Android bootkit infects 350,000 devices
Posted on 28.01.2014
Dr.Web researchers have discovered and analysed what they describe as the first Android Trojan with bootkit capabilities, and warn that the malware is already running on some 350,000 mobile devices around the world.

The malware, dubbed Oldboot, keeps a component resident in the memory of infected devices and launches itself early in the OS boot process. The researchers believe it is being distributed via modified firmware, i.e. it ships inside the device image rather than arriving as an app the user installs.

To ensure persistence, the attackers placed one of the Trojan's components in the boot partition and altered the init script that is responsible for starting the OS components, so the Trojan is launched by the boot process itself rather than by anything living in the user-writable parts of the system.

"When the mobile phone is turned on, this script loads the code of the Trojan Linux library imei_chk, which extracts the files and GoogleKernel.apk and places them in /system/lib and /system/app, respectively," the researchers explained.

"Thus, part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service and uses the library to connect to a remote server and receive various commands, most notably, to download, install or remove certain applications."

Even if the other elements of the Trojan are removed successfully, the modified init script launches imei_chk on every reboot and the dropped files are written back. Deleting the APK and library from /system therefore does not clean the device; the boot partition itself has to be replaced with a known-good image.
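The persistence chain described above (a modified init script in the boot partition that re-drops an APK and a library into /system on every boot) suggests a concrete forensic check: unpack the suspect boot image, compare its init.rc against the init.rc from a clean copy of the same firmware, and flag any service or exec entry that is not in the baseline or that names a known indicator, then look for the dropped files under /system/app and /system/lib. The script below is an added example, not Dr.Web's code or a reconstruction of the real Oldboot init.rc. The two init.rc texts and the /system listing are constructed here; the article does not give the actual lines the attackers added, so the `/sbin/imei_chk` path and the service definition are assumptions, and only the indicator names the article does give (imei_chk, GoogleKernel.apk) are used.

```python
"""Compare a suspect Android init.rc with a clean baseline and report
services/exec entries that were added or changed, plus dropped-file indicators.

Added example for the Oldboot article; sample inputs are constructed.
"""
from dataclasses import dataclass

# Indicator names taken from the article. The dropped library's file name is
# not given in the article excerpt, so only the APK is listed here.
KNOWN_IOCS = {"imei_chk", "GoogleKernel.apk"}
DROPPED_FILES = {"GoogleKernel.apk"}
DROP_DIRS = ("/system/app/", "/system/lib/")


@dataclass
class Finding:
    line_no: int    # line in the suspect init.rc
    kind: str       # "service" or "exec"
    name: str       # service name, or the exec'd binary's base name
    path: str       # binary path as written in init.rc
    reasons: list   # why this entry was flagged


def parse_init_rc(text):
    """Map (kind, name) -> (line_no, path) for every service and exec statement.

    Handles `service <name> <path> [args]` and
    `exec [<seclabel> [<user> [<group>*]]] -- <command> [args]`; the older
    `exec <command> [args]` form is accepted as well.
    """
    entries = {}
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # strip comments, tokenize
        if not parts:
            continue
        if parts[0] == "service" and len(parts) >= 3:
            entries[("service", parts[1])] = (n, parts[2])
        elif parts[0] == "exec" and len(parts) >= 2:
            cmd = parts[parts.index("--") + 1] if "--" in parts[:-1] else parts[1]
            entries[("exec", cmd.rsplit("/", 1)[-1])] = (n, cmd)
    return entries


def scan_init_rc(suspect_text, baseline_text):
    """Return Findings for entries in the suspect init.rc that are new, point at
    a different binary than the baseline, or match a known indicator."""
    baseline = parse_init_rc(baseline_text)
    findings = []
    for (kind, name), (line_no, path) in parse_init_rc(suspect_text).items():
        reasons = []
        if (kind, name) not in baseline:
            reasons.append("not present in the clean init.rc")
        elif baseline[(kind, name)][1] != path:
            reasons.append(f"binary path changed from {baseline[(kind, name)][1]}")
        if name in KNOWN_IOCS or path.rsplit("/", 1)[-1] in KNOWN_IOCS:
            reasons.append("matches an Oldboot indicator named in the article")
        if reasons:
            findings.append(Finding(line_no, kind, name, path, reasons))
    return findings


def find_dropped_files(system_listing):
    """Given a list of paths (e.g. from `find /system/app /system/lib -type f`),
    return those that match the dropped components in the directories the
    article names."""
    return [p for p in system_listing
            if p.startswith(DROP_DIRS) and p.rsplit("/", 1)[-1] in DROPPED_FILES]


# Constructed stand-in for a clean vendor init.rc (not a real firmware file).
BASELINE_INIT_RC = """\
# constructed baseline
on boot
    class_start core

service servicemanager /system/bin/servicemanager
    class core
    user system

service adbd /sbin/adbd
    class core
    disabled
"""

# Constructed: the kind of addition the article describes. The real Oldboot
# service definition and binary path are not given there; this is an assumption.
SUSPECT_INIT_RC = BASELINE_INIT_RC + """\
# constructed attacker addition
service imei_chk /sbin/imei_chk
    class core
    user root
    oneshot
"""

# Constructed /system listing with one dropped artifact present.
SAMPLE_SYSTEM_LISTING = [
    "/system/app/Phone.apk",
    "/system/app/GoogleKernel.apk",
    "/system/lib/libc.so",
]

if __name__ == "__main__":
    for f in scan_init_rc(SUSPECT_INIT_RC, BASELINE_INIT_RC):
        print(f"init.rc:{f.line_no} {f.kind} {f.name} -> {f.path}: {'; '.join(f.reasons)}")
    for p in find_dropped_files(SAMPLE_SYSTEM_LISTING):
        print(f"dropped file present: {p}")
```

If the init.rc comparison produces any finding, wiping the two /system directories is pointless on its own: the boot partition has to be reflashed from a trusted image before the /system cleanup will hold across a reboot. Run the check again after reflashing, on the init.rc extracted from the device, to confirm the added service is gone.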

Currently most at risk from this malware are Chinese Android users (92 percent of all detected infections), but it has also spread to the EU (over 10,000 infected devices), Russia (over 2,000), the US (821), Brazil (482), and some other Asian countries (nearly 5,000).
