Security researchers from Doctor Web have discovered what they believe is the first Android bootkit. The threat has already infected 350,000 devices worldwide.
The Trojan, named Android.Oldboot.1.origin, uses some clever techniques to ensure that it cannot be removed easily. One of its components is installed in the boot partition of the file system.
That file modifies the device's boot script so that the Android.Oldboot components are loaded at startup. Once Android.Oldboot is installed on a device, the Trojan connects to a remote server and waits for commands.
"When the mobile phone is switched on, this script loads the code of the Trojan Linux library imei_chk (Dr.Web Anti-virus detects it as Android.Oldboot.1), which extracts the files libgooglekernel.so (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them in the /system/lib and /system/app paths, respectively," the researchers said.
"Thus, part of the Android.Oldboot Trojan is installed as a standard application that acts as a system service and uses the libgooglekernel.so library to connect to a remote server and receive various commands, mainly to download, install or remove certain applications."
The problem is that even if the dropped files are removed, the Trojan repeats the same procedure the next time the device restarts, because the component that drops them resides in the boot partition, a protected area of storage that ordinary removal does not touch.
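Because the dropped files are recreated on every boot, checking only /system for them is not enough; the boot script that launches imei_chk has to be inspected as well. The following is an added example, not Dr.Web's tooling or anything from the original report: a POSIX shell check that looks for the three indicators named above in an extracted firmware image or a pulled /system tree (the root directory and the init script path are passed as arguments). The init.rc stanza in the constructed sample, including the /sbin/imei_chk path, is an illustrative assumption and not the real one.

```shell
#!/bin/sh
# Added example: offline check for the Android.Oldboot indicators named in the
# article. Not Dr.Web's code. Run against an extracted firmware image or a
# /system tree pulled from the device, plus the init script from the boot image.

# oldboot_indicators ROOT INIT_RC
# Prints one line per indicator found: dropped files under ROOT/system, and any
# line in INIT_RC that references the boot-partition loader imei_chk.
oldboot_indicators() {
    root="$1"
    init_rc="$2"
    for f in system/lib/libgooglekernel.so system/app/GoogleKernel.apk; do
        [ -e "$root/$f" ] && echo "dropped-file $root/$f"
    done
    # Deleting the two files above is not a cleanup: whatever the boot script
    # starts from the boot partition will drop them again at the next restart.
    [ -f "$init_rc" ] && grep -n 'imei_chk' "$init_rc" | sed "s|^|boot-script $init_rc:|"
    return 0
}

# oldboot_hit_count ROOT INIT_RC -> number of indicators found (0 = nothing seen)
oldboot_hit_count() {
    oldboot_indicators "$1" "$2" | wc -l | tr -d ' '
}

# oldboot_make_sample DIR
# Constructed sample for testing the check: an "infected" tree with the two
# dropped files and an init.rc whose imei_chk service stanza is made up here.
oldboot_make_sample() {
    d="$1"
    mkdir -p "$d/system/lib" "$d/system/app"
    : > "$d/system/lib/libgooglekernel.so"
    : > "$d/system/app/GoogleKernel.apk"
    cat > "$d/init.rc" <<'EOF'
service bootanim /system/bin/bootanimation
    class main
service imei_chk /sbin/imei_chk
    class core
    oneshot
EOF
}

# Usage: sh oldboot_check.sh ROOT INIT_RC    (real tree)
#        sh oldboot_check.sh --demo          (constructed sample)
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    oldboot_make_sample "$demo"
    oldboot_indicators "$demo" "$demo/init.rc"
    echo "hits: $(oldboot_hit_count "$demo" "$demo/init.rc")"
    rm -rf "$demo"
elif [ $# -eq 2 ]; then
    oldboot_indicators "$1" "$2"
    echo "hits: $(oldboot_hit_count "$1" "$2")"
fi
```

On a real device the boot image has to be dumped and its ramdisk unpacked to obtain the init.rc that matters; the copy visible under /init.rc at runtime is the same file, but reading it requires root, and a device you already distrust is a poor place to run the check.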
Experts believe the malware is being distributed by way of modified firmware. When users root their smartphones and flash such firmware, they do not really know what is running on their device.
Most infections by this malware (92%) have been detected in China, which appears to be its main target. However, infected devices have also been observed in Germany, Spain, Russia, Italy, the USA, Brazil and in countries across Southeast Asia.
The best way to protect your smartphone is to avoid installing firmware from untrusted sources.