Oldboot.B: A very sophisticated Android Bootkit

Two months ago, the first widespread version of an Android Bootkit malware was reported, called "Oldboot.A". This particular malware has infected over 500,000 Android smartphones over the last eight months, especially in .


This malware for the Android platform is designed to infect phones again and again, even after thorough cleaning. It usually resides in the memory of the infected devices, modifies the cm partition and starts running malicious applications during the early phase of system boot.

But a worrying new report on smartphone malware has been released by the Chinese security company 360 Mobile Security. Researchers have discovered a new variant of the Oldboot family, which they named "Oldboot.B". It is designed exactly like its predecessor (version A), but the new variant uses concealment techniques that make it almost invisible.

The Android Bootkit malware has the following features:

  • It can install malicious applications silently in the background.
  • It can run malicious modules in system processes.
  • It can resist uninstallation.
  • Oldboot.B can modify the browser home page.
  • It has the ability to uninstall or disable installed mobile antivirus software.

Once an Android device has been infected by the trojan, it connects to the command and control server to receive commands from the attackers.

After installation, the trojan installs many other malicious Android apps or games on the infected device, according to THN.

The Oldboot.B architecture has four key components, which run automatically when the system boots, because the malware registers itself as a system service within the init.rc script:

1) boot_tst - uses a remote injection technique to pass an AA file and a JAR file into the "system_server" process of the Android system, constantly monitoring the sockets in order to execute the commands sent.

2) adb_server - replaces the pm script of the Android system with itself and is used to prevent the uninstallation of the malware.

3) meta_chk - updates the configuration file, downloads and installs Android Apps in the background. The configuration file is encrypted, which significantly increases the time required to parse it.

To avoid detection, the attackers have set meta_chk to delete itself from the file system, and only use it for the injection process. Android security software does not support memory scanning on the Android platform, so it cannot find or delete the Oldboot trojan that is resident there.

4) agentsysline - is written in the C++ programming language and acts as a daemon in the background to receive commands from the command and control server. This component can uninstall software, delete specific files, enable or disable the network connection, etc.
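Because all four components are registered as boot-time services in init.rc, a defender with a copy of that file (for example pulled from the boot image) can check it for unexpected services. The following Python is an added illustration, not code from the article or from 360 Mobile Security: it parses a constructed sample init.rc, flags services whose names match the four components above, and, more generally, reports any service missing from a known-good baseline (the baseline set is an assumption for this example).

```python
import re
from typing import Dict, List, Set

# Constructed sample init.rc (not from a real device): two legitimate
# services plus the four Oldboot.B components named in the article.
SAMPLE_INIT_RC = """\
service servicemanager /system/bin/servicemanager
    class core
    user system

service adbd /sbin/adbd
    class core
    disabled

service boot_tst /system/bin/boot_tst
    class main
    oneshot

service adb_server /system/bin/adb_server
    class main

service meta_chk /system/bin/meta_chk
    class main
    oneshot

service agentsysline /system/bin/agentsysline
    class main
"""

# Service names the article attributes to Oldboot.B.
OLDBOOT_SERVICES: Set[str] = {"boot_tst", "adb_server", "meta_chk", "agentsysline"}

# Assumed known-good baseline: services expected in a clean init.rc.
# In practice this comes from a factory image of the same firmware build.
BASELINE_SERVICES: Set[str] = {"servicemanager", "adbd"}

# Matches the 'service <name> <path-to-binary>' header line of each block.
SERVICE_RE = re.compile(r"^service\s+(\S+)\s+(\S+)", re.MULTILINE)

def parse_services(init_rc: str) -> Dict[str, str]:
    """Map every declared service name to the binary path it launches."""
    return {m.group(1): m.group(2) for m in SERVICE_RE.finditer(init_rc)}

def oldboot_matches(init_rc: str) -> List[str]:
    """Declared services whose names match the known Oldboot.B components."""
    return sorted(n for n in parse_services(init_rc) if n in OLDBOOT_SERVICES)

def unknown_services(init_rc: str, baseline: Set[str] = BASELINE_SERVICES) -> Dict[str, str]:
    """Services not present in the baseline, with their binary paths for triage."""
    return {n: p for n, p in parse_services(init_rc).items() if n not in baseline}
```

A match on the four names is only a hint about this family; the baseline comparison is what catches a renamed service, so the report should always list the binary path alongside the name.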


Written by giorgos
