Skip to content ↓ | Skip to navigation ↓

Researchers have identified the first known Android bootkit in the wild, which ” resides in the memory of infected devices and launches itself early on in the OS loading stage,” making detection and elimination difficult as it would require changes to the device’s file system.

The malware, dubbed Android.Oldboot.1.origin, is thought have already infected more than 350,000 mobile devices around the world, including Spain, Italy, Germany, Russia, Brazil, the USA and some Southeast Asian countries, though more than 90% of the infections are located in China.

“To spread the Trojan… attackers have used a very unusual technique, namely, placing one of the Trojan components into the boot partition of the file system and modifying the init script which is responsible for the initialisation of OS components.” the researchers reported.

“When the mobile phone is turned on, this script loads the code of the Trojan Linux-library imei_chk (Dr.Web Anti-virus detects it as Android.Oldboot.1), which extracts the files libgooglekernel.so (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them in /system/lib and /system/app, respectively. Thus, part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service and uses the libgooglekernel.so library to connect to a remote server and receive various commands,” they explained.

The researchers note that the malware is not being spread by malicious webpages, applications, or from opening tainted attachments. Instead, they believe devices somehow had the malware pre-loaded at the time of shipping from the manufacturer, or was likely manually installed by actors with physical access to the devices.

“Reflashing a device with modified firmware that contains the routines required for the Trojan’s operation is the most likely way this threat is introduced,” the researchers said.

“This malware is particularly dangerous because even if some elements of Android.Oldboot that were installed onto the mobile device after it was turned on are removed successfully, the component imei_chk will still reside in the protected memory area and will re-install the malware after a reboot and, thus, re-infect the system.”

Read more Here…