A very dangerous Android bootkit Trojan resides on memory of infected device (discovered by DrWeb) that can re-install itself over and over again automatically even after users remove it from their Android device , has infected more than 350,000 devices
in various countries
Last week Drweb, warned users about a very dangerous bootkit Trojan called Android.Oldboot which is hard to remove once the Android device is infected. The trojan resides in the memory of infected devices and launches itself early on in the OS loading stage, acting as a bootkit.
This allows the Trojan to minimize the possibility that it will be deleted, without tampering with the device’s file system. Currently, this malignant program is operating on more than 350,000 mobile devices belonging to users in various countries, including Spain, Italy, Germany, Russia, Brazil, the USA and some Southeast Asian countries.
Android has been the center for malware infections for handheld devices since 2013. This is one of the most sophisticated Android malware which can cause a significant damage if infected.
As per Dr Web “To spread the Trojan, which entered the Dr.Web virus database as Android.Oldboot.1.origin, attackers have used a very unusual technique, namely, placing one of the Trojan components into the boot partition of the file system and modifying the init script which is responsible for the initialisation of OS components. When the mobile phone is turned on, this script loads the code of the Trojan Linux-library imei_chk (Dr.Web Anti-virus detects it as Android.Oldboot.1), which extracts the files libgooglekernel.so (Android.Oldboot.2) and GoogleKernel.apk (Android.Oldboot.1.origin) and places them in/system/lib and /system/app, respectively.”
The installed Trojan Android.Oldboot is installed as a normal application which means it acrs as a system service using libgooglekernel.so library to connect remote server to receive various commands, either to download, install or remove certain applications.”
The reason this malware is considered dangeroud is because imei_chk resides in the protected memory area and will re-install the malware after a the device is rebooted and, thus, re-infect the system.
Its believed that more than 350,000 devices have been infected worldwide China being the prime target.
Pic and news source Drweb