrating sandbox detonations.
  • Module container (proprietary):
struct KeenaduPayload {
int32_t  version;
uint8_t  padding[0x100];
uint8_t  salt[0x20];
KeenaduChunk config;   // size + data
KeenaduChunk payload;  // size + data
KeenaduChunk signature;// size + data
} __packed;
  • Integrity: MD5 file check + DSA signature (mwendeshaji pekee aliye na private key anaweza kutoa modules).
  • Decryption: AES-128-CFB, key MD5("37d9a33df833c0d6f11f1b8079aaa2dc" + salt), IV "0102030405060708".

Persistence & forensic tips

  • Supply chain placement: maktaba ya static ya hatari libVndxUtils.a imeunganishwa ndani ya libandroid_runtime.so wakati wa build (kwa mfano, vendor/mediatek/proprietary/external/libutils/arm[64]/libVndxUtils.a).
  • Firmware auditing: picha za firmware hutumwa kama Android Sparse super.img; tumia lpunpack (au sawa) kutoa partitions na kuchunguza libandroid_runtime.so kwa wito za ziada katika println_native.
  • On-device artifacts: uwepo wa /data/dalvik-cache/arm*/system@framework@vndx_10x.jar@classes.jar, logcat tag AK_CPP, au protected broadcasts zenye majina com.action.SystemOptimizeService/com.action.SystemProtectService zinaashiria kuingiliwa.

Marejeo

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks