Security researchers from Doctor Web have discovered what they think is the first Android bootkit. The threat has already infected 350.000 devices around the world.
The Trojan, named Android.Oldboot.1.origin, uses some smart techniques to ensure that it cannot be easily removed. A component of it is installed on the system boot partition.
The file modifies the boot of the device by loading with a script components of Android.Oldboot. Once Android.Oldboot is installed on a device, the trojan connects to a remote server and waits for commands.
"When the mobile τηλέφωνο είναι ενεργοποιημένο, αυτό το script φορτώνει τον κώδικα του Trojan Linux library imei_chk (the application Dr.Web Anti-virus it detects it like Android.Oldboot.1), which extracts the libgooglekernel.so files (Android.Oldboot. 2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them on the / system / lib and / system / app paths, respectively, respectively.
"So, part of it Trojan Android.Oldboot installs as a standard application that acts as a system service and uses it libgooglekernel.so library to connect to a remote server and receive various commands, mainly to download, install or remove certain applications. ”
The problem is that even if it is removed, when the device restarts, the Trojan follows the same procedure as it is in the protected memory area.
Experts believe that the malicious software distributed with the help of some modified firmware. When users root their smartphones and install this firmware, they don't actually know what's running on their device.
Most infections from this malicious software (92%) have been detected in China, which appears to be its main objective. However, infected devices have also been observed in Germany, The Spain, The Russia, The Italy, at USA, The Brazil and others countries from Southeast Asia.
The best way to protect your smartphone is to avoid installing firmware from unreliable sources.