Security researchers from Doctor Web have discovered what they think is the first Android bootkit. The threat has already infected 350.000 devices around the world.
The Trojan, called Android.Oldboot.1.origin, uses some clever techniques to make sure it can not be easily removed. A component is installed in the system boot partition.
The file modifies the boot device by loading with a script components of Android.Oldboot. Once Android.Oldboot is installed on a device, the trojan connects to a remote server and waits for commands.
"When the mobile phone is turned on, this script loads its code Trojan Linux-library imei_chk (the application Dr.Web Anti-virus it detects it like Android.Oldboot.1), which extracts the libgooglekernel.so files (Android.Oldboot. 2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them in the paths /system/lib and /system/app, respectively, the researchers report.
"So, part of it Trojan Android.Oldboot πραγματοποιεί εγκατάσταση σαν μια τυπική εφαρμογή, η οποία λειτουργεί σαν service συστήματος και χρησιμοποιεί το libgooglekernel.so library to connect to a remote server and receive various commands, mainly to download, install or remove certain applications. ”
The problem is that even if it is removed, when the device restarts, the Trojan follows the same procedure as it is in the protected memory area.
Experts believe that the malware is distributed with the help of some modified firmware. When the users root their smartphones and install this firmware, they don't actually know what's running on their device.
Most infections from this malicious software (92%) have been detected in China, which appears to be its main objective. However, infected devices have also been observed in Germany, The Spain, The Russia, The Italy, at USA, The Brazil and other countries from Southeast Asia.
The best way to protect it smartphone your advice is to avoid installing firmware from untrusted sources.