Divide and Conquer: How the New Keenadu Backdoor Exposed Links Between Major Android Botnets

    Date: 02/19/2026

    Severity: Medium

    Summary

    Divide and Conquer: How the New Keenadu Backdoor Exposed Links Between Major Android Botnets outlines the discovery of Keenadu, a firmware-level Android backdoor embedded during the device build process as a malicious library linked into libandroid_runtime.so. Once deployed, sometimes through OTA updates, the malware injects into the Zygote process, from which every app process is forked, so its code is loaded into every app at launch; a multi-stage loader architecture then gives the operators full remote control of the device. Its payloads support ad fraud, browser hijacking, and app monetization abuse, and related components were also found in apps distributed through third-party stores and official marketplaces. The investigation further revealed operational ties between Keenadu, Triada, BADBOX, and Vo1d, exposing a broader ecosystem of interconnected Android botnets operating at the firmware level.
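    Because the backdoor is described as a library linked into libandroid_runtime.so, one firmware-side check an analyst can run is to list that binary's DT_NEEDED dependencies and compare them with a known-clean build. The script below is an added example, not code from the Securelist report or from this advisory: it parses the ELF64 dynamic segment in pure Python (no readelf needed), resolves DT_STRTAB through the PT_LOAD segments, and reports anything outside a baseline. The BASELINE set and the fixture library names (including "libextra.so") are illustrative placeholders; the page does not name the malicious library, so the real allow-list must come from a trusted image of the same build.

```python
"""List DT_NEEDED entries of a little-endian ELF64 shared object (e.g. libandroid_runtime.so)
and flag any dependency absent from a known-good baseline. Pure Python, no external tools."""
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
PHDR = "<IIQQQQQQ"           # Elf64_Phdr
DYN = "<qQ"                  # Elf64_Dyn (d_tag is signed)


def elf_needed(data: bytes) -> list:
    """Return the DT_NEEDED library names in link order, resolving DT_STRTAB via PT_LOAD."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    loads, dynamic = [], None
    for i in range(phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, _align = \
            struct.unpack_from(PHDR, data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_memsz, p_offset))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        raise ValueError("no PT_DYNAMIC segment")

    def file_offset(vaddr: int) -> int:
        # DT_STRTAB holds a virtual address; map it through the PT_LOAD that contains it.
        for seg_vaddr, seg_memsz, seg_offset in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_memsz:
                return vaddr - seg_vaddr + seg_offset
        raise ValueError(f"vaddr {vaddr:#x} is outside every PT_LOAD")

    dyn_off, dyn_size = dynamic
    needed, strtab_va, strsz = [], None, None
    for pos in range(dyn_off, dyn_off + dyn_size, struct.calcsize(DYN)):
        tag, val = struct.unpack_from(DYN, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)
        elif tag == DT_STRTAB:
            strtab_va = val
        elif tag == DT_STRSZ:
            strsz = val
    if strtab_va is None or strsz is None:
        raise ValueError("dynamic segment lacks DT_STRTAB/DT_STRSZ")
    base = file_offset(strtab_va)
    strtab = data[base:base + strsz]
    return [strtab[o:strtab.index(b"\0", o)].decode() for o in needed]


def unexpected_needed(data: bytes, baseline: set) -> list:
    """Dependencies present in the binary but absent from the clean-build baseline."""
    return sorted(set(elf_needed(data)) - baseline)


def build_elf64(needed: list) -> bytes:
    """Constructed test fixture: a minimal ET_DYN ELF64 (AArch64) with one PT_LOAD covering
    the file, a PT_DYNAMIC segment and a string table holding the given DT_NEEDED names."""
    strtab, offs = b"\0", []
    for name in needed:
        offs.append(len(strtab))
        strtab += name.encode() + b"\0"
    strtab_off = 64 + 2 * 56                        # after Ehdr + two Phdrs
    dyn_off = (strtab_off + len(strtab) + 7) & ~7   # 8-byte aligned dynamic segment
    dyn = b"".join(struct.pack(DYN, DT_NEEDED, o) for o in offs)
    dyn += struct.pack(DYN, DT_STRTAB, strtab_off) + struct.pack(DYN, DT_STRSZ, len(strtab))
    dyn += struct.pack(DYN, DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR, ident, 3, 0xB7, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph_load = struct.pack(PHDR, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    ph_dyn = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    body = ehdr + ph_load + ph_dyn + strtab
    return body + bytes(dyn_off - len(body)) + dyn


# Illustrative baseline only (assumption): derive the real one from a known-clean image of the same build.
BASELINE = {"libc.so", "libm.so", "libdl.so", "liblog.so"}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_elf64(["libc.so", "liblog.so", "libextra.so"])
    print("DT_NEEDED:", elf_needed(blob))
    print("not in baseline:", unexpected_needed(blob, BASELINE))
```

    Run it as `python3 check_needed.py libandroid_runtime.so` after pulling the library from the device (on 64-bit builds it lives under /system/lib64/). Without an argument it runs against the constructed fixture. An unexpected DT_NEEDED entry is a strong lead, but a clean list is not proof of a clean image: a build-time implant can also be patched into the library's own code rather than added as a separate dependency, so pair this with a hash comparison of the library against the OEM's reference image.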

    Indicators of Compromise (IOC) List 

    URLs/Domains

    fbsimg.com

    tmgstatic.com

    gbugreport.com

    aifacecloud.com

    goaimb.com

    proczone.com

    gvvt1.com

    dllpgd.click

    fbgraph.com

    newsroomlabss.com

    sliidee.com

    keepgo123.com

    gsonx.com

    gmsstatic.com

    ytimg2.com

    glogstatic.com

    gstatic2.com

    uscelluliar.com

    playstations.click

    ubkt1x.oss-us-west-1.aliyuncs.com

    m-file-us.oss-us-west-1.aliyuncs.com

    pkg-czu.istaticfiles.com

    pkgu.istaticfiles.com

    app-download.cn-wlcb.ufileos.com

    IP Addresses

    110.34.191.81

    110.34.191.82

    67.198.232.4

    67.198.232.187

    Hashes (MD5)

    bccd56a6b6c9496ff1acd40628edd25e

    c4c0e65a5c56038034555ec4a09d3a37

    cb9f86c02f756fb9afdb2fe1ad0184ee

    f59ad0c8e47228b603efc0ff790d4a0c

    f9b740dd08df6c66009b27c618f1e086

    02c4c7209b82bbed19b962fb61ad2de3

    185220652fbbc266d4fdf3e668c26e59

    36db58957342024f9bc1cdecf2f163d6

    4964743c742bb899527017b8d06d4eaa

    58f282540ab1bd5ccfb632ef0d273654

    59aee75ece46962c4eb09de78edaa3fa

    8d493346cb84fbbfdb5187ae046ab8d3

    9d16a10031cddd222d26fcb5aa88a009

    a191b683a9307276f0fc68a2a9253da1

    65f290dd99f9113592fba90ea10cb9b3

    68990fbc668b3d2cfbefed874bb24711

    6d93fb8897bf94b62a56aca31961756a

    2922df6713f865c9cba3de1fe56849d7

    3dae1f297098fa9d9d4ee0335f0aeed3

    462a23bc22d06e5662d379b9011d89ff

    4c4ca7a2a25dbe15a4a39c11cfef2fb2

    5048406d8d0affa80c18f8b1d6d76e21

    529632abf8246dfe555153de6ae2a9df

    7ceccea499cfd3f9f9981104fc05bcbd

    912bc4f756f18049b241934f62bfb06c

    98ff5a3b5f2cdf2e8f58f96d70db2875

    aa5bf06f0cc5a8a3400e90570fb081b0

    ad60f46e724d88af6bcacb8c269ac3c1

    dc3d454a7edb683bec75a6a1e28a4877

    f0184f6955479d631ea4b1ea0f38a35d

    07546413bdcb0e28eadead4e2b0db59d

    0c1f61eeebc4176d533b4fc0a36b9d61

    10d8e8765adb1cbe485cb7d7f4df21e4

    11eaf02f41b9c93e9b3189aa39059419

    19df24591b3d76ad3d0a6f548e608a43

    1bfb3edb394d7c018e06ed31c7eea937

    1c52e14095f23132719145cf24a2f9dc

    21846f602bcabccb00de35d994f153c9

    2419583128d7c75e9f0627614c2aa73f

    28e6936302f2d290c2fec63ca647f8a6

    382764921919868d810a5cf0391ea193

    45bf58973111e00e378ee9b7b43b7d2d

    56036c2490e63a3e55df4558f7ecf893

    64947d3a929e1bb860bf748a15dba57c

    69225f41dcae6ddb78a6aa6a3caa82e1

    6df8284a4acee337078a6a62a8b65210

    6f6e14b4449c0518258beb5a40ad7203

    7882796fdae0043153aa75576e5d0b35

    7c3e70937da7721dd1243638b467cff1

    9ddd621daab4c4bc811b7c1990d7e9ea

    a0f775dd99108cb3b76953e25f5cdae4

    b841debc5307afc8a4592ea60d64de14

    c57de69b401eb58c0aad786531c02c28

    ca59e49878bcf2c72b99d15c98323bcd

    d07eb2db2621c425bda0f046b736e372

    d4be9b2b73e565b1181118cb7f44a102

    d9aecc9d4bf1d4b39aa551f3a1bcc6b7

    e9bed47953986f90e814ed5ed25b010c

    0bc94bc4bc4d69705e4f08aaf0e976b3

    1276480838340dcbc699d1f32f30a5e9

    15fb99660dbd52d66f074eaa4cf1366d

    2dca15e9e83bca37817f46b24b00d197

    350313656502388947c7cbcd08dc5a95

    3e36ffda0a946009cb9059b69c6a6f0d

    5b0726d66422f76d8ba4fbb9765c68f6

    68b64bf1dea3eb314ce273923b8df510

    9195454da9e2cb22a3d58dbbf7982be8

    a4a6ff86413b3b2a893627c4cff34399

    b163fa76bde53cd80d727d88b7b1d94f

    ba0a349f177ffb3e398f8c780d911580

    bba23f4b66a0e07f837f2832a8cd3bd4

    d6ebc5526e957866c02c938fc01349ee

    ec7ab99beb846eec4ecee232ac0b3246

    ef119626a3b07f46386e65de312cf151

    fcaeadbee39fddc907a3ae0315d86178

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "fbgraph.com" or siteurl like "fbgraph.com" or url like "fbgraph.com" or
    domainname like "app-download.cn-wlcb.ufileos.com" or siteurl like "app-download.cn-wlcb.ufileos.com" or url like "app-download.cn-wlcb.ufileos.com" or
    domainname like "gvvt1.com" or siteurl like "gvvt1.com" or url like "gvvt1.com" or
    domainname like "aifacecloud.com" or siteurl like "aifacecloud.com" or url like "aifacecloud.com" or
    domainname like "gstatic2.com" or siteurl like "gstatic2.com" or url like "gstatic2.com" or
    domainname like "uscelluliar.com" or siteurl like "uscelluliar.com" or url like "uscelluliar.com" or
    domainname like "fbsimg.com" or siteurl like "fbsimg.com" or url like "fbsimg.com" or
    domainname like "tmgstatic.com" or siteurl like "tmgstatic.com" or url like "tmgstatic.com" or
    domainname like "ubkt1x.oss-us-west-1.aliyuncs.com" or siteurl like "ubkt1x.oss-us-west-1.aliyuncs.com" or url like "ubkt1x.oss-us-west-1.aliyuncs.com" or
    domainname like "playstations.click" or siteurl like "playstations.click" or url like "playstations.click" or
    domainname like "gbugreport.com" or siteurl like "gbugreport.com" or url like "gbugreport.com" or
    domainname like "goaimb.com" or siteurl like "goaimb.com" or url like "goaimb.com" or
    domainname like "proczone.com" or siteurl like "proczone.com" or url like "proczone.com" or
    domainname like "pkgu.istaticfiles.com" or siteurl like "pkgu.istaticfiles.com" or url like "pkgu.istaticfiles.com" or
    domainname like "gmsstatic.com" or siteurl like "gmsstatic.com" or url like "gmsstatic.com" or
    domainname like "newsroomlabss.com" or siteurl like "newsroomlabss.com" or url like "newsroomlabss.com" or
    domainname like "pkg-czu.istaticfiles.com" or siteurl like "pkg-czu.istaticfiles.com" or url like "pkg-czu.istaticfiles.com" or
    domainname like "gsonx.com" or siteurl like "gsonx.com" or url like "gsonx.com" or
    domainname like "glogstatic.com" or siteurl like "glogstatic.com" or url like "glogstatic.com" or
    domainname like "ytimg2.com" or siteurl like "ytimg2.com" or url like "ytimg2.com" or
    domainname like "dllpgd.click" or siteurl like "dllpgd.click" or url like "dllpgd.click" or
    domainname like "m-file-us.oss-us-west-1.aliyuncs.com" or siteurl like "m-file-us.oss-us-west-1.aliyuncs.com" or url like "m-file-us.oss-us-west-1.aliyuncs.com" or
    domainname like "keepgo123.com" or siteurl like "keepgo123.com" or url like "keepgo123.com" or
    domainname like "sliidee.com" or siteurl like "sliidee.com" or url like "sliidee.com"

    Detection Query 2:

    dstipaddress IN ("67.198.232.187","110.34.191.82","110.34.191.81","67.198.232.4") or srcipaddress IN ("67.198.232.187","110.34.191.82","110.34.191.81","67.198.232.4")

    Detection Query 3:

    md5hash IN (
    "5b0726d66422f76d8ba4fbb9765c68f6","1c52e14095f23132719145cf24a2f9dc","1276480838340dcbc699d1f32f30a5e9","10d8e8765adb1cbe485cb7d7f4df21e4",
    "19df24591b3d76ad3d0a6f548e608a43","2419583128d7c75e9f0627614c2aa73f","68990fbc668b3d2cfbefed874bb24711","65f290dd99f9113592fba90ea10cb9b3",
    "ba0a349f177ffb3e398f8c780d911580","28e6936302f2d290c2fec63ca647f8a6","a0f775dd99108cb3b76953e25f5cdae4","21846f602bcabccb00de35d994f153c9",
    "9195454da9e2cb22a3d58dbbf7982be8","b163fa76bde53cd80d727d88b7b1d94f","bccd56a6b6c9496ff1acd40628edd25e","a191b683a9307276f0fc68a2a9253da1",
    "36db58957342024f9bc1cdecf2f163d6","6d93fb8897bf94b62a56aca31961756a","11eaf02f41b9c93e9b3189aa39059419","4964743c742bb899527017b8d06d4eaa",
    "d6ebc5526e957866c02c938fc01349ee","ef119626a3b07f46386e65de312cf151","0c1f61eeebc4176d533b4fc0a36b9d61","45bf58973111e00e378ee9b7b43b7d2d",
    "fcaeadbee39fddc907a3ae0315d86178","a4a6ff86413b3b2a893627c4cff34399","350313656502388947c7cbcd08dc5a95","c4c0e65a5c56038034555ec4a09d3a37",
    "07546413bdcb0e28eadead4e2b0db59d","382764921919868d810a5cf0391ea193","2dca15e9e83bca37817f46b24b00d197","64947d3a929e1bb860bf748a15dba57c",
    "3e36ffda0a946009cb9059b69c6a6f0d","59aee75ece46962c4eb09de78edaa3fa","cb9f86c02f756fb9afdb2fe1ad0184ee","f59ad0c8e47228b603efc0ff790d4a0c",
    "8d493346cb84fbbfdb5187ae046ab8d3","58f282540ab1bd5ccfb632ef0d273654","ec7ab99beb846eec4ecee232ac0b3246","185220652fbbc266d4fdf3e668c26e59",
    "56036c2490e63a3e55df4558f7ecf893","d07eb2db2621c425bda0f046b736e372","68b64bf1dea3eb314ce273923b8df510","15fb99660dbd52d66f074eaa4cf1366d",
    "0bc94bc4bc4d69705e4f08aaf0e976b3","bba23f4b66a0e07f837f2832a8cd3bd4","1bfb3edb394d7c018e06ed31c7eea937","9d16a10031cddd222d26fcb5aa88a009",
    "f9b740dd08df6c66009b27c618f1e086","02c4c7209b82bbed19b962fb61ad2de3","2922df6713f865c9cba3de1fe56849d7","3dae1f297098fa9d9d4ee0335f0aeed3",
    "462a23bc22d06e5662d379b9011d89ff","4c4ca7a2a25dbe15a4a39c11cfef2fb2","5048406d8d0affa80c18f8b1d6d76e21","529632abf8246dfe555153de6ae2a9df",
    "7ceccea499cfd3f9f9981104fc05bcbd","912bc4f756f18049b241934f62bfb06c","98ff5a3b5f2cdf2e8f58f96d70db2875","aa5bf06f0cc5a8a3400e90570fb081b0",
    "ad60f46e724d88af6bcacb8c269ac3c1","dc3d454a7edb683bec75a6a1e28a4877","f0184f6955479d631ea4b1ea0f38a35d","69225f41dcae6ddb78a6aa6a3caa82e1",
    "6df8284a4acee337078a6a62a8b65210","6f6e14b4449c0518258beb5a40ad7203","7882796fdae0043153aa75576e5d0b35","7c3e70937da7721dd1243638b467cff1",
    "9ddd621daab4c4bc811b7c1990d7e9ea","b841debc5307afc8a4592ea60d64de14","c57de69b401eb58c0aad786531c02c28","ca59e49878bcf2c72b99d15c98323bcd",
    "d4be9b2b73e565b1181118cb7f44a102","d9aecc9d4bf1d4b39aa551f3a1bcc6b7","e9bed47953986f90e814ed5ed25b010c"
    )
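    The three queries above are substring ("like") matches on domain, URL, IP and MD5 fields. An offline version of the same logic is useful for sweeping exported logs before a TDIR rule is deployed, and for tuning: the script below is an added example, not Gurucul's query engine or code from the Securelist report. It mirrors the query field names (domainname, siteurl, url, srcipaddress, dstipaddress, md5hash) but matches hosts exactly or as subdomains rather than as substrings, so "notfbgraph.com" does not fire on "fbgraph.com" and the legitimate "www.gstatic.com" does not collide with the look-alike "gstatic2.com". The IOC sets hold only a subset of the page's indicators for brevity (paste the full lists in for real use), and the sample events are constructed, not real telemetry.

```python
"""Offline IOC matcher mirroring the three TDIR queries, with exact-or-subdomain host
matching instead of substring 'like' matching. Sample events are constructed, not real logs."""
import json
from typing import Optional
from urllib.parse import urlsplit

# Subset of the IOCs listed on this page; paste in the full domain, IP and MD5 lists for real use.
IOC_DOMAINS = {"fbgraph.com", "gstatic2.com", "ytimg2.com", "playstations.click",
               "ubkt1x.oss-us-west-1.aliyuncs.com"}
IOC_IPS = {"110.34.191.81", "110.34.191.82", "67.198.232.4", "67.198.232.187"}
IOC_MD5 = {"bccd56a6b6c9496ff1acd40628edd25e", "5b0726d66422f76d8ba4fbb9765c68f6"}


def host_matches(host: str, domains: set) -> Optional[str]:
    """Match a host against the IOC set exactly or as a subdomain (cdn.fbgraph.com -> fbgraph.com).
    A plain substring test would also fire on notfbgraph.com, so this is deliberately stricter."""
    h = host.strip().lower().rstrip(".")
    for d in domains:
        if h == d or h.endswith("." + d):
            return d
    return None


def host_of(url: str) -> str:
    """Extract the host from a URL, tolerating scheme-less values as seen in proxy logs."""
    try:
        return urlsplit(url if "://" in url else "//" + url).hostname or ""
    except ValueError:
        return ""


def scan_event(event: dict, domains=IOC_DOMAINS, ips=IOC_IPS, md5s=IOC_MD5) -> list:
    """Return (field, indicator) pairs for one JSON event, using the query field names."""
    hits = []
    for field in ("domainname", "siteurl", "url"):
        value = event.get(field)
        if value:
            host = value if field == "domainname" else host_of(value)
            m = host_matches(host, domains)
            if m:
                hits.append((field, m))
    for field in ("srcipaddress", "dstipaddress"):
        value = event.get(field)
        if value in ips:
            hits.append((field, value))
    digest = event.get("md5hash")
    if digest and digest.lower() in md5s:
        hits.append(("md5hash", digest.lower()))
    return hits


def scan_log(lines: list) -> list:
    """Scan newline-delimited JSON events; returns (line number, hits) for matching lines only."""
    results = []
    for n, line in enumerate(lines, 1):
        if line.strip():
            hits = scan_event(json.loads(line))
            if hits:
                results.append((n, hits))
    return results


# Constructed sample events (not real telemetry); lines 2 and 6 are look-alikes that must not match.
SAMPLE_LOG = [
    '{"domainname": "cdn.fbgraph.com", "srcipaddress": "10.0.0.5"}',
    '{"domainname": "www.gstatic.com"}',
    '{"url": "https://ubkt1x.oss-us-west-1.aliyuncs.com/pkg/update.bin"}',
    '{"srcipaddress": "10.0.0.5", "dstipaddress": "67.198.232.187"}',
    '{"md5hash": "BCCD56A6B6C9496FF1ACD40628EDD25E"}',
    '{"domainname": "notfbgraph.com"}',
    '{"siteurl": "playstations.click:8080/ota"}',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

    Several of the listed domains (gstatic2.com, ytimg2.com, gmsstatic.com, fbgraph.com) imitate Google and Meta infrastructure, so when porting the TDIR queries to another platform make sure the host comparison is anchored on label boundaries as above; an unanchored "contains" match on these strings can both miss subdomains and alert on unrelated hosts. Hash matching is exact and case-insensitive because the MD5 field is often exported in upper case.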

    Reference:

    https://securelist.com/keenadu-android-backdoor/118913/


    Tags

    Malware, Backdoor, Android Malware, Botnets, Browser Hijacking
