First Android Bootkit Discovered in the Wild

This week, security researchers at the Russian antivirus company Dr.Web claim to have discovered the world's first Android bootkit: malware whose core component lives outside the user-data storage that a wipe or factory reset clears, so it can survive on a phone after the device has been reset and will reinstall itself from there.

According to a report published by Dr.Web, which names the malware Android.Oldboot, more than 350,000 Android devices are currently infected, most of them belonging to users in China and several countries in Southeast Asia. The report warns:

“Even if some elements of Android.Oldboot that were installed onto the mobile device after it was turned on are removed successfully, the component imei_chk will still reside in the protected memory area and will re-install the malware after a reboot and, thus, re-infect the system.”

What makes this find significant in comparison with the thousands of other Android threats detected each year is where the malware sets up camp. Instead of installing itself in the user-writable data partition (the "internal SD card" that a factory reset wipes), Android.Oldboot places its core component in the boot partition of the device's flash memory, an area that ordinary apps, antivirus tools and a factory reset cannot touch.

This means that every time the device is turned on, the modified init script launches the Trojan component imei_chk, which in turn extracts libgooglekernel.so into the system/lib folder and GoogleKernel.apk into the system/app folder. Because these land in the system partition, the phone treats the Trojan as a pre-installed system application, bypassing the checks applied to normal app installs; and because imei_chk recreates them on each boot, deleting the visible files does not remove the infection, which can persist undetected for months.

[Image: oldboot_en_01]

Of course, none of this is possible unless the user explicitly installs custom firmware on the device in the first place, which is widely known as risky territory: once a device runs a third-party firmware image, none of Google's own safeguards apply to what that image contains. The infection works by placing the Trojan component in the boot partition and modifying the init script that the Android init process executes when bringing up the base system, so the component is started before any user-level security software has a chance to run.
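The two paragraphs above describe three artifacts: the init script that references imei_chk, the imei_chk component itself in the boot partition, and the two files it drops into the system partition. The following read-only indicator check is an added example and is not code from Dr.Web or from the article. It is meant to be run against an extracted firmware image or a device root pulled with adb, not against the live host. The directory layout, the location of imei_chk under sbin (a guess based on where boot-partition binaries normally live) and the function name are assumptions, and any real check should be updated to whatever paths the full Dr.Web report gives.

```shell
#!/bin/sh
# Added example (not from Dr.Web or the article): check an extracted firmware
# image or pulled device root for the Android.Oldboot indicators named in the
# text. ROOT defaults to "/" but should normally point at an unpacked image.
# Assumptions: init scripts sit at ROOT/init*.rc, the boot component at
# ROOT/sbin/imei_chk, and the dropped files under ROOT/system.

# Print one line per indicator found. Return 0 if clean, 1 if anything matched.
oldboot_check() {
    root="${1:-/}"
    hits=0

    # 1. The boot-partition init script is what starts imei_chk on every boot.
    for rc in "$root"/init*.rc; do
        [ -f "$rc" ] || continue
        if grep -q 'imei_chk' "$rc"; then
            echo "init script references imei_chk: $rc"
            hits=$((hits + 1))
        fi
    done

    # 2. The component itself, assumed to live in the boot ramdisk's sbin dir.
    if [ -e "$root/sbin/imei_chk" ]; then
        echo "boot component present: $root/sbin/imei_chk"
        hits=$((hits + 1))
    fi

    # 3. The files the component re-extracts into /system after each reboot.
    #    Their presence without imei_chk suggests a cleaned-but-reinfectable box.
    for f in system/lib/libgooglekernel.so system/app/GoogleKernel.apk; do
        if [ -e "$root/$f" ]; then
            echo "dropped file present: $root/$f"
            hits=$((hits + 1))
        fi
    done

    [ "$hits" -eq 0 ]
}

# Usage: sh oldboot_check.sh /path/to/unpacked/firmware
if [ $# -gt 0 ]; then
    oldboot_check "$1"
fi
```

Deleting the files under system/lib and system/app is not a fix; the check reports them separately so that a tree where only the dropped files remain is still flagged, since imei_chk in the boot partition will recreate them on the next boot.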

In a thread on Reddit, security engineer Tim Strazzere pointed out that this variant of Oldboot is in fact a modified version of a much older threat, known as MouaBad.p.

“MouaBad.p is specifically engineered to evade detection and deletion, concealing its background activities from users wherever possible and attempting to get privileged device access to make itself more difficult to remove.”

Dr.Web advises users to install firmware on their phones and tablets only from sources they are certain of: images that are vetted by the community and carry a reliable rating from several hundred users or more, before making any change that could put the OS and its components at risk.