Android Devices Ship with Firmware-level Malware

    Date: 03/20/2026

    Severity: High

    Summary

    In late February 2026, analysts detected malicious activity on Android devices linked to the Keenadu backdoor. Keenadu is a firmware-level infection embedded in libandroid_runtime.so, injecting itself into the Zygote process. Since Zygote spawns all apps, this gives attackers near-total control over infected devices. The malware acts as a downloader for additional modules that target apps like Shein, Temu, Amazon, YouTube, and Facebook. Some modules perform ad fraud by silently generating clicks, including one hidden in the system launcher to monetize installs.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    playstations.click

    uscelluliar.com

    gstatic2.com

    glogstatic.com

    ytimg2.com

    gmsstatic.com

    gsonx.com

    keepgo123.com

    sliidee.com

    newsroomlabss.com

    fbgraph.com

    dllpgd.click

    gvvt1.com

    proczone.com

    goaimb.com

    aifacecloud.com

    gbugreport.com

    tmgstatic.com

    fbsimg.com

    launcher.szprize.cn

    iboot.site

    IP Addresses:

    67.198.232.187

    67.198.232.4

    110.34.191.82

    110.34.191.81

    File Hashes (MD5):

    11eaf02f41b9c93e9b3189aa39059419

    3c03168c98ad6111c3aa0a960f8b7eea

    cb0d514d86ddfaf4345d25cef064863b

    cd619b4e1e793f96eca877616a741bc1

    b80b39ed95d54c8c1bf12e35f92e23cc

    File Hashes (SHA1):

    7db58b72a3493a86e847c3685eca74c690d50b55

    dcf2b51bfc43494bb27f5da26f3f706ca878d17e

    b73c94e56932f607108ec1efb74004c763a9e42b

    c33b025bac789d3742278f784377fc36f83fd1ff

    7eb32a90d556bb9954707014843a67f7039ea7f1

    File Hashes (SHA256):

    52db1f284a0dccbb750314cf765131a17a8284a2aeea04701a2b71f35fb9d9ee

    cdf1d41d732ba882184060933bec2c1f4b8eefc081c06471132a690f2205da31

    ab6d744dccf4c6266474df4b8aa3be6ae5663dbee39c579a552a4cfa1c1d12fd

    da1c7f53add0abaa8a49b773e5cea9c9171799f644ec24e366aaf7ce29962a11

    34a0236b5c7b47577be4501e2c18908916ef9ec22032a6ea41b0ecceaf4e8d8a

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "gvvt1.com" or url like "gvvt1.com" or siteurl like "gvvt1.com" or domainname like "uscelluliar.com" or url like "uscelluliar.com" or siteurl like "uscelluliar.com" or domainname like "gstatic2.com" or url like "gstatic2.com" or siteurl like "gstatic2.com" or domainname like "gsonx.com" or url like "gsonx.com" or siteurl like "gsonx.com" or domainname like "dllpgd.click" or url like "dllpgd.click" or siteurl like "dllpgd.click" or domainname like "sliidee.com" or url like "sliidee.com" or siteurl like "sliidee.com" or domainname like "glogstatic.com" or url like "glogstatic.com" or siteurl like "glogstatic.com" or domainname like "fbgraph.com" or url like "fbgraph.com" or siteurl like "fbgraph.com" or domainname like "playstations.click" or url like "playstations.click" or siteurl like "playstations.click" or domainname like "ytimg2.com" or url like "ytimg2.com" or siteurl like "ytimg2.com" or domainname like "goaimb.com" or url like "goaimb.com" or siteurl like "goaimb.com" or domainname like "proczone.com" or url like "proczone.com" or siteurl like "proczone.com" or domainname like "gmsstatic.com" or url like "gmsstatic.com" or siteurl like "gmsstatic.com" or domainname like "iboot.site" or url like "iboot.site" or siteurl like "iboot.site" or domainname like "fbsimg.com" or url like "fbsimg.com" or siteurl like "fbsimg.com" or domainname like "launcher.szprize.cn" or url like "launcher.szprize.cn" or siteurl like "launcher.szprize.cn" or domainname like "newsroomlabss.com" or url like "newsroomlabss.com" or siteurl like "newsroomlabss.com" or domainname like "keepgo123.com" or url like "keepgo123.com" or siteurl like "keepgo123.com" or domainname like "gbugreport.com" or url like "gbugreport.com" or siteurl like "gbugreport.com" or domainname like "aifacecloud.com" or url like "aifacecloud.com" or siteurl like "aifacecloud.com" or domainname like "tmgstatic.com" or url like "tmgstatic.com" or siteurl like "tmgstatic.com"

    Detection Query 2 :

    dstipaddress IN ("110.34.191.81","67.198.232.187","110.34.191.82","67.198.232.4") or srcipaddress IN ("110.34.191.81","67.198.232.187","110.34.191.82","67.198.232.4")

    Detection Query 3 :

    md5hash IN ("11eaf02f41b9c93e9b3189aa39059419","cb0d514d86ddfaf4345d25cef064863b","3c03168c98ad6111c3aa0a960f8b7eea","b80b39ed95d54c8c1bf12e35f92e23cc","cd619b4e1e793f96eca877616a741bc1")

    Detection Query 4 :

    sha1hash IN ("7eb32a90d556bb9954707014843a67f7039ea7f1","7db58b72a3493a86e847c3685eca74c690d50b55","c33b025bac789d3742278f784377fc36f83fd1ff","dcf2b51bfc43494bb27f5da26f3f706ca878d17e","b73c94e56932f607108ec1efb74004c763a9e42b")

    Detection Query 5 :

    sha256hash IN ("52db1f284a0dccbb750314cf765131a17a8284a2aeea04701a2b71f35fb9d9ee","ab6d744dccf4c6266474df4b8aa3be6ae5663dbee39c579a552a4cfa1c1d12fd","34a0236b5c7b47577be4501e2c18908916ef9ec22032a6ea41b0ecceaf4e8d8a","da1c7f53add0abaa8a49b773e5cea9c9171799f644ec24e366aaf7ce29962a11","cdf1d41d732ba882184060933bec2c1f4b8eefc081c06471132a690f2205da31")
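    The five queries above match on three kinds of fields: domain-like fields (domainname, url, siteurl), IP fields (srcipaddress, dstipaddress) and hash fields (md5hash, sha1hash, sha256hash). The following Python matcher is an added example, not part of the advisory or of Gurucul's product, that applies the same IOC sets from this page to normalized log events. It assumes events are dictionaries keyed by those field names (a constructed schema) and it narrows the domain test from a raw substring `like` to an exact-or-subdomain match, so that a lookalike such as "notgstatic2.com" does not fire; check what `like` means on your own platform before copying the queries verbatim. The sample events are constructed for the example.

```python
"""Apply the Keenadu IOCs from this advisory to normalized log events."""
from urllib.parse import urlsplit

# IOC sets copied from the advisory above.
DOMAINS = {
    "playstations.click", "uscelluliar.com", "gstatic2.com", "glogstatic.com",
    "ytimg2.com", "gmsstatic.com", "gsonx.com", "keepgo123.com", "sliidee.com",
    "newsroomlabss.com", "fbgraph.com", "dllpgd.click", "gvvt1.com",
    "proczone.com", "goaimb.com", "aifacecloud.com", "gbugreport.com",
    "tmgstatic.com", "fbsimg.com", "launcher.szprize.cn", "iboot.site",
}
IPS = {"67.198.232.187", "67.198.232.4", "110.34.191.82", "110.34.191.81"}
HASHES = {
    "md5hash": {
        "11eaf02f41b9c93e9b3189aa39059419", "cb0d514d86ddfaf4345d25cef064863b",
        "3c03168c98ad6111c3aa0a960f8b7eea", "b80b39ed95d54c8c1bf12e35f92e23cc",
        "cd619b4e1e793f96eca877616a741bc1",
    },
    "sha1hash": {
        "7eb32a90d556bb9954707014843a67f7039ea7f1", "7db58b72a3493a86e847c3685eca74c690d50b55",
        "c33b025bac789d3742278f784377fc36f83fd1ff", "dcf2b51bfc43494bb27f5da26f3f706ca878d17e",
        "b73c94e56932f607108ec1efb74004c763a9e42b",
    },
    "sha256hash": {
        "52db1f284a0dccbb750314cf765131a17a8284a2aeea04701a2b71f35fb9d9ee",
        "ab6d744dccf4c6266474df4b8aa3be6ae5663dbee39c579a552a4cfa1c1d12fd",
        "34a0236b5c7b47577be4501e2c18908916ef9ec22032a6ea41b0ecceaf4e8d8a",
        "da1c7f53add0abaa8a49b773e5cea9c9171799f644ec24e366aaf7ce29962a11",
        "cdf1d41d732ba882184060933bec2c1f4b8eefc081c06471132a690f2205da31",
    },
}


def host_of(value):
    """Return the lowercase hostname from either a bare domain or a full URL."""
    v = value.strip().lower()
    if "://" in v:
        return urlsplit(v).hostname or ""
    return v.split("/")[0].split(":")[0]


def domain_hit(value, iocs=DOMAINS):
    """Exact or subdomain match: 'cdn.gstatic2.com' hits, 'notgstatic2.com' does not."""
    host = host_of(value)
    return next((d for d in iocs if host == d or host.endswith("." + d)), None)


def match_event(event):
    """Return (query, field, ioc) hits for one event, mirroring queries 1-5."""
    hits = []
    for field in ("domainname", "url", "siteurl"):          # query 1
        if event.get(field) and (d := domain_hit(event[field])):
            hits.append(("query1_domain", field, d))
    for field in ("srcipaddress", "dstipaddress"):          # query 2
        if event.get(field) in IPS:
            hits.append(("query2_ip", field, event[field]))
    for field, known in HASHES.items():                     # queries 3-5
        val = (event.get(field) or "").lower()              # hashes compared case-insensitively
        if val in known:
            hits.append((f"query_{field}", field, val))
    return hits


def scan(events):
    """Return [(index, hits)] for every event that matched at least one IOC."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]


# Constructed sample events (hypothetical schema, not real telemetry).
SAMPLE_EVENTS = [
    {"domainname": "cdn.GSTATIC2.com", "dstipaddress": "203.0.113.10"},
    {"url": "https://launcher.szprize.cn/update?x=1", "srcipaddress": "10.0.0.5"},
    {"domainname": "www.gstatic.com", "dstipaddress": "110.34.191.81"},
    # Page SHA256 written in upper case to show the case-insensitive comparison.
    {"sha256hash": "52db1f284a0dccbb750314cf765131a17a8284a2aeea04701a2b71f35fb9d9ee".upper()},
    # Benign: legitimate Google host and the MD5 of an empty file.
    {"domainname": "www.gstatic.com", "md5hash": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

    Events 0 to 3 each produce one hit (subdomain, URL host, destination IP, SHA256); event 4 produces none, which is the false-positive case a plain substring `like "gstatic2.com"` would also avoid, whereas a subdomain of gstatic.com proper never matches any listed IOC.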

    Reference:

    https://www.sophos.com/en-us/blog/android-devices-ship-with-firmware-level-malware


    Tags: Malware, Backdoor, Amazon, Facebook, Android Malware
