Android boot kit infects 350,000 devices
The first ever Android Trojan with bootkit capabilities has been discovered by Dr.Web researchers, who warn that the malware is already operating on some 350,000 mobile devices around the world.

The malware - dubbed Oldboot - resides in the memory of infected devices and launches itself early in the OS loading stage, the researchers say, and they believe that the Trojan is being distributed via modified firmware. To ensure persistence, the attackers have inserted one of the Trojan's components into the boot partition of the file system and have altered the script that is tasked with initializing the OS components.
"When the mobile phone is turned on, this script loads the code of the Trojan Linux library imei_chk, which extracts the files libgooglekernel.so and GoogleKernel.apk and places them in /system/lib and /system/app, respectively," the researchers explained. "Thus, part of the Trojan Android.Oldboot is installed as a typical application which further functions as a system service and uses the libgooglekernel.so library to connect to a remote server and receive various commands, most notably, to download, install or remove certain applications."
Even if other elements of the Trojan are removed successfully, the modified script will restart the installation process by triggering imei_chk each time the device is rebooted.
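The persistence chain described above gives a defender three things to look for: the two dropped files under /system and an init script that references imei_chk. The following script is an added example, not code from the article or from Dr.Web; it walks an extracted or mounted Android system tree (assumed to be laid out like a device root, with system/lib, system/app and init*.rc scripts) and reports those indicators. The sample tree it builds for a dry run is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the article): report the Oldboot indicators the
# article names inside an extracted/mounted Android system tree.
# Assumption: $1 is the tree root, laid out like a device root
# (system/lib, system/app, init*.rc at the root or under system/etc).

oldboot_scan() {
    root="$1"
    hits=0
    # Files the article says imei_chk drops on every boot.
    for f in "system/lib/libgooglekernel.so" "system/app/GoogleKernel.apk"; do
        if [ -e "$root/$f" ]; then
            echo "INDICATOR: $root/$f present" >&2
            hits=$((hits + 1))
        fi
    done
    # The persistence hook: an init script that references imei_chk.
    for s in "$root"/init*.rc "$root"/system/etc/init*.rc; do
        [ -f "$s" ] || continue
        if grep -q 'imei_chk' "$s"; then
            echo "INDICATOR: $s references imei_chk" >&2
            hits=$((hits + 1))
        fi
    done
    # Indicator count on stdout so callers can act on it.
    echo "$hits"
}

# Constructed sample tree mimicking an infected image (for a dry run only;
# the init.rc line is made up and is not the real Oldboot hook).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/system/lib" "$d/system/app"
    : > "$d/system/lib/libgooglekernel.so"
    : > "$d/system/app/GoogleKernel.apk"
    printf 'service imei_chk /sbin/imei_chk\n    oneshot\n' > "$d/init.rc"
    echo "$d"
}

# Usage: oldboot_scan /path/to/extracted/root
# Dry run against the constructed tree; a count of 0 means nothing found.
if [ "$1" = "--demo" ]; then
    oldboot_scan "$(make_sample_tree)"
fi
```

On a live device the same checks can be run over a tree pulled with adb; a hit on the init script is the one that matters, since removing the dropped files alone leaves the reinstall hook in place.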