Oldboot for Android: 350K+ Devices Infected, and It's Sticking Around

A dangerous Android trojan has infected 350,000+ mobile devices

According to Russian anti-virus vendor Doctor Web, the malicious program is making the rounds in the US, Spain, Italy, Germany, Russia, Brazil and some Southeast Asian countries. However, most of the compromised devices (92%) are located in China.

Trojan Android.Oldboot is hard to get rid of because it lives in the device's boot partition rather than in the user-accessible file system. Dr. Web researchers said that it resides in the memory of infected devices and launches itself early in the OS loading stage, acting as a bootkit.

“This allows the Trojan to minimize the possibility that it will be deleted, without tampering with the device's file system,” the company explained in an analysis. It added, “Reflashing a device with modified firmware that contains the routines required for the Trojan’s operation is the most likely way this threat is introduced.”

And, “To spread the Trojan…attackers have used a very unusual technique, namely, placing one of the Trojan components into the boot partition of the file system and modifying the init script which is responsible for the initialization of OS components.”

In other words, the Trojan is planted beneath the normal application layer, in the boot process itself. When the phone is turned on, the modified init script runs, the component stored in the boot partition is loaded, and it does its job, which is to download, install or remove certain applications on command. Because it persists across reboots, it acts as a backdoor for criminals to get into the device.

Part of Oldboot behaves like a typical malicious application, Dr. Web noted, connecting to a remote server and receiving various commands. But if that part is removed (and users will think the infection is gone), the boot-partition component simply reinstalls it upon the next restart.

“This malware is particularly dangerous because even if some elements of Android.Oldboot that were installed onto the mobile device after it was turned on are removed successfully, the component imei_chk will still reside in the protected memory area and will re-install the malware after a reboot and, thus, re-infect the system,” Dr. Web more specifically explained.
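The persistence technique described above (a component dropped into the boot partition and a modified init script that starts it, with the imei_chk component surviving removal of the user-visible parts) is exactly what an audit of the init script should surface. The script below is an added example, not code from Doctor Web's analysis or from the article: it lists the `service` entries in an Android init.rc and flags any whose name is absent from a baseline of expected services. It assumes the init script uses Android's `service <name> <path>` syntax, that a known-good service list is available from the vendor firmware or a clean device of the same model, and that the rogue service is registered under the imei_chk name; the sample init.rc and baseline are constructed, and the path `/sbin/imei_chk` is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original article or the Dr. Web analysis.
# Audits an Android init.rc for service definitions missing from a baseline.
# Assumptions: init.rc syntax "service <name> <path> [args]"; a baseline file
# listing one expected service name per line, taken from vendor firmware.

# Print "name<TAB>binary" for every service defined in the init.rc given as $1.
# Comments are stripped first; awk's default field splitting ignores indentation.
list_services() {
    sed -e 's/#.*//' "$1" | awk '$1 == "service" { printf "%s\t%s\n", $2, $3 }'
}

# Print "name<TAB>binary" for services in init.rc ($1) whose name does not
# appear, as a whole line, in the baseline file ($2).
flag_unexpected_services() {
    list_services "$1" | while read -r name bin; do
        if ! grep -qx -- "$name" "$2"; then
            printf '%s\t%s\n' "$name" "$bin"
        fi
    done
}

# Constructed sample data so the example runs stand-alone. The imei_chk entry
# mirrors the component named on the page; its path /sbin/imei_chk is hypothetical.
make_samples() {
    dir=$1
    cat > "$dir/init.rc" <<'EOF'
# constructed excerpt of an init.rc from a modified firmware
service servicemanager /system/bin/servicemanager
    class core
    user system

service adbd /sbin/adbd
    class core
    disabled

# entry added by the modified firmware (hypothetical path)
service imei_chk /sbin/imei_chk
    class core
    oneshot
EOF
    printf 'servicemanager\nadbd\n' > "$dir/baseline.txt"
}

# Stand-alone run: on a real device the init.rc would come from the boot
# partition ramdisk (e.g. pulled over adb from a rooted device) and the baseline
# from the vendor's stock image for the same model.
sample_dir=$(mktemp -d)
make_samples "$sample_dir"
echo "services not in baseline:"
flag_unexpected_services "$sample_dir/init.rc" "$sample_dir/baseline.txt"
rm -rf "$sample_dir"
```

The baseline matters more than the parser: a bootkit that ships in a reflashed firmware image can rename its component, so the check is only as good as a service list taken from a stock image of the same model, and it should be paired with a hash comparison of the whole boot partition against the vendor's image, since the malicious init.rc lives in that partition's ramdisk.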

To prevent infection by this malware or other similar trojans, Doctor Web suggested that users not purchase devices of unknown origin that could already have the trojan loaded (aftermarket devices are commonly for sale in China), and warned users against using OS images from unreliable sources.
