Android Bootkit Going Global

Wednesday, January 29, 2014 @ 02:01 PM gHale

An Android bootkit has already hit 350,000 devices from across the globe, researchers said.

In addition to being a new threat, the Trojan, called Android.Oldboot.1.origin, is not easy to remove from an infected system, said researchers from Doctor Web, because one of its components resides in the boot partition of the file system rather than in the ordinary application storage.

The init script in the boot partition is modified so that when the device starts, the script runs the Trojan loader, and the Android.Oldboot components then install as a typical application. Once installed on a device, the threat connects to a remote server and waits for commands.

“When the mobile phone is turned on, this script loads the code of the Trojan Linux-library imei_chk (Doctor Web Anti-virus detects it as Android.Oldboot.1), which extracts the files libgooglekernel.so (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them in /system/lib and /system/app, respectively,” Doctor Web researchers said.

“Thus, part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service and uses the libgooglekernel.so library to connect to a remote server and receive various commands, most notably, to download, install or remove certain applications,” the researchers said.

The problem is that even if the application and library are removed from /system, once the device reboots the Trojan ends up reinstalled, because the component that drops them resides in the boot partition, a protected area that ordinary uninstall tools do not touch.
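The persistence chain described above has two halves, the dropped files under /system and the loader hooked into the boot partition, and cleaning only the first half is what leaves the device re-infected after a reboot. The script below is an added example, not code from the article or from Doctor Web, that triages a pulled device tree for both halves using the file names the article gives. It assumes the tree was collected into one directory (for instance /system pulled with adb, plus the unpacked boot-image ramdisk copied alongside it); the loader path /sbin/imei_chk and the choice of init*.rc as the modified script are assumptions for illustration, not details stated on the page.

```shell
#!/bin/sh
# Added example: offline triage for the Android.Oldboot indicators named in the
# ISSSource article. Not code from the article or from Doctor Web.
#
# Input: a directory holding a pulled device tree, e.g.
#   adb pull /system ./device/system        (the dropped payload lives here)
#   unpacked boot.img ramdisk -> ./device/  (init*.rc and sbin/ live here)
#
# Score is a bitmask so the caller can tell payload from persistence hook:
#   1 : payload under /system (libgooglekernel.so, GoogleKernel.apk)
#   2 : boot-partition component (imei_chk loader, or an init script naming it)
# Assumed, not stated on the page: loader at /sbin/imei_chk; hook in init*.rc.

oldboot_score() {
    root="${1:-.}"
    score=0

    # Half one: the files the Trojan drops and that an ordinary uninstall removes.
    for f in system/lib/libgooglekernel.so system/app/GoogleKernel.apk; do
        if [ -e "$root/$f" ]; then
            score=$((score | 1))
        fi
    done

    # Half two: the loader binary in the ramdisk (assumed location) ...
    if [ -e "$root/sbin/imei_chk" ]; then
        score=$((score | 2))
    fi

    # ... and any init script that references it. -F: literal match, not regex.
    for rc in "$root"/init*.rc; do
        [ -f "$rc" ] || continue
        if grep -qF 'imei_chk' "$rc"; then
            score=$((score | 2))
        fi
    done

    echo "$score"
}

oldboot_report() {
    # Human-readable verdict derived from the bitmask.
    case "$(oldboot_score "$1")" in
        0) echo "clean: no Oldboot indicators found" ;;
        1) echo "payload only: /system files present, no boot-partition hook seen" ;;
        2) echo "hook only: boot-partition loader present, payload not dropped (yet)" ;;
        3) echo "infected: hook and payload present; deleting the /system files alone will not survive a reboot" ;;
    esac
}

oldboot_demo() {
    # Constructed sample tree, so the script runs offline without a device.
    d=$(mktemp -d)
    mkdir -p "$d/system/lib" "$d/system/app" "$d/sbin"
    : > "$d/system/lib/libgooglekernel.so"
    : > "$d/system/app/GoogleKernel.apk"
    : > "$d/sbin/imei_chk"
    # Constructed init.rc fragment in Android init syntax (service <name> <path>).
    printf 'service imei_chk /sbin/imei_chk\n    class main\n    oneshot\n' > "$d/init.rc"

    oldboot_report "$d"                                   # infected: ...
    rm "$d/system/lib/libgooglekernel.so" "$d/system/app/GoogleKernel.apk"
    oldboot_report "$d"                                   # hook only: ... (why it comes back)
    rm -rf "$d"
}

oldboot_demo
```

The point of the bitmask is the second report in the demo: after the /system files are deleted the score drops from 3 to 2, not to 0, which is exactly the state the article describes as "removed" yet re-infected on the next boot. On a real device the fix is to reflash a clean boot image, not to delete files under /system.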

Researchers believe the malware is being distributed inside modified firmware images. When users reflash their smartphones with this firmware, they infect the devices with the Trojan themselves.

Most infections (92 percent) are in China, which appears to be the main target. However, infected devices have also been found in Germany, Spain, Russia, Italy, the U.S., Brazil and several Southeast Asian countries.

The best way to protect your smartphone against this piece of malware is pretty basic, but needs saying: Avoid installing firmware downloaded from untrusted sources.
