OldBoot: A New Bootkit for Android


First mentioned in a Chinese blog post, we’d like to provide more details on the first persistent Android malware. Research revealed a new Bootkit malware, currently the only one of its’ kind, that is already present in over 500,000 android devices in China. It goes by the name: Oldboot.

Oldboot appears to install several malicious APKs which then communicate with a C&C server based in China. Essentially, the attacker receives full Root access and permissions and becomes privy to all incoming and outgoing data. Unlike previous similar malware, due to its’ unique presence on the boot partition, it will reinstall itself every time the phone boots up – so even if the APK is identified and removed, the attacker keeps a persistent presence on the device.

Bootkit Malware?
Oldboot implements a brand new mechanism to modify a devices’ boot partition in order to extract a malicious application during the early stage of the system’s boot. Since the boot partition is loaded as a read-only RAM disk when Android starts up – it presents a major problem to Anti Virus solutions (AVs) – both in identification and mitigation. As we mentioned, even if AVs identify the malicious files, some can’t be deleted, while the others will be automatically reinstalled once the phone is restarted.
In PC terms, this is equivalent to a Trojan that attacks the BIOS. Despite the complexity of the process, several different types of malware (most notably, Trojan.Mebromi from 2011), have been previously been used – both for intelligence gathering and for more destructive purposes.
The main difference between Android and PC is down to hardware diversity. PC users don’t need to worry about this type of malware becoming widespread. BIOS flashing is so different from one motherboard manufacturer to another that it is almost impossible to develop code that does it reliably on the majority of systems. Android devices on the other hand, are much more generic. Therefore this poses a much bigger threat to mobile users.

Infection Methods
Infection methods seem to depend on the device and include:

  1. 1. Physical access to the device used for flashing a malicious image file to the boot partition of the device.
  2. after gaining root permission through other means, then forcibly writing the malicious files into the boot partition.

Mitigation and Solutions
First and foremost, we’d recommend correlating and comparing the real and displayed data usage patterns of your device. It isn’t difficult for the mobile Remote Access Trojan (mRAT) to operate in the background and bypass most conventional security checks. Once you know that a device has been infected, re-flashing with the original stock ROM should do the trick.

Oldboot definitely looks like another step forward for malware. It presents a sophisticated, persistent threat that may prove difficult to mitigate with conventional means. We’ll be keeping an eye out for more instances and any relevant updates.