Two months ago, the first widespread version of an Android Bootkit malware was reported, called "Oldboot.A.”. This particular malware has infected over 500.000 Android smartphones over the last eight months, especially in China.
This malware for the Android platform is designed to infect phones again and again, even after thorough cleaning. It usually resides in the memory of infected devices, modifies the boot partition, and starts running malicious applications during the early boot phase of the system.
But a worrying new report on smart malware has been released by the Chinese security company.360 Mobile Security. ” Researchers have discovered a new variant of the oldboot family, which they named "Oldboot.B”And is designed exactly like its predecessor (version A), but the new variant seems to use concealment techniques that make it almost invisible.
Android Bootkit malware has the following features:
- It can install malicious apps silently on background.
- It can run malicious modules in system processes.
- It can avoid uninstalling.
- Oldboot.B can modify the browser home page.
- It has the ability to install or disable installed Mobile Antivirus software.
Once an Android device has been infected by that trojan, it will connect to the command and control center to receive the commands from the attacker, or the intruders.
After installation, the Trojan will install many other malicious android apps or games on the infected device, according to THN.
The Oldboot.B architecture has four key features, those that run automatically when booting the system, writing itself as a system service within the init.rc script:
1) boot_tst - uses a remote injection technique to pass a archive AA and a JAR file in the “system_server” process of the Android system, constantly monitoring the sockets, to execute the commands sent.
2) adb_server – replaces the Android system pm script with itself and will be used to prevent its uninstallation malicioussoftware.
3) meta_chk - updates the configuration file, downloads and installs Android Apps in the background. The configuration file is encrypted, which significantly increases the time required to parse it.
To avoid detection, attackers have set meta_chk to self-destruct from the file system, and only use it for the injection process. Android security features do not support memory scanning on the Android platform, so they can not find or delete the oldboot Trojan that is there.
4) agentsysline – is written in language C++ programming language, and runs as a daemon in the background to receive commands from the command and control server. This item can uninstall anti-virus software, delete specific files and enable or disable network connection etc.
