Security researchers from Doctor Web have discovered what they believe to be the first Android bootkit. The threat has already infected 350,000 devices from all over the world.
The Trojan, dubbed Android.Oldboot.1.origin, uses some clever techniques to ensure that it cannot be removed easily. One component is installed onto the boot partition of the file system.
The unit file is modified so that when the device is started, a script is loaded and the Android.Oldboot components are installed as a typical application. Once it’s installed on a device, the threat connects to a remote server and waits for commands.
“When the mobile phone is turned on, this script loads the code of the Trojan Linux-library imei_chk (Dr.Web Anti-virus detects it as Android.Oldboot.1), which extracts the files libgooglekernel.so (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them in /system/lib and /system/app, respectively,” Dr. Web experts explained.
“Thus, part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service and uses the libgooglekernel.so library to connect to a remote server and receive various commands, most notably, to download, install or remove certain applications.”
The problem is that even if it’s removed, once the device is rebooted, the Trojan is reinstalled due to the component that resides in the protected memory area.
Experts believe that the malware is being distributed with the aid of modified firmware. When users reflash their smartphones and install this firmware, they’re actually infecting them with the Trojan.
Most infections (92%) have been spotted in China, which appears to be the main target. However, infected devices have also been seen in Germany, Spain, Russia, Italy, the US, Brazil and other countries from Southeast Asia.
The best way to protect your smartphone against this piece of malware is to avoid installing firmware downloaded from untrusted sources. Experts also recommend against buying devices of unknown origin.