Oldboot: the first bootkit on Android


Qihoo 360 Technology Co. Ltd. (NYSE: QIHU)

Zihang Xiao, Qing Dong, Hao Zhang and Xuxian Jiang

Jan 17, 2014

——

A few days ago, we found an Android Trojan that uses a brand-new method: it modifies the device's boot partition and boot script to launch a system service and extract a malicious application during the early stage of system boot. Because of the special RAM disk nature of the Android boot partition, no current mobile antivirus product in the world can completely remove this Trojan or effectively repair the system. We named this Android Trojan family Oldboot. As far as we know, this is the first bootkit found in the wild on the Android platform.

According to our statistics, as of today, more than 500,000 Android devices in China have been infected by this bootkit in the last six months. We've released a new security tool (download) which can accurately detect and remove it.

Construction and behaviors of Oldboot

When an Android device is infected by Oldboot, its user will find that new applications containing lots of advertisements are frequently installed on the system. In the installed-applications list, the user will find a system application named GoogleKernel which cannot be uninstalled manually. Antivirus products such as 360 Mobile Security will classify this application as malware (Figure 1). However, after removing it and rebooting the device, both phenomena will occur again.

Oldboot consists of four executable or configuration files:

  • /init.rc, the configuration script for Android system boot, which has been modified by Oldboot
  • /sbin/imei_chk, an ELF executable for the ARM architecture
  • /system/app/GoogleKernel.apk, an Android application installed as a system application
  • /system/lib/libgooglekernel.so, the native library used by GoogleKernel

Figure 1  Antivirus product classifies GoogleKernel as malware

These four files have a complex calling relationship (Figure 2):

  1. When the Android system boots, it reads init.rc, launches imei_chk as a system service and opens the related local socket;
  2. imei_chk then extracts libgooglekernel.so into /system/lib;
  3. imei_chk also extracts GoogleKernel.apk into /system/app;
  4. After the system finishes booting, GoogleKernel.apk is installed as a system application. It periodically executes native code in libgooglekernel.so to trigger malicious behaviors;
  5. libgooglekernel.so generates configurations or malicious commands and passes them to the Java code in GoogleKernel.apk;
  6. GoogleKernel.apk sends commands to imei_chk through the socket. These commands are finally executed by imei_chk.
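Because the persistence hook lives in init.rc rather than in an installed package, the first place a defender should look is the init.rc pulled from the boot image. The following script is an added example (not Qihoo 360 code, not part of the original report) that parses the service blocks of an init.rc offline and triages them against the four Oldboot file paths named above. It assumes the standard init.rc syntax (`service <name> <path>` followed by indented option lines, `socket <name> <type> <perm>`). The sample init.rc embedded in it is constructed for illustration: the socket name for imei_chk and the adbd entry are assumptions, not taken from an infected device.

```python
"""Offline triage of an Android init.rc for Oldboot-style service entries.

Added example, not code from the report. Only the four file paths below are
taken from the report; the sample init.rc and socket names are constructed.
"""
from dataclasses import dataclass, field

# Files the report names as the Oldboot components.
OLDBOOT_INDICATORS = {
    "/sbin/imei_chk",
    "/system/app/GoogleKernel.apk",
    "/system/lib/libgooglekernel.so",
}


@dataclass
class Service:
    name: str
    exe: str
    args: list = field(default_factory=list)
    sockets: list = field(default_factory=list)   # names from 'socket' lines
    options: list = field(default_factory=list)   # other indented option lines


def parse_init_rc(text):
    """Return the 'service' blocks of an init.rc as Service objects.

    A service block is a top-level 'service' line plus the indented lines that
    follow it; any other top-level keyword ('on', 'import', ...) ends the block.
    """
    services = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indented = line[0] in " \t"
        tokens = line.split()
        if not indented:
            if tokens[0] == "service" and len(tokens) >= 3:
                current = Service(name=tokens[1], exe=tokens[2], args=tokens[3:])
                services.append(current)
            else:
                current = None
            continue
        if current is None:
            continue
        if tokens[0] == "socket" and len(tokens) >= 2:
            current.sockets.append(tokens[1])
        else:
            current.options.append(line.strip())
    return services


def triage(text):
    """Classify services into two buckets:
    'known'  - executable is one of the Oldboot file paths (high confidence);
    'review' - an /sbin binary that opens a local socket, the pattern imei_chk
               uses, which legitimate services such as adbd also match, so
               these need an analyst's review rather than automatic action.
    """
    result = {"known": [], "review": []}
    for svc in parse_init_rc(text):
        if svc.exe in OLDBOOT_INDICATORS:
            result["known"].append(svc.name)
        elif svc.exe.startswith("/sbin/") and svc.sockets:
            result["review"].append(svc.name)
    return result


# Constructed sample: a benign service, adbd (legitimate /sbin service with a
# socket), and an imei_chk entry of the kind the report describes.
SAMPLE_INIT_RC = """\
# constructed sample, not a dump from an infected device
on boot
    class_start core

service servicemanager /system/bin/servicemanager
    class core
    user system

service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system

service imei_chk /sbin/imei_chk
    class core
    user root
    socket imei_chk stream 666
"""

if __name__ == "__main__":
    verdict = triage(SAMPLE_INIT_RC)
    print("known Oldboot services:", verdict["known"])
    print("services needing review:", verdict["review"])
```

The exact-path match is the reliable signal; the /sbin-plus-socket heuristic only narrows the review list, which is why the two are reported separately. Because the modified init.rc sits in the boot partition's RAM disk, a positive hit on the device's running /init.rc is expected to survive an ordinary application-level cleanup, which is the property the report describes.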