Modded firmware may harbour world’s first Android bootkit

Summary: Or is it just a variant of the older but just as sneaky SMS-fraud malware known as Mouabad?


Security researchers at a Russian antivirus vendor claim to have found the world's first Android bootkit, a piece of malware that's designed to re-infect devices even after a thorough cleanup.

Russian AV vendor Dr Web has warned users to beware certain modified Android firmware. The company says the firmware is the most likely source of infections by what's thought to be the world's first Android bootkit — malware that, once installed, lurks deep inside the OS and remains difficult to detect and fully remove.

The malware, identified as Android.Oldboot, gives the attacker common capabilities, such as a connection from the device to a remote server that is used to download, install or remove applications, according to Dr Web.

Less common is the discovery that one of its components resides in the protected memory area of an infected device, making it a challenge to totally remove.

"Even if some elements of Android.Oldboot that were installed onto the mobile device after it was turned on are removed successfully, the component imei_chk will still reside in the protected memory area and will re-install the malware after a reboot and, thus, re-infect the system," the company said.

Due to the "unusual" technique the attackers have used to infect over 350,000 Android devices, mostly in China, Dr Web believes the most likely method of infection occurs when flashing a device with modified Android firmware.

It says: "To spread the Trojan (Android.Oldboot.1.origin) attackers have used a very unusual technique, namely, placing one of the Trojan components into the boot partition of the file system and modifying the init script which is responsible for the initialisation of OS components.

"When the mobile phone is turned on, this script loads the code of the Trojan Linux-library imei_chk (Android.Oldboot.1), which extracts the files (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them in /system/lib and /system/app, respectively.

"Thus, part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service and uses the library to connect to a remote server and receive various commands, most notably, to download, install or remove certain applications."
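A defender-side baseline check for the persistence mechanism described in the quoted passages: compare the device's init script and its /system/lib and /system/app contents against what the stock firmware ships. This is an added example, not Dr Web's or the researchers' code; the init.rc excerpts, the digests, and every file name other than imei_chk and GoogleKernel.apk are constructed for illustration.

```python
"""Baseline comparison for Oldboot-style persistence: an init script that launches
an extra component at boot, which then drops files into /system/lib and /system/app."""
import re

# Constructed excerpt of a stock init.rc, as shipped by the vendor.
STOCK_INIT_RC = """\
on boot
    class_start core
    class_start main
service servicemanager /system/bin/servicemanager
    class core
"""

# Constructed tampered copy: an added 'exec' and an added service, both pointing
# at a binary placed in the boot ramdisk (component name taken from the article).
TAMPERED_INIT_RC = STOCK_INIT_RC.replace(
    "    class_start main\n", "    class_start main\n    exec /sbin/imei_chk\n"
) + "\nservice imei_chk /sbin/imei_chk\n    class main\n    oneshot\n"

SERVICE_RE = re.compile(r"^service\s+(\S+)\s+(\S+)", re.MULTILINE)
EXEC_RE = re.compile(r"^\s+exec\s+(\S+)", re.MULTILINE)

def boot_actions(init_rc: str) -> set[str]:
    """Every service definition and exec command, normalised to one string each."""
    actions = {f"service {name} {path}" for name, path in SERVICE_RE.findall(init_rc)}
    actions |= {f"exec {path}" for path in EXEC_RE.findall(init_rc)}
    return actions

def unexpected_boot_actions(device_rc: str, stock_rc: str) -> list[str]:
    """Boot-time launches present on the device but absent from the stock script."""
    return sorted(boot_actions(device_rc) - boot_actions(stock_rc))

def unexpected_system_files(device: dict[str, str], manifest: dict[str, str]) -> list[str]:
    """Paths under /system/lib or /system/app that the stock manifest does not list,
    or whose digest differs. Both maps are path -> digest."""
    watched = ("/system/lib/", "/system/app/")
    return sorted(p for p, d in device.items()
                  if p.startswith(watched) and manifest.get(p) != d)

# Constructed digests ("d0", "d1", ...) stand in for real sha256 values.
STOCK_MANIFEST = {"/system/lib/libc.so": "d0", "/system/app/Phone.apk": "d1"}
DEVICE_FILES = {**STOCK_MANIFEST,
                "/system/lib/libdropped.so": "d7",      # dropped library; name constructed
                "/system/app/GoogleKernel.apk": "d8"}   # APK name given in the article

if __name__ == "__main__":
    print(unexpected_boot_actions(TAMPERED_INIT_RC, STOCK_INIT_RC))
    print(unexpected_system_files(DEVICE_FILES, STOCK_MANIFEST))
```

On a real device the stock init.rc and manifest come from the vendor's unmodified firmware image, and the device side from a ramdisk extracted from the boot partition plus a hashed listing of /system.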

Dr Web wasn't actually the first to spot the bootkit: it was initially reported by researchers in China, who posted details of the malware on 17 January and claim to have seen 500,000 Oldboot infections.

"We found an Android trojan in the boot partition of an infected Android device. Since the boot partition will be loaded as a read-only RAM disk during Android's running, all existing antivirus solutions can't effectively clean it," Claud Xiao, one of the researchers, wrote on Google+. The malware installs adware among other things.

A full write-up is available here.

However, as noted on Reddit, Tim Strazzere, a security engineer with mobile security vendor Lookout, claims Oldboot is really just a variant of an older threat known as MouaBad.p, which was also difficult to detect and remove.

"MouaBad.p is specifically engineered to evade detection and deletion, concealing its background activities from users wherever possible and attempting to get privileged device access to make itself more difficult to remove," Lookout said in December. 

The company's advice to avoid infection was to only install apps from trusted stores; make sure the Android system setting 'Unknown sources' is unchecked to prevent dropped or drive-by-download app installs; and install a mobile security app.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • Android HAS ARRIVED!

    What was it that fanboys said about IOS?
  • Infections Mostly In China

    Did you read the last para.?
    The majority of Android devices in the wild don't get infected. Every time I read otherwise, they standardly have an AV to sell. There are excellent AVs available even at the free level. The rest is following safe practices. Plenty of guides and info available online for those who care to know.
    iPhones? Turns out NSA has had full access to Apple Phones for years. Uggh!
    Since they can access completely, what else has been or will be going on with iPhones?
    • PreachJohn Did Above Post

      'anonymous' seems to be the reigning moniker lately. Glitch somewhere. Still don't know if it's ZDNet or my 'puter.