Modded firmware may harbour world’s first Android bootkit

Or is it just a variant of the older but just as sneaky SMS-fraud malware known as Mouabad?

Security researchers at a Russian antivirus vendor claim to have found the world's first Android bootkit, a piece of malware that's designed to re-infect devices even after a thorough cleanup.

Russian AV vendor Dr Web has warned users to beware certain modified Android firmware. The company says the firmware is the most likely source of infections by what's thought to be the world's first Android bootkit — malware that, once installed, lurks deep inside the OS and remains difficult to detect and fully remove.

The malware, identified as Android.Oldboot, offers the attacker common attack features, such as a connection between the device and their own remote server to download, install, or remove some applications, according to Dr Web.

Less common is the discovery that one of its components resides in the protected memory area of an infected device, making it a challenge to totally remove.

"Even if some elements of Android.Oldboot that were installed onto the mobile device after it was turned on are removed successfully, the component imei_chk will still reside in the protected memory area and will re-install the malware after a reboot and, thus, re-infect the system," the company said.

Due to the "unusual" technique the attackers have used to infect over 350,000 Android devices, mostly in China, Dr Web believes the most likely method of infection occurs when flashing a device with modified Android firmware.

It says: "To spread the Trojan (Android.Oldboot.1.origin) attackers have used a very unusual technique, namely, placing one of the Trojan components into the boot partition of the file system and modifying the init script which is responsible for the initialisation of OS components.

"When the mobile phone is turned on, this script loads the code of the Trojan Linux-library imei_chk (Android.Oldboot.1), which extracts the files (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them in /system/lib and /system/app, respectively.

"Thus, part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service and uses the library to connect to a remote server and receive various commands, most notably, to download, install or remove certain applications."

Dr Web wasn't actually the first to spot the bootkit: it was initially reported by researchers in China, who posted details of the malware on 17 January and claim to have seen 500,000 Oldboot infections.

"We found an Android trojan in the boot partition of an infected Android device. Since the boot partition will be loaded as a read-only RAM disk during Android's running, all existing antivirus solutions can't effectively clean it," Claud Xiao, one of the researchers, wrote on Google+. The malware installs adware among other things.

A full write-up is available here.

However, as noted on Reddit, Tim Strazzere, a security engineer with mobile security vendor Lookout, claims Oldboot is really just a variant on an older threat known as MouBad.P, which was also difficult to detect and remove.

"MouaBad.p is specifically engineered to evade detection and deletion, concealing its background activities from users wherever possible and attempting to get privileged device access to make itself more difficult to remove," Lookout said in December. 

The company's advice to avoid infection was to only install apps from trusted stores; make sure the Android system setting 'Unknown sources' is unchecked to prevent dropped or drive-by-download app installs; and install a mobile security app.

More on Android security