First Android Bootkit Virus Has Infected 350,000 Devices
Published on: 28th Jan 2014
By: Ian Mansfield
An anti virus company is warning about what it says could be one of the first mass distributed bootkit viruses seen on Android smartphones.
Russia based Doctor Web says that the Trojan resides in the memory of infected devices and launches itself early on in the OS loading stage, acting as a bootkit. This allows the Trojan to minimize the possibility that it will be deleted, without tampering with the device's file system.
It's currently estimated that the virus has infected more than 350,000 mobile devices belonging to users in various countries. Although the bulk of the devices are in China, they have also been detected in Spain, Italy, Germany, Russia, Brazil, the USA and some Southeast Asian countries.
To spread the Trojan, which entered the Dr.Web virus database as Android.Oldboot.1.origin, attackers have used a very unusual technique, namely, placing one of the Trojan components into the boot partition of the file system and modifying the init script which is responsible for the initialisation of OS components.
When the mobile phone is turned on, this script loads the code of the Trojan, which extracts the files and places them in /system/lib and /system/app, respectively.
Thus, part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service and connects to a remote server to receive various commands, most notably, to download, install or remove certain applications.
Reflashing a device with modified firmware that contains the routines required for the Trojan's operation is the most likely way this threat is introduced.
This malware is particularly dangerous because even if some elements of Android.Oldboot that were installed onto the mobile device after it was turned on are removed successfully, the component imei_chk will still reside in the protected memory area and will re-install the malware after a reboot and, thus, re-infecting the system.