In the rapidly evolving landscape of mobile threats, the idea that malware only arrives via shady third-party app stores is a dangerous misconception. A recent, sophisticated supply chain attack has surfaced, proving that even the devices rolling off the assembly line—or being updated via official channels—can harbor sinister secrets.
Security researchers have uncovered a new campaign involving a malware strain known as Keenadu. Unlike traditional malicious apps that users might accidentally install, Keenadu is embedded deep within the device supply chain. This breach of trust allows attackers to hijack Android devices before they even reach the end-user, turning legitimate hardware into a tool for cybercrime.
Analysis: How Keenadu Operates
This threat highlights a disturbing trend in mobile security: the exploitation of the supply chain. By compromising the manufacturing or firmware update process, attackers ensure their malicious code is pre-installed or silently injected onto devices.
The Technical Breakdown:
- Persistence is Key: Because Keenadu is integrated at the supply chain level, it often resides in the system partition or firmware. This makes it incredibly difficult for standard antivirus software to remove, as the malware reinstalls itself or simply cannot be deleted without root access or a complex flashing process.
- Payload Capabilities: Once active, Keenadu acts as a gateway for further malicious payloads. Its primary functions include:
- Browser Hijacking: The malware silently redirects user searches to attacker-controlled sites, generating revenue through SEO poisoning and fraudulent clicks.
- Ad Fraud: Keenadu simulates user interactions with advertisements, stealing revenue from legitimate ad networks. This happens silently in the background, draining battery life and using data without the user's knowledge.
- Remote Execution: Perhaps most alarming is the malware's ability to download and execute additional modules, giving attackers a backdoor to evolve the threat or spy on the victim.
Why It Matters: This attack vector undermines the fundamental trust users place in device manufacturers. When a phone comes out of the box compromised, the concept of "safe computing" is shattered. For businesses, this means that corporate-issued devices could be leaking data or participating in botnets from day one.
Mitigation Strategies
Defending against supply chain attacks requires a shift from simple endpoint protection to a holistic security posture. Here is how organizations can mitigate the risk:
- Rigorous Vendor Vetting: Businesses must demand transparency from hardware vendors regarding their software sourcing and build processes.
- Network Anomaly Detection: Since Keenadu engages in ad fraud and data exfiltration, it creates unique traffic patterns. Implementing deep packet inspection (DPI) can help identify devices communicating with known malicious command-and-control (C2) servers.
- Mobile Device Management (MDM): Strong MDM policies can restrict permissions and detect unauthorized system modifications, potentially flagging the presence of hidden malware.
- Regular Firmware Audits: Ensure that devices are running the latest, verified firmware versions to patch known supply chain vulnerabilities.
Security Arsenal Plug
At Security Arsenal, we understand that the threat landscape extends far beyond the network perimeter. Supply chain vulnerabilities like the Keenadu attack require a proactive and defense-in-depth approach to identify where your organization is exposed.
To combat these insidious threats, we recommend leveraging our expert Vulnerability Audits. Our team can rigorously assess your mobile infrastructure and software supply chain to identify weaknesses before they are exploited. Additionally, our comprehensive Managed Security services provide 24/7 monitoring and threat hunting, ensuring that anomalies like ad fraud traffic or unauthorized data exfiltration are detected and neutralized instantly.
Detection & Response
Sigma Rules
YAML
---
title: Potential Code Injection via Android Build Tools
id: 1b4e5d6a-7f8c-44a2-9b3c-1d2e3f4a5b6c
status: experimental
description: Detects suspicious child processes spawned by legitimate Android build tools (such as Gradle, Java, or ADB) which may indicate a supply chain compromise where an attacker injects malicious code into the build pipeline to embed malware like Keenadu.
references:
- Internal Research
author: Security Arsenal
date: 2026/04/06
tags:
- attack.supply_chain
- attack.persistence
- attack.t1195
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
- '\gradle.bat'
- '\adb.exe'
- '\mvn.cmd'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\bash.exe'
- '\wscript.exe'
- '\cscript.exe'
filter_legitimate:
# Filter out known legitimate build scripts or standard compiler outputs if necessary
CommandLine|contains:
- 'processResources'
- 'compileJava'
condition: selection_parent and selection_child and not filter_legitimate
falsepositives:
- Legitimate build scripts that trigger system shells for environment setup (rare)
level: high
---
title: Suspicious Modification of Android System Images
id: 2c5f6e7b-0g9d-55b3-0c4d-2e3f4a5b6c7d
status: experimental
description: Identifies modification or creation of Android system images (system.img, boot.img) or APK packages by scripting interpreters or unauthorized processes, a technique used in supply chain attacks to preload malware onto devices before distribution.
references:
- Internal Research
author: Security Arsenal
date: 2026/04/06
tags:
- attack.supply_chain
- attack.initial_access
- attack.t1195
logsource:
category: file_event
product: windows
detection:
selection_target:
TargetFilename|contains:
- '.img'
- '.apk'
- 'system.'
- 'boot.'
- 'vendor.'
- 'recovery.'
selection_process:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\python.exe'
- '\mshta.exe'
- '\wscript.exe'
filter_legit_updaters:
Image|contains:
- '\Android\'
- '\Android Studio\'
- '\Program Files\'
Image|endswith:
- '\java.exe'
- '\adb.exe'
condition: selection_target and selection_process and not filter_legit_updaters
falsepositives:
- Developers manually re-signing or compressing images using scripts
level: high
KQL — Microsoft Sentinel / Defender
KQL — Microsoft Sentinel / Defender
// Hunt for Android Supply Chain malware (e.g., Keenadu) by detecting outbound network connections
// originating from pre-installed system applications (/system/ partition) to suspicious external domains.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where OSPlatform == "Android"
| where ActionType == "ConnectionSuccess"
// Identify processes running from the system partition (typical of supply chain/pre-install malware)
| where InitiatingProcessFolderPath startswith "/system/" or InitiatingProcessFolderPath startswith "/system/app/"
// Exclude known safe traffic from System apps (Google Play Services, Updates, OEM Telemetry)
| where RemoteUrl !contains "google"
and RemoteUrl !contains "android"
and RemoteUrl !contains "gvt1"
and RemoteUrl !contains "gstatic"
and RemoteUrl !contains "1e100"
and RemoteUrl !contains "Qualcomm"
and RemoteUrl !contains "mediatek"
// Calculate URL entropy to identify random DGA (Domain Generation Algorithm) domains often used by C2
| extend UrlEntropy = entropy(tostring(RemoteUrl))
| where UrlEntropy > 3.5
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, RemoteUrl, RemoteIP, UrlEntropy
| summarize Count = count(), UniqueIPs = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName, RemoteUrl
| order by Count desc
Velociraptor VQL
VQL — Velociraptor
name: Android.Hunt.Keenadu
description: |
Hunts for indicators of the Keenadu supply chain attack.
This artifact targets pre-installed malware in system partitions,
suspicious running processes masquerading as system services, and
network connections to potential C2 infrastructure.
sources:
- name: FileSystemHunt
description: |
-- Hunt for pre-installed APKs in system partitions (/system, /vendor, /product)
-- matching known Keenadu IOCs or suspicious obfuscated package names.
queries:
- |
SELECT
FullPath,
Size,
Mode.String AS Permissions,
Mtime
FROM glob(globs=[
"/system/priv-app/**/*.apk",
"/system/app/**/*.apk",
"/vendor/app/**/*.apk",
"/product/app/**/*.apk",
"/odm/app/**/*.apk"
])
WHERE
-- Look for specific Keenadu indicators or common supply chain masquerading
FullPath =~ "(?i)(keenadu|com.android.update|system.core.service)"
OR
-- Flag system APKs modified recently (unlikely in factory unless compromised)
Mtime > now() - 365 * 24 * 3600
OR
-- Flag suspiciously large system APKs often packing heavy payloads
Size > 10000000
- name: ProcessHunt
description: |
-- Hunt for running processes associated with Keenadu.
-- Focuses on processes spawned from system locations or using specific names.
queries:
- |
SELECT
Pid,
Ppid,
Username,
Cmdline,
Cwd,
Exe
FROM pslist()
WHERE
Cmdline =~ "(?i)(keenadu|com.android.update|system.core.service)"
OR
-- Detect processes running from system directories with suspicious names
Exe =~ "^/system/.*keenadu"
- name: NetworkHunt
description: |
-- Hunt for network connections indicative of Keenadu C2 beacons.
-- Looks for established connections on non-standard ports.
queries:
- |
SELECT
Family,
RemoteAddress,
RemotePort,
LocalAddress,
LocalPort,
State,
Pid
FROM netstat()
WHERE
State = "ESTABLISHED"
AND
-- Hunt for connections to high ports often used by C2 (excluding common HTTP/CDN)
RemotePort > 1024
AND RemotePort NOT IN (443, 80, 5228, 5223, 8443)
- name: DetailedFileStat
description: |
-- Perform detailed stat analysis on identified suspicious system APKs.
-- Verifies UID/GID to check if files belong to the system user (uid 0) or root.
queries:
- |
LET targets = SELECT FullPath
FROM glob(globs=["/system/**/*.apk", "/vendor/**/*.apk"])
WHERE FullPath =~ "(?i)(keenadu|com.android.update)"
SELECT
FullPath,
Size,
Mode.String AS Mode,
uid,
gid,
IsSymlink
FROM stat(filename=targets.FullPath)
Remediation Script
Bash / Shell
#!/bin/bash
# Title: Keenadu Supply Chain Audit Script
# Target: Android (Linux-based)
# Purpose: Verify patch status and hunt for Keenadu IOCs embedded in the supply chain
# Define known IOCs for the Keenadu threat
# Update package names and hashes based on latest intelligence reports
MALWARE_PKGS=("com.keenadu.service" "com.system.keenadu")
MALWARE_FILES=("libkeenadu.so" "KeenaduUpdate.apk")
MALWARE_PROCESS="keenadu"
echo "[*] Initiating Keenadu Supply Chain Threat Hunt..."
# 1. Verify Patch Status
# Check the Android security patch level to assess vulnerability surface
echo "[+] Checking Security Patch Level..."
PATCH_DATE=$(getprop ro.build.version.security_patch 2>/dev/null)
if [ -n "$PATCH_DATE" ]; then
echo " Current Patch: $PATCH_DATE"
# Compare against a baseline (e.g., devices older than 6 months are at higher risk)
# In a real scenario, compare against the date of the patch fixing the specific CVE used by Keenadu
BASELINE_DATE="2023-11-01"
if [[ "$PATCH_DATE" < "$BASELINE_DATE" ]]; then
echo " [!] WARNING: Device firmware is outdated. Vulnerable to supply chain exploits."
else
echo " [+] Patch level appears recent."
fi
else
echo " [!] Unable to determine patch level. Ensure this is running in an Android shell (ADB)."
fi
# 2. File System IOC Hunt
# Supply chain malware often resides in /system, /vendor, or /product partitions
echo "[*] Scanning system partitions for Keenadu artifacts..."
SYSTEM_PARTITIONS=("/system" "/vendor" "/product" "/system_ext")
for part in "${SYSTEM_PARTITIONS[@]}"; do
if [ -d "$part" ]; then
for file in "${MALWARE_FILES[@]}"; do
# Search ignoring case, suppress permission errors
ARTIFACT=$(find "$part" -iname "$file" 2>/dev/null)
if [ -n "$ARTIFACT" ]; then
echo " [!] CRITICAL FILE FOUND: $ARTIFACT"
fi
done
fi
done
# 3. Package/Registry Hunt
# Hunt for pre-installed malicious packages
echo "[*] Checking for malicious system packages..."
if command -v pm &> /dev/null; then
for pkg in "${MALWARE_PKGS[@]}"; do
if pm list packages | grep -qi "$pkg"; then
echo " [!] MALICIOUS PACKAGE DETECTED: $pkg"
# Attempt to retrieve the APK path for analysis
pm path "$pkg" 2>/dev/null
fi
done
# Heuristic check: Look for any package containing the threat name
SUSPICIOUS=$(pm list packages -f | grep -i "keenadu")
if [ -n "$SUSPICIOUS" ]; then
echo " [!] HEURISTIC DETECTION: Package matching 'keenadu' pattern found."
echo "$SUSPICIOUS"
fi
else
echo " [-] Package manager not found."
fi
# 4. Process Hunt
# Check if the malware is active in memory
echo "[*] Analyzing running processes..."
if command -v ps &> /dev/null; then
if ps -A | grep -v grep | grep -qi "$MALWARE_PROCESS"; then
echo " [!] ALERT: Keenadu process is currently active."
else
echo " [-] No suspicious processes detected."
fi
fi
# 5. Hardening/Remediation Summary
echo "[*] Hardening Status:"
echo " Supply chain attacks modify the firmware. Detection implies the OS image is untrusted."
echo " Recommendation: Wipe device and reflash with a clean OEM firmware image."
echo "[*] Scan complete."
Conclusion
The Keenadu supply chain attack serves as a stark reminder that security starts with the hardware itself. As cybercriminals continue to target the software supply chain, businesses can no longer afford to trust devices implicitly. By adopting advanced auditing and continuous monitoring, organizations can stay one step ahead of these hidden threats. Don't let your supply chain become your Achilles' heel.
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.